Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Andariel
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Andariel
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Andariel

Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.(Citation: FSI Andariel Campaign Rifle July 2017)(Citation: IssueMakersLab Andariel GoldenAxe May 2017)(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)(Citation: TrendMicro New Andariel Tactics July 2018)(Citation: CrowdStrike Silent Chollima Adversary September 2021) Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.(Citation: Treasury North Korean Cyber Groups September 2019) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
ID: G0138
Associated Groups: Silent Chollima
Version: 1.0
Created: 29 Sep 2021
Last Modified: 24 May 2022

Associated Group Descriptions
Name Description
Silent Chollima (Citation: CrowdStrike Silent Chollima Adversary September 2021)

Techniques Used
Domain ID Name Use
Enterprise T1592 .002 Gather Victim Host Information: Software

Andariel has inserted a malicious script within compromised websites to collect potential victim information such as browser type, system language, Flash Player version, and other data.(Citation: TrendMicro New Andariel Tactics July 2018)
Enterprise T1590 .005 Gather Victim Network Information: IP Addresses

Andariel has limited its watering hole attacks to specific IP address ranges.(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)
Enterprise T1027 .003 Obfuscated Files or Information: Steganography

Andariel has hidden malicious executables within PNG files.(Citation: MalwareBytes Lazarus-Andariel Conceals Code April 2021)(Citation: Kaspersky Andariel Ransomware June 2021)
Enterprise T1588 .001 Obtain Capabilities: Malware

Andariel has used a variety of publicly-available remote access Trojans (RATs) for its operations.(Citation: FSI Andariel Campaign Rifle July 2017)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Andariel has conducted spearphishing campaigns that included malicious Word or Excel attachments.(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)(Citation: MalwareBytes Lazarus-Andariel Conceals Code April 2021)
Enterprise T1204 .002 User Execution: Malicious File

Andariel has attempted to lure victims into enabling malicious macros within email attachments.(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)

Software
ID Name References Techniques
S0433 Rifdoor (Citation: AhnLab Andariel Subgroup of Lazarus June 2018) (Citation: Carbon Black HotCroissant April 2020) Obfuscated Files or Information, System Information Discovery, Binary Padding, System Network Configuration Discovery, Registry Run Keys / Startup Folder, Spearphishing Attachment, Symmetric Cryptography, System Owner/User Discovery, Malicious File
S0032 gh0st RAT (Citation: AhnLab Andariel Subgroup of Lazarus June 2018) (Citation: Arbor Musical Chairs Feb 2018) (Citation: FireEye Hacking Team) (Citation: Moudoor) (Citation: Mydoor) (Citation: Nccgroup Gh0st April 2018) (Citation: Novetta-Axiom) Shared Modules, Modify Registry, Ingress Tool Transfer, Process Injection, Rundll32, Service Execution, DLL Side-Loading, Command and Scripting Interpreter, Query Registry, Deobfuscate/Decode Files or Information, Symmetric Cryptography, Non-Application Layer Protocol, Native API, Process Discovery, Windows Service, Registry Run Keys / Startup Folder, Clear Windows Event Logs, System Information Discovery, File Deletion, Screen Capture, Fast Flux DNS, Keylogging, Standard Encoding, Encrypted Channel

References

  1. FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 29, 2021.
  2. IssueMakersLab. (2017, May 1). Operation GoldenAxe. Retrieved September 29, 2021.
  3. Chen, Joseph. (2018, July 16). New Andariel Reconnaissance Tactics Uncovered. Retrieved September 29, 2021.
  4. AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.
  5. Jazi, H. (2021, April 19). Lazarus APT conceals malicious code within BMP image to drop its RAT . Retrieved September 29, 2021.
  6. Park, S. (2021, June 15). Andariel evolves to target South Korea with ransomware. Retrieved September 29, 2021.
  7. CrowdStrike. (2021, September 29). Silent Chollima Adversary Profile. Retrieved September 29, 2021.
  8. US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.