Andariel, designated as a sub-group of the Lazarus Group APT, has historically targeted South Korean organzations.
Andariel, a subdivision of the Lazarus Group APT associated with North Korea, is behind a recent attack campaign that uses malicious Word documents and files that mimic PDFs, Kaspersky researchers report.
This group has previously targeted South Korean businesses and government agencies; in this attack, its victims also appear to be South Korean entities.
Researchers say they observed a suspicious Word document with a Korean file name and decoy with an unusual infection scheme and an unfamiliar payload. Further analysis revealed a connection to Andariel; researchers noticed code overlaps between the second stage payload in this campaign and previous malware from the Andariel group. There were other characteristics connecting this malware to Andariel, researchers report.
“Each threat actor has characteristics when they interactively work with a backdoor shell in the post-exploitation phase,” they wrote in a report on the findings. “The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity.”
Kaspersky says Andariel has been spreading the third stage payload using malicious Word documents since the middle of 2020.
Details on the attack campaign can be found here.
Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio