Rewterz Threat Alert – Andariel Group Evolves to Target South Korea With Ransomware

Severity

High

Analysis Summary

In April 2021, a suspicious Word document with a Korean file name and decoy was detected. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, researchers came to the conclusion that the Andariel group was behind these attacks. Andariel is considered a sub-group of Lazarus. The threat actor has been spreading the third stage payload from the middle of 2020 onwards and leveraged malicious Word documents and files mimicking PDF documents as infection vectors. In addition to the final backdoor, one victim was discovered getting infected with custom ransomware. It adds another facet to this Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs.

Impact

• Credential theft
• Data Exfiltration 
• Information Disclosure

Indicators of Compromise

IP

• 198[.]55[.]119[.]112
• 45[.]58[.]112[.]77
• 23[.]229[.]111[.]197
• 185[.]208[.]158[.]208

MD5

• ed9aa858ba2c4671ca373496a4dd05d4
• 71759cca8c700646b4976b19b9abd6fe
• 3ba4c71c6b087e6d06d668bb22a5b59a
• d5e974a3386fc99d2932756ca165a451
• f4d46629ca15313b94992f3798718df7
• 118cfa75e386ed45bec297f8865de671
• 53648bf8f0121130edb42c626d7c2fc4
• 1bb267c96ec2925f6ae3716d831671cf
• 0812ce08a75e5fc774a114436e88cd06
• 145735911e9c8bafa4c9c1d7397199fc
• f3fcb306cb93489f999e00a7ef63536b
• 0ecfa51cd4bf1a9841a07bdb5bfcd0ab
• 4d30612a928faf7643b14bd85d8433cc
• df1e7a42c92ecb01290d896dca4e5faa
• ef3a6978c7d454f9f6316f2d267f108d
• 33c2e887c3d337eeffbbd8745bfdfc8f
• bf4a822f04193b953689e277a9e1f4f1
• 6e710f6f02fdde1e4adf06935a296fd8
• 38917e8aa02b58b09401383115ab549e
• 67220baf2a415876bee2d43c11f6e9ad
• 3bf9b83e00544ac383aaef795e3ded78
• 159ad2afcab80e83397388e495d215a5
• 8b378eabcec13c3c925cc7ca4d191f5f
• 5b387a9130e9b9782ca4c225c8e641b3
• 62eae43a36cbc4ed935d8df007f5650b
• eef723ff0b5c0b10d391955250f781b3
• d1a99087fa3793fbc4d0adb26e87efce
• d63bb2c5cd4cfbe8fabf1640b569db6a
• fffad123bd6df76f94ffc9b384a067fc
• abaeecd83a585ec0c5f1153199938e83
• 569246a3325effa11cb8ff362428ab2c
• 3b494133f1a673b2b04df4f4f996a25d
• fc3c31bbdbeee99aba5f7a735fac7a7e
• d96fcd2159643684f4573238f530d03b

SHA-256

• f1eed93e555a0a33c7fef74084a6f8d06a92079e9f57114f523353d877226d72
• 79e15cc02c6359cdb84885f6b84facbf91f6df1254551750dd642ff96998db35
• a6ed3fe39d0956182c0ba9b57966cb8ae84ea029aa8d726f5bef9e7637f549f8
• 0193bd8bcbce9765dbecb288d46286bdc134261e4bff1f3c1f772d34fe4ec695
• 0996a8e5ec1a41645309e2ca395d3a6b766a7c52784c974c776f258c1b25a76c
• ed5fbefd61a72ec9f8a5ebd7fa7bcd632ec55f04bdd4a4e24686edccb0268e05
• 2dff6d721af21db7d37fc1bd8b673ec07b7114737f4df2fa8b2ecfffbe608a00
• 6310cd9f8b6ae1fdc1b55fe190026a119f7ea526cd3fc22a215bda51c9c28214
• b59e8f44822ad6bc3b4067bfdfd1ad286b8ba76c1a3faff82a3feb7bdf96b9c5
• ab194f2bad37bffd32fae9833dafaa04c79c9e117d86aa46432eadef64a43ad6
• f4765f7b089d99b1cdcebf3ad7ba7e3e23ce411deab29b7afd782b23352e698f
• f6ab4e92dadd831dbc02a3cc27d2f6aee4f39e1743485638c8aa2c09341eda49
• 1177105e51fa02f9977bd435f9066123ace32b991ed54912ece8f3d4fbeeade4
• 4da0ac4c3f47f69c992abb5d6e9803348bf9f3c6028a7214dcabec9a2e729b99
• 9137e886e414b12581852b96a1d90ee875053f16b79be57694df9f93f3ead506
• d26987b705f537b10a11fb9913d0acc0218a0c0ae5f27e6f821d6d987b1cd4c7
• b0d6aee39e988196fdc821895a1f1aa63d1c032ea880c26a15c857068f34bfd9
• 868a62feff8b46466e9d63b83135a7987bf6d332c13739aa11b747b3e2ad4bbf
• f13aff9e1192c081c012f974b29bf60487385eed644d506d7f82b3538c2b035f
• 0e447797aa20bff416073281adb09b73c15433ab855b5cdb2d883f8c2af9c414
• 4d03a981bed15a3bd91f36972d7391b39791c582bb2959a9be154a74bd64db31
• 69bac736f42e37302db7eca68b6fc138c3aa9a5c902c149e46cce8b42b172603
• e83f5e0a51845d7078a3aca8ca7a5b786e8bdf284efd3e08b3472dbf3e098930
• 1892b72c053ab48edae8305ef449f2b5391921efea8b1d7c37d6d29f59edc92e
• 7d7dc8125a26d9515d90a66bfd20d609820197c879030cb932d39b1c2998e9d4
• 87f389d8f3a63f0879aa9d9dfbbd2b2c9cf678b871b704a01b39e1eaa234020c
• 0dc3f66f4af3250f56a32f8e1b9e772c514f74718358d19c195e3950d370ea01
• d0fa0bfef8b199a42f4f33145274576e5a7edeb5522fb342af41fdc16e9021e2
• da787cf1f4fd829dd4a7637bec392438b793c5f9c920560197545d20b58691af
• d231f3b6d6e4c56cb7f149cbc0178f7b80448c24f14dced5a864015512b0ba1f
• ebe4befd2a7f941baa65248d5dea09de809e638ec8e8caffae322aa3b6863c1c
• f62adc678eaadc019277640e6695143a45336c2f91019f5d9308812db1d07285
• 2f53109e01c431c1c1acec667adee07cf907cdc4d36429022f915654c9b7113b
• ce534eb8de37b392b25546bfd1bb3c95c96ae6d14524a9241d2fffc02ae7b9c5

SHA1

• 997885451c6629d5da8fd9bd70f0f9977eb8787a
• dbdb4a74fc9c9cd1e1607007dcc04f92b74b2b3a
• e586f9a84c467401db3f492ff7aaf88e3686f415
• 02483dd58e0171881d33a6a66b22a8b1052bcea7
• 98d6417addec8607f1b62cc52123be76424befc0
• 43ef1dd0097da941dbcf64f00a790d6aae3a82f4
• 6d264e102fc281bb79243b3171d38a23f44a8de2
• 5bb9faff8ff2b79700529cea46bc24814ce3ab33
• d13f289c9dcc9aededdfcde7eabc75d35a240372
• d0c8a7efa1d9e7b9b8a570075a0df16fe2f3c67e
• 727945fa45fd748f0ce03e0b8468e8fab3b05bc4
• a0828781b770914f15d7c81f44a953cb7d0f0010
• f632336918ab18ba397a5dd2f956d58c58a5f6ab
• a01318a2ae2cd1cc83c4c8531f8e6c4f9e3306b3
• f72cfe9b09c196f62da6bdc99dca6266bfb1a065
• df694ff44fe7d43dcc1d7eedd33253839347bbeb
• 032678cd7f48a6f5a1516daf897d05953076a4ce
• ab76f74f61428d15ab4e1dacc0824d1770c34689
• 64b4c02d1d42b36bc87a7b5d92a287b1b3b15328
• 6b441c1f107ebad85e01b87dbbdbaa18ef2b41c5
• 0eb4e40416ce2c1df30a01bc54bb21b17370b966
• ca7c2f05f49e9208ddc252e44812c2bdbbedcb80
• 4bc32527b96ba5a0d37f6ad182974c2c8c97a4a7
• 226fe3317091d2f8c615b795ec1eeed69e530ec4
• c85f661a53b9deab53100670200a5a0e745c134c
• 35a4287e9688a83bf22aa5af35e2b35f9e9e84a6
• ff57e56c9ffeb0c66ef6e23edbd5124dfba96c59
• 01e0ccc0abb31b624c024933361637779fd8f368
• 6a6f362e4d93bd7dc1342c0c6c329dfb46b92925
• f890ca1860cd53dda6d97ef7616baf26ef3686a7
• faa5068d6129c5e6d2304f83fec63ed1e1901d0c
• 5028fd6fcbd431ada4bbabdb32cf4f0412a328ec
• 5e0ecb4f8776d4273d3e35bab784fc2d5689c625
• a2831445c73e6010e3ca50678fb5d49fbce13347

URL

• hxxp[:]//ddjm[[.]]co[[.]]kr/bbs/icon/skin/skin
• hxxp[:]//mail[[.]]sisnet[[.]]co[[.]]kr/jsp/user/sms/sms_recv
• hxxp[:]//snum[[.]]or[[.]]kr/skin_img/skin
• hxxp[:]//www[[.]]allamwith[[.]]com/home/mobile/list
• hxxp[:]//www[[.]]conkorea[[.]]com/cshop/banner/list
• hxxp[:]//www[[.]]ddjm[[.]]co[[.]]kr/bbs/icon/skin/skin
• hxxp[:]//www[[.]]jinjinpig[[.]]co[[.]]kr/Anyboard/skin/board

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.