This year in April, a suspicious Word document was spotted that had a Korean file name and decoy. On analysis, researchers found a unique infection pattern and an unknown payload. Who’s responsible?

Initially, this series of attacks was attributed to the Lazarus APT group by Malwarebytes. However, after further analysis, the attacks were more precisely attributed to the Andariel group, which the Korean Financial Security Institute designates as a sub-group of Lazarus.

About Andariel

The group is infamous for launching attacks on South Korean businesses and organizations, customizing its tactics to each target for greater success. Andariel was first spotted in May 2016, and since then its tools and techniques have evolved considerably. Its attacks on South Korean entities have shown it to be a financially motivated, state-sponsored threat actor.

Why does it matter?

  • North Korea is responsible for orchestrated efforts aimed at infiltrating financial institutions in South Korea and around the globe.
  • Andariel, apart from installing a backdoor, also delivered file-encrypting ransomware to a victim, implying that the attacks are financially motivated.
  • The ransomware sample is tailored for this particular attack.

The bottom line

It should be noted that Andariel is notorious for its attempts at stealing bank card information by hacking into ATMs, either to withdraw cash or to sell the information on the dark market. As a sub-group of Lazarus, Andariel can be expected to become a bigger threat in the near future. Given the considerable improvements in its tactics, techniques, and procedures, organizations should implement a robust cybersecurity posture.

Cyware Publisher