A malware campaign targeting South Korean organizations has been attributed to Andariel, a North Korean nation-state hacking group. The development shows that Lazarus-linked attackers are keeping up with trends and expanding their arsenal, according to The Hacker News.
Kaspersky Lab stated in a detailed report, “The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity”. The attack hit victims in the manufacturing, home network services, media, and construction sectors.
Andariel, part of the Lazarus constellation of groups, is notorious for launching attacks on South Korean organizations and businesses. The subgroup, along with Lazarus and Bluenoroff, was sanctioned by the U.S. Treasury Department in September 2019 for hostile cyber activity against vital infrastructure.
North Korea is attempting to hack into South Korean financial institutions
North Korea is behind an increasingly coordinated effort to infiltrate the computers of financial institutions in South Korea and around the world. Simultaneously, it orchestrates cryptocurrency thefts to try to evade the stranglehold of economic sanctions imposed to halt the development of its nuclear weapons program.
Kaspersky’s findings build on an earlier report from Malwarebytes in April 2021. In that report, the cybersecurity company documented a novel infection chain that used phishing emails to drop a remote-access Trojan (RAT) on target systems.
According to the latest investigation, the new malware works in a similar manner. In addition to installing a backdoor, the threat actor deployed file-encrypting ransomware against one of its victims, suggesting a financial motivation. It should be noted that Andariel has attempted to steal bank card data in the past by hacking into ATMs to capture cash, and has sold customer data on the black market.
The ransomware is designed to encrypt all files except those with the system-critical extensions “.exe”, “.dll”, “.sys”, “.msiins”, and “.drv”. As expected, it demands a Bitcoin payment in return for decryption software and a unique key to unlock the encrypted data.
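An incident-response triage helper built around the exclusion list above, added here as an example and not taken from Kaspersky’s report or the article. It compares a file inventory captured before and after a suspected run, lists what changed, and checks whether the untouched files are fully explained by the documented extension list; the paths and hashes are constructed sample data.

```python
from pathlib import PureWindowsPath

# Extensions the article reports this ransomware leaves unencrypted.
SKIPPED_EXTENSIONS = {".exe", ".dll", ".sys", ".msiins", ".drv"}


def triage(before: dict, after: dict, skipped=SKIPPED_EXTENSIONS) -> dict:
    """Compare two {path: content_hash} inventories of the same host.

    Returns the paths whose content changed, the paths left alone, and
    whether that split is consistent with the documented exclusion list:
    every untouched file should carry a skipped extension, and no file with
    a skipped extension should have been rewritten.
    """
    changed = sorted(p for p in before if after.get(p) != before[p])
    unchanged = sorted(p for p in before if after.get(p) == before[p])
    # Untouched files outside the skip list are unexpected for this family.
    unexpected_unchanged = [
        p for p in unchanged
        if PureWindowsPath(p).suffix.lower() not in skipped
    ]
    # Rewritten files inside the skip list are equally unexpected.
    tampered_system = [
        p for p in changed if PureWindowsPath(p).suffix.lower() in skipped
    ]
    return {
        "changed": changed,
        "unchanged": unchanged,
        "unexpected_unchanged": unexpected_unchanged,
        "tampered_system_files": tampered_system,
        "matches_documented_exclusions": (
            not unexpected_unchanged and not tampered_system
        ),
    }


# Constructed sample inventories with fake hashes, not data from the campaign.
BEFORE = {
    r"C:\Users\kim\report.docx": "a1",
    r"C:\Users\kim\photo.jpg": "b2",
    r"C:\Windows\System32\kernel32.dll": "c3",
    r"C:\Tools\app.exe": "d4",
    r"C:\Windows\System32\drivers\disk.sys": "e5",
}
# After the run, only the two user documents have new content.
AFTER = {**BEFORE, r"C:\Users\kim\report.docx": "ff", r"C:\Users\kim\photo.jpg": "ee"}

if __name__ == "__main__":
    print(triage(BEFORE, AFTER))
```

A verdict of False with entries in `unexpected_unchanged` or `tampered_system_files` means the observed damage does not fit the behaviour described for this family and the sample deserves a closer look.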
Kaspersky also noted an overlap in the XOR-based decryption routine, which the group introduced into its tooling back in 2018. The commands issued on victims’ workstations after exploitation were what led Kaspersky to attribute the activity to Andariel.