Andariel APT and South Korean security vendor
Andariel, another sub-group of Lazarus, has been working to build new C2 infrastructure by exploiting CVE-2017-10271 on vulnerable WebLogic servers. This tactic proved effective: after a successful breach, the attackers implanted malware signed with a legitimate certificate belonging to a South Korean security software vendor. The malicious signature was revoked thanks to the quick response of the South Korean CERT.
Traditionally focused on geopolitical espionage and financial intelligence in South Korea, Andariel is also using a brand new type of backdoor dubbed ApolloZeus. This complex and discreet backdoor uses a relatively large shellcode in order to make analysis difficult.
Based on Kaspersky’s investigation of the recovered artifact, the group’s activity is an early preparation stage for a new campaign.
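Initial access here went through a WebLogic server, so the first place a defender can look for this activity is the web server's own access log. The following script is an added example written for this page, not code from Kaspersky or from the report: it parses combined-format access log lines and flags requests to WebLogic's WLS-WSAT web-service path, the component that CVE-2017-10271 affects. The sample log lines are constructed (documentation IP ranges), and the assumption that no legitimate client calls that path is labelled in the code; any client that does belongs in `KNOWN_CLIENTS`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote

# CVE-2017-10271 lives in WebLogic's WLS-WSAT web-service component, reached
# under this path prefix. Assumption (not from the report): nothing in your
# environment legitimately calls it; if something does, list that client in
# KNOWN_CLIENTS rather than disabling the check.
WLS_WSAT_PREFIX = "/wls-wsat/"
KNOWN_CLIENTS: set = set()

# Apache/nginx "combined"-style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines: List[str]) -> List[Finding]:
    """Flag requests that touch the WLS-WSAT endpoint from unexpected clients."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in KNOWN_CLIENTS:
            continue
        # Decode %-escapes so an encoded prefix cannot slip past the comparison.
        path = unquote(rec["path"]).lower()
        if not path.startswith(WLS_WSAT_PREFIX):
            continue
        if rec["method"] == "POST":
            severity = "high"
            reason = "POST to WLS-WSAT endpoint (CVE-2017-10271 exploitation path)"
        else:
            severity = "low"
            reason = "non-POST request to WLS-WSAT endpoint (likely probing)"
        findings.append(Finding(rec["ip"], rec["ts"], rec["method"], rec["path"],
                                int(rec["status"]), severity, reason))
    return findings


def summarize_by_source(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per source IP so repeat offenders stand out."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Sep/2019:03:14:07 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1832
203.0.113.42 - - [10/Sep/2019:03:14:09 +0000] "GET /wls-wsat/CoordinatorPortType HTTP/1.1" 200 0
203.0.113.42 - - [10/Sep/2019:03:14:11 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 0
198.51.100.7 - - [10/Sep/2019:03:15:00 +0000] "POST /myapp/orders HTTP/1.1" 200 512
this line is not in combined log format
""".splitlines()

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.severity}] {h.ip} {h.method} {h.path} -> {h.status}: {h.reason}")
    print(summarize_by_source(hits))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines. A `GET` to the path is worth a low-severity note because probing usually precedes the `POST` that carries the payload; a `POST` answered with a 500 is not proof of compromise on its own, so correlate the source IP with any new outbound connections or new files on the WebLogic host before calling it an incident.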
“Targeted attacks against financial institutions combine sophisticated techniques – that were previously seen only in APT attacks – with typical criminal infrastructures used to launder the stolen goods. In Q3, we’ve seen advanced threat actors such as Andariel and Lazarus’ BlueNoroff arm attempting to breach not only banks, but investment companies and cryptocurrency exchanges, among others. We advise all companies in APAC to be vigilant and take precautions to guard against such attacks,” says Costin Raiu, Director of Global Research & Analysis Team at Kaspersky.
DADJOKE and geopolitical entities in Southeast Asia
Aside from the Korean-speaking APT groups active in Q3 2019, Kaspersky also observed a recent campaign using a piece of malware that FireEye refers to as DADJOKE to hunt for intelligence in Southeast Asia.
Researchers monitored the use of this malware in a small number of campaigns at the beginning of the year against government, military, and diplomatic entities in the Southeast Asia region. The latest known activity of this malware was detected on August 29 and involved a select few individuals working for a military organization.
“We have highlighted in our Q2 APT Report the increased attention Korean-focused APT campaigns have been giving towards different organizations and personalities in Southeast Asia and Korea. True to our prediction, we have monitored several malicious activities of Korean-speaking APT groups and new malware in both regions from July to September this year. Our observations suggest that most of them are intelligence-hungry, both for financial and geopolitical secrets,” comments Seongsu Park, senior security researcher at Kaspersky.
The Q3 APT Trends report summarizes the findings of Kaspersky’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware-hunting. For more information, please contact: intelreports@kaspersky.com.
The full Kaspersky Q3 APT Trends Report is available here: https://securelist.com/apt-trends-report-q3-2019/94530/.