South Korea is a frequent target of North Korean state-sponsored hacking groups. The country is now being targeted by Andariel, a known cyberespionage arm of the infamous North Korean group Lazarus.
While Lazarus is considered a financially motivated group, targeting banks, casinos and, more recently, cryptocurrency exchanges, Andariel targets businesses and government agencies.
According to security researchers at Trend Micro, who have been monitoring Andariel’s recent activities, the group has been fairly active over the past few months. The hackers have been involved in a campaign dubbed “GoldenAxe”, using an ActiveX zero-day exploit to conduct watering hole attacks. According to IssueMakersLab, Andariel has been attacking ActiveX vulnerabilities since as far back as 2007.
As recently as June 21, Trend Micro researchers discovered Andariel injecting its code into four compromised South Korean websites. One of the sites belonged to a Korean non-profit organization, while the rest belonged to local government labor union groups. The reconnaissance stage lasted until June 27.
The structure and obfuscation of the malicious code are similar to those used by Andariel in previous campaigns. In this case, the injected script was used to collect information such as the targeted system’s browser type, language, Flash Player version, Silverlight version and more.
“We found that the code of the new injected script is similar to the sample Andariel previously used in May. However, the new script was trying to collect different ActiveX object information and targeted objects that it wasn’t attacking before,” Trend Micro researchers wrote in a blog.
“In the earlier case, the group collected targeted ActiveX objects on users’ Internet Explorer browser before they used the zero-day exploit,” the researchers added. “This was possibly part of their reconnaissance strategy, to find the right targets for their exploit. Based on this, we believe it’s likely that the new targeted ActiveX objects we found could be their next targets for a watering hole exploit attack.”
Andariel was also spotted targeting a South Korean think tank in January 2017. The group has also targeted a South Korea-based voice conversion software provider whose products and services are used by various local government entities and public organizations. These infections indicate that Andariel is expanding its operations and target base.
“Reconnaissance is the stage where attackers collect information from potential targets to help them determine what tactics will work,” Trend Micro researchers concluded. “These new developments from the Andariel group give us an idea of their plans, although we cannot make specific assumptions about their strategy.”