Andariel Hacking Group Shifts Focus to Financial Attacks on U.S. Organizations

Three different organizations in the U.S. were targeted in August 2024 by a North Korean state-sponsored threat actor called Andariel as part of a likely financially motivated attack.

“While the attackers didn’t succeed in deploying ransomware on the networks of any of the organizations affected, it is likely that the attacks were financially motivated,” Symantec, part of Broadcom, said in a report shared with The Hacker News.

Andariel is a threat actor that’s assessed to be a sub-cluster within the infamous Lazarus Group. It’s also tracked as APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly. It’s been active since at least 2009.

An element within North Korea’s Reconnaissance General Bureau (RGB), the hacking crew has a track record of deploying ransomware strains such as SHATTEREDGLASS and Maui, while also developing an arsenal of custom backdoors like Dtrack (aka Valefor and Preft), TigerRAT, Black RAT (aka ValidAlpha), Dora RAT, and LightHand.

Some of the other lesser-known tools used by the threat actor include a data wiper codenamed Jokra and an advanced implant called Prioxer that allows for exchanging commands and data with a command-and-control (C2) server.

In July 2024, a North Korean military intelligence operative part of the Andariel group was indicted by the U.S. Department of Justice (DoJ) for allegedly carrying out ransomware attacks against healthcare facilities in the country and using the ill-gotten funds to conduct additional intrusions into defense, technology, and government entities across the world.

The latest set of attacks is characterized by the deployment of Dtrack, as well as another backdoor named Nukebot, which comes with capabilities to execute commands, download and upload files, and take screenshots.

“Nukebot has not been associated with Stonefly before; however, its source code was leaked and this is likely how Stonefly obtained the tool,” Symantec said.

The exact method by which initial access was abstained is unclear, although Andariel has a habit of exploiting known N-day security flaws in internet-facing applications to breach target networks.

Some of the other programs used in the intrusions are Mimikatz, Sliver, Chisel, PuTTY, Plink, Snap2HTML, and FastReverseProxy (FRP), all of which are either open-sourced or publicly available.

The attackers have also been observed using an invalid certificate impersonating Tableau software to sign some of the tools, a tactic previously disclosed by Microsoft.

While Andariel has seen its focus shift to espionage operations since 2019, Symantec said its pivot to financially motivated attacks is a relatively recent development, one that has continued despite actions by the U.S. government.

“The group is likely continuing to attempt to mount extortion attacks against organizations in the U.S.,” it added.

The development comes as Der Spiegel reported that German defense systems manufacturer Diehl Defense was compromised by a North Korean state-backed actor referred to as Kimsuky in a sophisticated spear-phishing attack that involved sending fake job offers from American defense contractors.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.