
G0138 Andariel

Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations, which have included destructive attacks, against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle. [4][5][1][2][3]

Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau. [6]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Item | Value
--- | ---
ID | G0138
Associated Names | Silent Chollima
Version | 1.0
Created | 29 September 2021
Last Modified | 30 November 2022

Associated Group Descriptions

Name | Description
--- | ---
Silent Chollima | [3]

Techniques Used

Domain | ID | Name | Use
--- | --- | --- | ---
Enterprise | T1005 | Data from Local System | Andariel has collected large numbers of files from compromised network systems for later extraction. [4]
Enterprise | T1189 | Drive-by Compromise | Andariel has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range. [1][2]
Enterprise | T1203 | Exploitation for Client Execution | Andariel has exploited numerous ActiveX vulnerabilities, including zero-days. [4][5][2]
Enterprise | T1592 | Gather Victim Host Information | -
Enterprise | T1592.002 | Software | Andariel has inserted a malicious script within compromised websites to collect potential victim information such as browser type, system language, Flash Player version, and other data. [2]
Enterprise | T1590 | Gather Victim Network Information | -
Enterprise | T1590.005 | IP Addresses | Andariel has limited its watering hole attacks to specific IP address ranges. [1]
Enterprise | T1105 | Ingress Tool Transfer | Andariel has downloaded additional tools and malware onto compromised hosts. [1]
Enterprise | T1027 | Obfuscated Files or Information | -
Enterprise | T1027.003 | Steganography | Andariel has hidden malicious executables within PNG files. [7][8]
Enterprise | T1588 | Obtain Capabilities | -
Enterprise | T1588.001 | Malware | Andariel has used a variety of publicly available remote access Trojans (RATs) for its operations. [4]
Enterprise | T1566 | Phishing | -
Enterprise | T1566.001 | Spearphishing Attachment | Andariel has conducted spearphishing campaigns that included malicious Word or Excel attachments. [1][7]
Enterprise | T1057 | Process Discovery | Andariel has used tasklist to enumerate processes and find a specific string. [8]
Enterprise | T1049 | System Network Connections Discovery | Andariel has used the netstat -naop tcp command to display TCP connections on a victim's machine. [8]
Enterprise | T1204 | User Execution | -
Enterprise | T1204.002 | Malicious File | Andariel has attempted to lure victims into enabling malicious macros within email attachments. [1]

Software

ID | Name | References | Techniques
--- | --- | --- | ---
S0032 | gh0st RAT | [1] | Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Standard Encoding: Data Encoding; Deobfuscate/Decode Files or Information; Fast Flux DNS: Dynamic Resolution; Symmetric Cryptography: Encrypted Channel; Encrypted Channel; DLL Side-Loading: Hijack Execution Flow; Clear Windows Event Logs: Indicator Removal; File Deletion: Indicator Removal; Ingress Tool Transfer; Keylogging: Input Capture; Modify Registry; Native API; Non-Application Layer Protocol; Process Discovery; Process Injection; Query Registry; Screen Capture; Shared Modules; Rundll32: System Binary Proxy Execution; System Information Discovery; Service Execution: System Services
S0433 | Rifdoor | [1] | Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Symmetric Cryptography: Encrypted Channel; Obfuscated Files or Information; Binary Padding: Obfuscated Files or Information; Spearphishing Attachment: Phishing; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; Malicious File: User Execution

References