Andariel, designated as a sub-group of the Lazarus Group APT, has historically targeted South Korean organzations.

Dark Reading Staff, Dark Reading

June 16, 2021

1 Min Read

Andariel, a subdivision of the Lazarus Group APT associated with North Korea, is behind a recent attack campaign that uses malicious Word documents and files that mimic PDFs, Kaspersky researchers report. 

This group has previously targeted South Korean businesses and government agencies; in this attack, its victims also appear to be South Korean entities. 

Researchers say they observed a suspicious Word document with a Korean file name and decoy with an unusual infection scheme and an unfamiliar payload. Further analysis revealed a connection to Andariel; researchers noticed code overlaps between the second stage payload in this campaign and previous malware from the Andariel group. There were other characteristics connecting this malware to Andariel, researchers report. 

"Each threat actor has characteristics when they interactively work with a backdoor shell in the post-exploitation phase," they wrote in a report on the findings. "The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity."

Kaspersky says Andariel has been spreading the third stage payload using malicious Word documents since the middle of 2020.

Details on the attack campaign can be found here.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights