Andariel Cybercriminal Group Targets South Korean Users

In April 2021, security researchers identified a new email spam campaign targeting Korean users with decoy documents laced with malicious scripts. The goal of the campaign was to deliver a payload that did not appear to belong to any previously known malware family. After analyzing the malware's behavior and infrastructure, the researchers noticed that both aspects of the attack closely resembled earlier campaigns carried out by the Lazarus APT. They attribute the April campaign to a sub-group of the Lazarus Advanced Persistent Threat (APT) actor that is currently tracked as Andariel.

The Andariel Criminal Group relied on a custom backdoor in this campaign, but some victims were also infected with ransomware at a later stage. Tracking the group's earlier activity shows that it was previously involved in a financially motivated attack against ATM devices.

Victims of the Andariel Criminal Group in April were approached through macro-laced documents delivered via email. The attacks primarily target entities and users in South Korea, and the operators appear to deploy additional payloads manually once the initial backdoor infection is complete. The ransomware they use is also custom-built, but its behavior is similar to that of other file-lockers circulating on the Internet. Andariel Criminal Group's ransomware will:

  • Encrypt the victim's files while skipping executable and system file types such as EXE, SYS and DLL, which keeps the host bootable and the ransom note readable.
  • Demand a ransom payment in Bitcoin.
  • Leave a note containing a victim ID and the attacker's contact email address.

Judging by Andariel Criminal Group's earlier attack against ATMs and the currently active ransomware campaign, it is reasonable to conclude that the group's operations are mostly financially motivated. This sub-group of the Lazarus APT appears to be stepping up its activity, so more details about its operations and malware are likely to surface before long.