New Andariel Reconnaissance Tactics Hint At Next Targets
(Jul 16, 2018)
Trend Micro and IssueMakersLab researchers have produced a report detailing new reconnaissance tactics that they attribute to the threat group “Andariel Group.” The Andariel Group is known to be a branch of the Advanced Persistent Threat (APT) group “Lazarus Group” (also known as HIDDEN COBRA), which is attributed to the Democratic People’s Republic of Korea (DPRK) government. Researchers found that on June 21 the group had injected a script onto the website of a Korean non-profit organization that collected visitors’ information on that website. The collected data consisted of browser type, Flash Player version, multiple ActiveX objects, Silverlight version, and system language. This reconnaissance campaign lasted until June 27, 2018.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
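One practical form of the monitoring recommended above is a content-integrity check: record the scripts a page legitimately serves, then periodically re-fetch the page and flag any script that was not in the baseline, noting whether the new code touches the browser-profiling APIs named in this story (ActiveX, Flash, Silverlight, system language). The Python below is an added example written for this digest; it is not code from Trend Micro, IssueMakersLab or Anomali. The two HTML documents, the script paths and the `example.invalid` host are constructed sample data, and the marker list is an assumption about what a profiling script typically references, not an indicator from the report.

```python
import hashlib
import json
from html.parser import HTMLParser

# Assumed markers of browser/plugin profiling. Their presence in a NEW script
# raises priority; it is not proof of compromise on its own.
FINGERPRINT_MARKERS = (
    "ActiveXObject",
    "ShockwaveFlash",
    "Silverlight",
    "navigator.plugins",
    "navigator.language",
    "navigator.userAgent",
)


class _ScriptCollector(HTMLParser):
    """Collects inline script bodies and external script src values."""

    def __init__(self):
        super().__init__()
        self.inline = []
        self.external = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def extract_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.inline, parser.external


def _digest(script_body):
    # Whitespace-insensitive hash so trivial reformatting does not alert.
    return hashlib.sha256(script_body.strip().encode("utf-8")).hexdigest()


def baseline(html):
    """Snapshot of a page known to be clean: inline hashes and external srcs."""
    inline, external = extract_scripts(html)
    return {"inline": {_digest(s) for s in inline}, "external": set(external)}


def diff_against_baseline(html, base):
    """Return findings for every script not present in the clean snapshot."""
    inline, external = extract_scripts(html)
    findings = []
    for body in inline:
        digest = _digest(body)
        if digest not in base["inline"]:
            findings.append({
                "type": "new_inline_script",
                "sha256": digest,
                "fingerprint_markers": [m for m in FINGERPRINT_MARKERS if m in body],
            })
    for src in external:
        if src not in base["external"]:
            findings.append({"type": "new_external_script", "src": src})
    return findings


# Constructed sample pages (not from the report).
CLEAN_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>
  window.siteReady = true;
</script>
</head><body><p>Donate today</p></body></html>"""

INJECTED_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>
  window.siteReady = true;
</script>
<script>
  /* constructed sample of a profiling snippet */
  var info = { lang: navigator.language, ax: typeof ActiveXObject };
</script>
<script src="https://example.invalid/collect.js"></script>
</head><body><p>Donate today</p></body></html>"""

if __name__ == "__main__":
    snapshot = baseline(CLEAN_PAGE)
    print(json.dumps(diff_against_baseline(INJECTED_PAGE, snapshot), indent=2))
```

In production the baseline would be stored when the site is known-good and the check run against a fresh fetch of each public page on a schedule; a new inline script that also references the profiling markers is the case worth paging someone about, while a new external src should be confirmed against the deployment history before being treated as benign.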
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.