New Andariel Reconnaissance Tactics Hint At Next Targets

In cooperation with IssueMakersLab of South Korea

Reconnaissance plays a vital role in criminal operations, and some groups go to great lengths to investigate their targets’ systems. A recent example is the Andariel Group, a known branch of the notorious Lazarus Group. Last month we tracked new scouting techniques coming from Andariel, which were used mainly against South Korean targets.

Andariel has been quite active these past few months. According to South Korean security researchers IssueMakersLab, the group used an ActiveX zero-day exploit for watering hole attacks on South Korean websites last May—they called this “Operation GoldenAxe”. But more recently on June 21, we noticed that Andariel injected their script into four other compromised South Korean websites for reconnaissance purposes.

We found that the code of the new injected script is similar to the sample Andariel previously used in May. However, the new script was trying to collect different ActiveX object information and targeted objects that it wasn’t attacking before.

In the earlier case, the group collected targeted ActiveX objects on users’ Internet Explorer browser before they used the zero-day exploit. This was possibly part of their reconnaissance strategy, to find the right targets for their exploit. Based on this, we believe it’s likely that the new targeted ActiveX objects we found could be their next targets for a watering hole exploit attack. To help prevent any damage, we decided to publish our findings before the group deploys the attack.

Figure 1

Figure 1. Watering hole reconnaissance flow

Analysis of the Andariel techniques

On June 21, we found that the website of a Korean non-profit organization was compromised with an injected script that collected visitors’ information. We also found the same script on three South Korean local government labor union websites. This reconnaissance lasted until 27 June. We already notified the websites about the compromise.

We believe that the injected script came from the Andariel group since the code has similar obfuscation and structure to the sample we previously found from them. The script was used to collect information from visitors’ browser: browser type, system language, Flash Player version, Silverlight version, and multiple ActiveX objects.

The original script is from the PluginDetect Library, and it was also used by exploit kits to verify victims before an attack. The verification process included sending collected information to another compromised website that hosted their PHP program and was designed to receive the information.

Figure 2

Figure 2. Compromised website injected with malicious script that collects information

Our colleagues from the IssueMakersLab team shared insights and information about the Andariel group, including that they attacked ActiveX vulnerabilities as far back as 2007. The team monitoring Andariel found that the cybercriminal group injected a malicious script on a South Korean think tank website for reconnaissance in January 2017 and then switched to inject an ActiveX zero-day exploit in mid-April. IssueMakersLab also listed the ActiveX objects that the Andariel group attacked.

During analysis, we noticed that the new injected script was trying to detect two additional ActiveX objects that were not on the previous list. One is “DSDOWNCTRL.DSDownCtrlCtrl.1”, which is related to a DRM (Digital Rights Management) software from a South Korean Document Protection Security vendor. Another is “WSACTIVEBRIDGEAX.WSActiveBridgeAXCtrl.1”, which is related to a South Korea-based voice conversion software company. Many local governments and public institutions use these software.

We made a table to compare the information that the script samples collected in the previous case and this more recent case.

  Collected Information from Old Script Sample (May 2018)   Collected Information from New Script Sample (June 2018)
Parameter Meaning Parameter Meaning
w Website name w Website name
r value r value
o OS version o OS version
lv HTTP Accept-Language lv HTTP Accept-Language
bt Browser Information bt Browser Information
bv Browser Information bv Browser Information
bdv Browser Information bdv Browser Information
fv Flash Version fv Flash Version
silv Silverlight Version silv Silverlight Version
ez EasyPayPlugin ActiveX Availability ez EasyPayPlugin ActiveX Availability
ac ACUBEFILECTRL ActiveX Availability*
mg MagicLoaderX ActiveX Availability
nv NVersionMan ActiveX Availability
si SIClientAccess ActiveX Availability si SIClientAccess ActiveX Availability
du DUZONERPSSO ActiveX Availability du DUZONERPSSO ActiveX Availability
iw INIWALLET61 ActiveX Availability
 –  – ad admctrl ActiveX Availability
 –  – dw DSDownCtril ActiveX Availability**
 –  – ab WSActiveBridgeAX ActiveX Availability***
 –  – ve Voice Conversion Software “WSActiveBridge” WebSocket Availability****
* detection of the previous ActiveX zero-day object
** detection of the ActiveX object related to DRM software (one of the new targets)
*** detection of the ActiveX object related to voice conversion software (one of the new targets)
**** detection of the WebSocket related to voice conversion software (one of the new targets)

Table 1. Comparison of the information collected by the previous and new script

Besides the ActiveX objects, we noticed that the script added new code to connect websocket to localhost. The voice conversion software has websocket service listening on the local host so the injected script can detect the software by checking if they can establish a connection to ports 45461 and 45462, which the software uses.

In addition, the verification process in the older script is different from the ActiveX detection, which was only for the Internet Explorer browser. In the script found in June, the websocket verification could also be performed on other browsers like Chrome and Firefox. This shows that the attacker has expanded his target base, and is interested in the software itself and not just their ActiveX objects. Based on this change, we can expect them to start using attack vectors other than ActiveX.

Figure 3

Figure 3. Script (Deobfuscated) for detecting the voice conversion software ActiveX object and local websocket availability

Figure 4

Figure 4. The voice conversion software (WSActiveBridge.exe) is listening on port 45461 and 45462

Reconnaissance is the stage where attackers collect information from potential targets to help them determine what tactics will work. These new developments from the Andariel group give us an idea of their plans, although we cannot make specific assumptions about their strategy.

To stay one step ahead of threats like this, we recommend that people use layered security protection in their environments. Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from similar threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachment and URLs.

Trend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.

Indicators of Compromise (IoC)


IoC Description
cfcd391eec9fca663afd9a4a152e62af665e8f695a16537e061e924a3b63c3b9 Injected Script in May 2018
e0e30eb5e5ff1e71548c4405d04ce16b94c4cb7f8c2ed9bd75933cea53533114 Injected Script in June 2018


hxxp://aega[.]co[.]kr/mall/skin/skin.php Compromised site (received information May 2018)
hxxp://www[.]peaceind[.]co[.]kr/board/icon/image.php Compromised site (received information May 2018)
hxxp://adfamc[.]com/editor/sorak/image.php Compromised site (received information June 2018)



The post New Andariel Reconnaissance Tactics Hint At Next Targets appeared first on .

This post appeared first on Trend Macro Blog
Author: Joseph C Chen (Fraud Researcher)