
Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger)

Dec. 31, 2024, 4:57 p.m.

Description

The Andariel group has been targeting various South Korean software solutions, particularly asset management and document management systems. Recent attacks involve the installation of SmallTiger malware, often through exploiting vulnerabilities in outdated software versions. In asset management solution attacks, the group uses ModeLoader and SmallTiger, sometimes replacing update programs to distribute malware. They also employ keyloggers and enable RDP access for future intrusions. A new attack vector involves a Korean document management solution, where outdated Apache Tomcat servers are exploited. The attackers use system information queries, Advanced Port Scanner, and attempt to install web shells. Corporate security managers are advised to strengthen monitoring of centralized management solutions, apply security patches, and keep systems updated to prevent malware infections.

Date

Published: Dec. 31, 2024, 4:26 p.m.

Created: Dec. 31, 2024, 4:26 p.m.

Modified: Dec. 31, 2024, 4:57 p.m.

Indicators

303243e4a8bf71cbb208d608277ab25241ecbd1a0b8930a68c27ab03b0d4d8ae

d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb

45.61.148.153

20.20.100.32

http://45.61.148.153/pizza.xn--jsp-to0a

Attack Patterns

SmallTiger

ModeLoader

Andariel Group

T1542.003

T1505.003

T1021.001

T1136

T1059.001

T1056.001

T1070.004

T1016

T1082

T1105

T1033

T1049

T1190

T1133

T1078

Additional Information

Technology