Recent Keylogger Attributed to North Korean Group Andariel
Nov. 4, 2024, 9:32 p.m.
Tags
External References
Description
A new keylogger, attributed to the North Korean group Andariel (APT45), has been linked to targeted attacks against U.S. organizations. The malware captures keystrokes and mouse activity and stores the collected data in an encrypted archive. It employs anti-analysis techniques such as code obfuscation through junk code. The keylogger installs global Windows hooks to intercept keystroke and mouse events, modifies the registry for persistence, and creates a password-protected archive in the temp folder. It uses the SetWindowsHookEx API for keyboard and mouse event monitoring and the GetMessageW API for message queue handling. The malware also steals clipboard data and logs special key presses. Hybrid Analysis effectively identified the keylogger's capabilities, its persistence mechanism, and its log file creation, providing valuable insights for threat analysis.
Date
Published: Nov. 4, 2024, 5:12 p.m.
Created: Nov. 4, 2024, 5:12 p.m.
Modified: Nov. 4, 2024, 9:32 p.m.
Indicators
d71f478b1d5b8e489f5daafda99ad203de356095278c216a421694517826b79a
Attack Patterns
Andariel keylogger
Andariel
T1573.001
T1059.003
T1115
T1547.001
T1012
T1497
T1056.001
T1082
T1057
T1083
T1055
T1140
T1027
T1112
Additional Information
United States of America