Recent Keylogger Attributed to North Korean Group Andariel

Nov. 4, 2024, 9:32 p.m.

Description

A new keylogger, attributed to the North Korean group Andariel (APT45), has been linked to targeted attacks against U.S. organizations. The malware captures keystrokes and mouse activity, storing data in an encrypted archive. It employs anti-analysis techniques like code obfuscation through junk code. The keylogger sets global Windows hooks to intercept keystrokes and mouse events, modifies registry for persistence, and creates a password-protected archive in the temp folder. It uses SetWindowsHookEx API for keyboard and mouse event monitoring, and GetMessageW API for message queue handling. The malware also steals clipboard data and logs special key presses. Hybrid Analysis effectively identified the keylogger's capabilities, persistence mechanism, and log file creation, providing valuable insights for threat analysis.

External References

https://hybrid-analysis.blogspot.com/2024/11/recent-keylogger-attributed-to-north.html
https://otx.alienvault.com/pulse/67290072653a1604cc00e6c2
Tags
persistence
anti-analysis
keylogger
apt45
2024-11-04
andariel keylogger
hook procedures
clipboard theft

Date

  • Created: Nov. 4, 2024, 5:12 p.m.
  • Published: Nov. 4, 2024, 5:12 p.m.
  • Modified: Nov. 4, 2024, 9:32 p.m.

Indicators

  • d71f478b1d5b8e489f5daafda99ad203de356095278c216a421694517826b79a
Download all indicators here!

Attack Patterns

  • Andariel keylogger
  • Andariel

Additional Informations

  • United States of America