
Recent Keylogger Attributed to North Korean Group Andariel

Nov. 4, 2024, 9:32 p.m.

Description

A new keylogger, attributed to the North Korean group Andariel (APT45), has been linked to targeted attacks against U.S. organizations. The malware captures keystrokes and mouse activity and stores the data in an encrypted archive. It employs anti-analysis techniques such as code obfuscation through junk code. The keylogger sets global Windows hooks to intercept keystrokes and mouse events, modifies the registry for persistence, and creates a password-protected archive in the temp folder. It uses the SetWindowsHookEx API to monitor keyboard and mouse events and the GetMessageW API to handle the message queue. The malware also steals clipboard data and logs special key presses. Hybrid Analysis identified the keylogger's capabilities, persistence mechanism, and log file creation, providing useful input for threat analysis.
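The two host-side behaviours described above, a registry persistence entry pointing at a binary in the temp folder and a password-protected archive created in that same folder, are the observable footprint a defender can hunt for. The script below is an added example, not code from the original report or from Hybrid Analysis: it runs a simple correlation over constructed Sysmon-style registry and file-creation events (field names, hostnames and paths are all assumptions), flags hosts where a Run-key value points into a temp directory, notes whether an archive appeared in temp on the same host, and checks a file's SHA-256 against the indicator published on this page.

```python
"""Hunt for the persistence + temp-archive footprint described in the report.

Added example with constructed events; the event schema (host/event/target/details)
is a hypothetical flattening of Sysmon EventID 13 (registry value set) and
EventID 11 (file create). Only the SHA-256 indicator comes from the page.
"""
import hashlib
import re
from collections import defaultdict

# SHA-256 indicator published for the Andariel keylogger sample (from the page).
ANDARIEL_KEYLOGGER_SHA256 = "d71f478b1d5b8e489f5daafda99ad203de356095278c216a421694517826b79a"

# Autostart locations (T1547.001) and user-writable temp directories.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TEMP_PATH_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)$", re.IGNORECASE)

# Constructed sample events (not real telemetry). ws01 shows both behaviours,
# ws02 is a benign Run-key entry, ws03 has only an archive in temp.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "RegistryValueSet",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"host": "ws01", "event": "FileCreate",
     "target": r"C:\Users\alice\AppData\Local\Temp\log.zip", "details": ""},
    {"host": "ws02", "event": "RegistryValueSet",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"host": "ws03", "event": "FileCreate",
     "target": r"C:\Users\bob\AppData\Local\Temp\report.zip", "details": ""},
]


def classify_event(ev):
    """Return a behaviour tag for one event, or None if it is uninteresting."""
    if ev["event"] == "RegistryValueSet":
        # Persistence via a Run key whose value launches something from temp.
        if RUN_KEY_RE.search(ev["target"]) and TEMP_PATH_RE.search(ev["details"]):
            return "temp_run_persistence"
    elif ev["event"] == "FileCreate":
        # Archive dropped in temp, where the report says the keylogger stores logs.
        if TEMP_PATH_RE.search(ev["target"]) and ARCHIVE_RE.search(ev["target"]):
            return "temp_archive"
    return None


def find_suspicious_hosts(events):
    """Map host -> sorted behaviour tags, keeping only hosts with the persistence signal.

    An archive in temp alone is common and noisy, so it is reported only as
    corroborating context on hosts that also show the Run-key persistence.
    """
    tags_by_host = defaultdict(set)
    for ev in events:
        tag = classify_event(ev)
        if tag:
            tags_by_host[ev["host"]].add(tag)
    return {h: sorted(t) for h, t in tags_by_host.items()
            if "temp_run_persistence" in t}


def matches_ioc(data, ioc=ANDARIEL_KEYLOGGER_SHA256):
    """True if the SHA-256 of the given bytes equals the published indicator."""
    return hashlib.sha256(data).hexdigest() == ioc.lower()


if __name__ == "__main__":
    for host, tags in find_suspicious_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
    print("constructed bytes match IOC:", matches_ioc(b"constructed sample, not the malware"))
```

On real data, feed the function your own flattened Sysmon or EDR events; the persistence signal is the one worth alerting on, and the temp archive simply raises confidence for a host that already tripped it.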

Date

Published: Nov. 4, 2024, 5:12 p.m.

Created: Nov. 4, 2024, 5:12 p.m.

Modified: Nov. 4, 2024, 9:32 p.m.

Indicators

d71f478b1d5b8e489f5daafda99ad203de356095278c216a421694517826b79a

Attack Patterns

Andariel keylogger

Andariel

T1573.001

T1059.003

T1115

T1547.001

T1012

T1497

T1056.001

T1082

T1057

T1083

T1055

T1140

T1027

T1112

Additional Information

United States of America