Recent Keylogger Attributed to North Korean Group Andariel

Nov. 4, 2024, 9:32 p.m.

Description

A new keylogger, attributed to the North Korean group Andariel (APT45), has been linked to targeted attacks against U.S. organizations. The malware captures keystrokes and mouse activity and stores the collected data in an encrypted archive. It employs anti-analysis techniques such as code obfuscation through junk code. The keylogger installs global Windows hooks to intercept keystroke and mouse events, modifies the registry for persistence, and creates a password-protected archive in the temp folder. It uses the SetWindowsHookEx API for keyboard and mouse event monitoring and the GetMessageW API for message queue handling. The malware also steals clipboard data and logs special key presses. Hybrid Analysis effectively identified the keylogger's capabilities, persistence mechanism, and log file creation, providing valuable insights for threat analysis.
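As an added illustration (not code from the report or from Hybrid Analysis), the following Python rule runs over constructed sandbox API-call lines and flags a process only when the behaviours described above co-occur: a global input hook via SetWindowsHookEx, a Run-key write, and an archive written under %TEMP%. The log format, the hook types WH_KEYBOARD_LL/WH_MOUSE_LL, the Run-key path and the archive name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sandbox lines (not real Hybrid Analysis output).
# pid 4120 shows the full chain; pid 5000 only installs a hook.
SAMPLE_LOG = r"""
pid=4120 api=SetWindowsHookExW args=idHook=WH_KEYBOARD_LL,dwThreadId=0
pid=4120 api=SetWindowsHookExW args=idHook=WH_MOUSE_LL,dwThreadId=0
pid=4120 api=GetMessageW args=hWnd=0
pid=4120 api=RegSetValueExW args=key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run,value=Updater
pid=4120 api=CreateFileW args=path=C:\Users\u\AppData\Local\Temp\log.zip
pid=5000 api=SetWindowsHookExW args=idHook=WH_KEYBOARD_LL,dwThreadId=0
pid=5000 api=GetMessageW args=hWnd=0
"""

LINE_RE = re.compile(r"pid=(\d+) api=(\w+) args=(.*)")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
TEMP_ARCHIVE_RE = re.compile(r"\\Temp\\[^,]+\.(zip|rar|7z)$", re.IGNORECASE)
# dwThreadId=0 makes a hook global (all threads on the desktop).
GLOBAL_HOOK_TYPES = {"WH_KEYBOARD_LL": "keyboard_hook", "WH_MOUSE_LL": "mouse_hook"}


def parse_args(raw):
    """'k1=v1,k2=v2' -> dict. Paths in this format contain no commas."""
    return dict(item.split("=", 1) for item in raw.split(",") if "=" in item)


def behaviours_by_pid(log_text):
    """Map each pid to the set of suspicious behaviour tags seen for it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, api, args = m.group(1), m.group(2), parse_args(m.group(3))
        if api.startswith("SetWindowsHookEx") and args.get("dwThreadId") == "0":
            tag = GLOBAL_HOOK_TYPES.get(args.get("idHook"))
            if tag:
                seen[pid].add(tag)
        elif api.startswith("RegSetValueEx") and RUN_KEY_RE.search(args.get("key", "")):
            seen[pid].add("run_key_persistence")
        elif api.startswith("CreateFile") and TEMP_ARCHIVE_RE.search(args.get("path", "")):
            seen[pid].add("temp_archive")
    return dict(seen)


def flagged_pids(log_text):
    """Require hook + persistence + temp archive. A global hook alone is common
    in legitimate software (IMEs, accessibility tools), so it is not enough."""
    hits = []
    for pid, tags in behaviours_by_pid(log_text).items():
        has_hook = "keyboard_hook" in tags or "mouse_hook" in tags
        if has_hook and "run_key_persistence" in tags and "temp_archive" in tags:
            hits.append(pid)
    return sorted(hits)
```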

Date

  • Created: Nov. 4, 2024, 5:12 p.m.
  • Published: Nov. 4, 2024, 5:12 p.m.
  • Modified: Nov. 4, 2024, 9:32 p.m.

Indicators

  • d71f478b1d5b8e489f5daafda99ad203de356095278c216a421694517826b79a

Attack Patterns

Additional Information

  • United States of America