Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger)

The Andariel group has been targeting South Korean software solutions, in particular asset management and document management systems, and its recent attacks end with the installation of the SmallTiger malware, usually after exploiting an outdated version of the targeted product. In the asset management cases the group deploys ModeLoader and SmallTiger, and in some incidents has replaced the solution's own update program so that the management server distributes the malware to the hosts it manages. The attackers also install keyloggers and enable RDP to keep a way back into the network. A newer vector targets a Korean document management solution running on outdated Apache Tomcat servers; there the attackers run system information queries, use Advanced Port Scanner for internal reconnaissance, and attempt to install web shells. Corporate security managers are advised to tighten monitoring of centralized management solutions, since a compromised update channel pushes malware to every managed host, to apply security patches promptly, and to keep the underlying servers (Tomcat included) up to date. Author: AlienVault
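The summary above recommends monitoring the management servers and gives file hashes and a hosting IP, but not how to use them. The script below is an added example, not code from the page or from AlienVault: it sweeps a directory tree (for instance a Tomcat webapps folder) for files whose MD5/SHA-1/SHA-256 digest matches one of the listed hashes, flags access-log requests to .jsp files that carry shell-style query parameters or come from the listed IP, and finds exact mentions of that IP in other logs. The sample files and log lines are constructed, the webapps layout is assumed, and the web-shell parameter names (cmd, command, exec) are a heuristic, not something the page states.

```python
# Added example, not code from the page or AlienVault. Sweeps a directory for the
# SmallTiger hash indicators listed on this page and checks Tomcat access-log lines.
# Sample files/logs are constructed; webapps layout and SHELL_PARAMS are assumptions.
import hashlib
import re
import tempfile
from pathlib import Path

# Hash indicators (SHA-256, SHA-1, MD5 by length) and the IP listed on this page.
PAGE_HASHES = {
    "d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb",
    "0ba35b0795f3ad125d4ba253c8593762028dba09",
    "3477a173e2c1005a81d042802ab0f22cc12a4d55",
    "3525a8a16ce8988885d435133b3e85d8",
    "b500a8ffd4907a1dfda985683f1de1df",
    "45ef2e621f4c530437e186914c7a9c62",
    "6a58b52b184715583cda792b56a0a1ed",
}
PAGE_IPS = {"45.61.148.153"}

def file_digests(path):
    """Read a file once and return its md5, sha1 and sha256 hex digests."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}

def sweep_tree(root, iocs=frozenset(PAGE_HASHES)):
    """Walk a directory (e.g. Tomcat's webapps) and return files whose hash is an IOC."""
    wanted = {i.lower() for i in iocs}
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            matched = set(file_digests(path).values()) & wanted
            if matched:
                hits.append((str(path), sorted(matched)))
    return hits

# Tomcat AccessLogValve common/combined prefix: %h %l %u %t "%r" %s %b
ACCESS_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
SHELL_PARAMS = {"cmd", "command", "exec"}  # heuristic (assumption): common JSP web-shell parameters

def suspicious_requests(lines, ioc_ips=frozenset(PAGE_IPS)):
    """Flag .jsp requests with shell-style parameters and any request from an indicator IP."""
    findings = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        url = m.group("url")
        path, _, query = url.partition("?")
        params = {kv.split("=", 1)[0].lower() for kv in query.split("&") if kv}
        reasons = []
        if path.lower().endswith(".jsp") and params & SHELL_PARAMS:
            reasons.append("jsp with shell-style parameter")
        if m.group("src") in ioc_ips:
            reasons.append("source is a listed indicator IP")
        if reasons:
            findings.append({"src": m.group("src"), "url": url, "reasons": reasons})
    return findings

def ioc_ip_mentions(lines, ioc_ips=frozenset(PAGE_IPS)):
    """Return log lines containing an indicator IP as a whole address (no extra digits around it)."""
    alts = "|".join(map(re.escape, sorted(ioc_ips)))
    pattern = re.compile(r"(?<![\d.])(?:" + alts + r")(?![\d.])")
    return [line for line in lines if pattern.search(line)]

SAMPLE_ACCESS_LOG = [  # constructed for this example
    '198.51.100.7 - - [01/Jan/2024:09:00:01 +0900] "GET /docs/index.jsp HTTP/1.1" 200 4120',
    '198.51.100.7 - - [01/Jan/2024:09:00:05 +0900] "POST /docs/upload.jsp?cmd=whoami HTTP/1.1" 200 61',
    '45.61.148.153 - - [01/Jan/2024:09:01:10 +0900] "GET /manager/html HTTP/1.1" 403 0',
]
SAMPLE_PROXY_LOG = [  # constructed; the second line is a different address and must not match
    "2024-01-01T09:02:00 10.0.0.21 -> 45.61.148.153:80 GET http://45.61.148.153/ 200",
    "2024-01-01T09:02:30 10.0.0.21 -> 145.61.148.153:443 CONNECT 200",
]

def demo():
    """Run all checks on constructed data and return the results."""
    with tempfile.TemporaryDirectory() as d:
        jsp = Path(d, "webapps", "docs", "upload.jsp")
        jsp.parent.mkdir(parents=True)
        jsp.write_bytes(b"<%-- constructed placeholder, not malware --%>")
        page_hits = sweep_tree(d)  # benign file: no hit against the page's hashes
        self_hits = sweep_tree(d, iocs={file_digests(jsp)["md5"]})  # self-check of the matching
    return {
        "page_ioc_hits": page_hits,
        "self_check_hits": len(self_hits),
        "suspicious_requests": suspicious_requests(SAMPLE_ACCESS_LOG),
        "ioc_ip_mentions": ioc_ip_mentions(SAMPLE_PROXY_LOG),
    }
```

Point sweep_tree at the real webapps directory (and at the asset management solution's update-file share, where the replaced update program would sit) and feed suspicious_requests the Tomcat access log; a hit on a listed hash is a confirmed indicator match, whereas the .jsp heuristic and the indicator-IP checks are leads that need triage, since the listed IP served payloads and will not necessarily appear as a client address.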

Related Tags:
document management
SmallTiger
T1542.003
ModeLoader
south korea
T1070.004
T1056.001
rdp
web shell

Associated Indicators (hash types inferred from digest length):
SHA-256: D0C1662CE239E4D288048C0E3324EC52962F6DDDA77DA0CB7AF9C1D9C2F1E2EB
SHA-1: 0BA35B0795F3AD125D4BA253C8593762028DBA09
SHA-1: 3477A173E2C1005A81D042802AB0F22CC12A4D55
MD5: 3525A8A16CE8988885D435133B3E85D8
MD5: B500A8FFD4907A1DFDA985683F1DE1DF
MD5: 45EF2E621F4C530437E186914C7A9C62
MD5: 6A58B52B184715583CDA792B56A0A1ED
URL: http://45.61.148.153/pizza.xn--jsp-to0a
IPv4: 45.61.148.153