Andariel Group Exploits Zero-day in ActiveX

Delaware, USA – June 1, 2018 – The Andariel Group is conducting a cyber-espionage campaign against South Korea. The group compromises legitimate websites by exploiting several vulnerabilities in ActiveX, including a new zero-day vulnerability, and injects exploit code into the hacked sites to infect all visitors with trojans. The zero-day vulnerability was found in Samsung SDS Acube, which is widely used by South Korean companies. Samsung has already released the necessary updates, so if you use Acube, install the latest updates. The Andariel group is a unit of the infamous Hidden Cobra (Lazarus) group, which is linked to the North Korean government.

In recent weeks, the activity of the Lazarus group has increased significantly. A few days ago, US-CERT reported two new malicious tools in the group's arsenal: Joanap and Brambul. Joanap is botnet malware that targets Windows-based systems and allows attackers to steal data, download and run malicious payloads, and use the infected system as a proxy for further operations. Brambul is an SMB worm that spreads by brute-forcing other hosts in the compromised network over the SMB protocol using a list of known passwords. The worm collects system information and credentials and sends them to the attackers, allowing them to gain unauthorized access to the infected hosts.
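The SMB brute-forcing behaviour described above leaves a recognisable trace in authentication logs: one host producing failed network logons against many neighbours in a short time. The following is an added detection example, not code from US-CERT or from the Threat Detection Marketplace rule; it assumes Windows Security events 4625/4624 exported as JSON lines with the field names used below, and the sample log is constructed.

```python
# Added example (not from the advisory): flag hosts whose failed network logons
# resemble Brambul-style SMB password guessing across many neighbours.
# Assumed input: Windows Security event 4625/4624 records as JSON lines with
# the fields used below. The sample log is constructed, not real telemetry.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 fails against 12 hosts within one minute,
# while 10.0.0.9 is a single mistyped password followed by a success.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2018-06-01T10:00:%02d" % i, "event_id": 4625, "logon_type": 3,
     "src_ip": "10.0.0.5", "dst_host": "WS%02d" % i, "user": "Administrator"}
    for i in range(1, 13)
] + [
    {"ts": "2018-06-01T10:00:30", "event_id": 4625, "logon_type": 3,
     "src_ip": "10.0.0.9", "dst_host": "FS01", "user": "jdoe"},
    {"ts": "2018-06-01T10:00:31", "event_id": 4624, "logon_type": 3,
     "src_ip": "10.0.0.9", "dst_host": "FS01", "user": "jdoe"},
])

def parse_events(raw):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]

def find_sprayers(events, window=timedelta(minutes=5), min_hosts=10):
    """Return {src_ip: distinct target hosts} for sources with failed network
    logons (4625, logon type 3, which SMB uses) against at least min_hosts
    different hosts inside any sliding time window."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 3:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["dst_host"]))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        in_window = defaultdict(int)  # dst_host -> failures inside the window
        lo = 0
        for ts, host in fails:
            in_window[host] += 1
            while fails[lo][0] < ts - window:  # drop events that aged out
                old = fails[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= min_hosts:
                hits.setdefault(src, set()).update(in_window)
    return hits
```

Tune `window` and `min_hosts` to the environment; vulnerability scanners and misconfigured service accounts are the usual benign sources of the same pattern and should be allow-listed rather than lowering the threshold.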

To detect the malicious activity of Lazarus group tools, you can use the Sigma rule “HIDDEN COBRA RAT/Worm” in the Threat Detection Marketplace. This rule is based on the indicators of compromise published by US-CERT.