# New Andariel Reconnaissance Tactics Hint At Next Targets

**[Posted on: July 16, 2018](https://blog.trendmicro.com/trendlabs-security-intelligence/2018/07/)** at 8:10 am **[Posted in: Bad Sites](https://blog.trendmicro.com/trendlabs-security-intelligence/category/bad-websites/)** **[Author: Joseph C Chen (Fraud Researcher)](https://blog.trendmicro.com/trendlabs-security-intelligence/author/josephcchen/)**

**_[In cooperation with IssueMakersLab of South Korea](http://www.issuemakerslab.com/)_**

Reconnaissance plays a vital role in criminal operations, and some groups go to great lengths to investigate their targets’ systems. A recent example is the Andariel Group, a known [branch of the notorious Lazarus Group](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations). Last month we tracked new scouting techniques coming from Andariel, which were used mainly against South Korean targets. Andariel has been quite active these past few months. According to South Korean security researchers IssueMakersLab, the group used an ActiveX zero-day exploit for watering hole attacks on South Korean websites last May—they called this “Operation GoldenAxe”.
But more recently, on June 21, we noticed that Andariel injected their script into four other compromised South Korean websites for reconnaissance purposes. We found that the code of the new injected script is similar to the sample Andariel previously used [...] strategy, to find the right targets for their exploit. Based on this, we believe it’s likely that the newly targeted ActiveX objects we found could be their next targets for a watering hole exploit attack. To help prevent any damage, we decided to publish our findings before the group deploys the attack.

_Figure 1. Watering hole reconnaissance flow_

**_Analysis of the Andariel techniques_**

We believe that the injected script came from the Andariel group since the code has similar obfuscation and structure to the sample we previously found from them.
The script was used to collect information from visitors’ browsers: browser type, system language, Flash Player version, Silverlight version, and multiple ActiveX objects. [The original script is from the PluginDetect Library](http://www.pinlady.net/PluginDetect/), and it was also used by exploit kits to verify victims before an attack. The verification process included sending the collected information to another compromised website that hosted their PHP program and was designed to receive the information.

_Figure 2. Compromised website injected with malicious script that collects information_

[Our colleagues from the IssueMakersLab team](https://twitter.com/issuemakerslab) shared insights and information about the Andariel group, including that they attacked ActiveX vulnerabilities as far back as 2007. The team monitoring Andariel found that the cybercriminal group injected a malicious script on a South Korean think tank website for reconnaissance in January 2017 and then switched to injecting an ActiveX zero-day exploit in mid-April. [IssueMakersLab also listed the ActiveX objects that the Andariel group attacked](https://twitter.com/issuemakerslab/status/1001379628362039296). During analysis, we noticed that the new injected script was trying to detect two additional ActiveX objects that were not on the previous list.
One is “DSDOWNCTRL.DSDownCtrlCtrl.1”, which is related to DRM (Digital Rights Management) software from a South Korean document protection security vendor. Another is “WSACTIVEBRIDGEAX.WSActiveBridgeAXCtrl.1”, which is related to a [...] and this more recent case.

|Parameter (old script, May 2018)|Meaning|Parameter (new script, June 2018)|Meaning|
|---|---|---|---|
|w|Website name|w|Website name|
|r|value|r|value|
|o|OS version|o|OS version|
|lv|HTTP Accept-Language|lv|HTTP Accept-Language|
|bt|Browser Information|bt|Browser Information|
|bv|Browser Information|bv|Browser Information|
|bdv|Browser Information|bdv|Browser Information|
|fv|Flash Version|fv|Flash Version|
|silv|Silverlight Version|silv|Silverlight Version|
|ez|EasyPayPlugin ActiveX Availability|ez|EasyPayPlugin ActiveX Availability|
|ac|ACUBEFILECTRL ActiveX Availability\*|–|–|
|–|–|mg|MagicLoaderX ActiveX Availability|
|si|SIClientAccess ActiveX Availability|si|SIClientAccess ActiveX Availability|
|du|DUZONERPSSO ActiveX Availability|du|DUZONERPSSO ActiveX Availability|
|iw|INIWALLET61 ActiveX Availability|–|–|
|–|–|ad|admctrl ActiveX Availability|
|–|–|dw|DSDownCtril ActiveX Availability\*\*|
|–|–|ab|WSActiveBridgeAX ActiveX Availability\*\*\*|
|–|–|ve|Voice Conversion Software “WSActiveBridge” WebSocket Availability\*\*\*\*|

\* detection of the previous ActiveX zero-day object
\*\* detection of the ActiveX object related to DRM software (one of the new targets)
\*\*\* detection of the ActiveX object related to voice conversion software (one of the new targets)
\*\*\*\* detection of the WebSocket related to voice conversion software (one of the new targets)

_Table 1. Comparison of the information collected by the previous and new script_

Besides the ActiveX objects, we noticed that the script added new code to connect a websocket to localhost. The voice conversion software has a websocket service listening on the local host, so the injected script can detect the software by checking whether it can establish a connection to ports 45461 and 45462, which the software uses. In addition, the verification process in the older script is different from the ActiveX detection, which [...] ActiveX.

_Figure 3. Script (deobfuscated) for detecting the voice conversion software ActiveX object and local websocket availability_

_Figure 4. The voice conversion software (WSActiveBridge.exe) is listening on ports 45461 and 45462_

Reconnaissance is the stage where attackers collect information from potential targets to help them determine what tactics will work. These new developments from the Andariel group give us an idea of their plans, although we cannot make specific assumptions about their strategy. To stay one step ahead of threats like this, we recommend that people use layered security protection in their environments.
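As an added defender-side example (not code from the original post or from Trend Micro), the following Python script scans proxy log lines for beacon requests carrying the parameter names listed in Table 1 and separates the May 2018 variant from the June 2018 variant by its new probes (mg, ad, dw, ab, ve). It assumes the collected information travels as URL query parameters (the post only says it is sent to a PHP receiver), uses constructed log lines with placeholder hostnames, and treats the eight-parameter threshold as a tuning value, not a figure from the post.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names from Table 1. Assumption: the script sends them as URL query
# parameters; the post only says they are sent to a PHP receiver.
OLD_SCRIPT_PARAMS = {"w", "r", "o", "lv", "bt", "bv", "bdv", "fv", "silv",
                     "ez", "ac", "si", "du", "iw"}
NEW_ONLY_PARAMS = {"mg", "ad", "dw", "ab", "ve"}   # probes added in June 2018
KNOWN_PARAMS = OLD_SCRIPT_PARAMS | NEW_ONLY_PARAMS

# Constructed proxy log lines ("<client> <method> <url>"); hosts are placeholders.
SAMPLE_LOG = """\
10.0.0.5 GET http://receiver.example/editor/image.php?w=site.example&r=0.42&o=Windows%207&lv=ko-KR&bt=MSIE&bv=11&bdv=11.0&fv=29.0.0&silv=5.1&ez=1&mg=0&si=1&du=0&ad=1&dw=1&ab=1&ve=1
10.0.0.7 GET http://receiver.example/board/image.php?w=site.example&r=0.13&o=Windows%2010&lv=ko-KR&bt=Chrome&bv=67&bdv=67.0&fv=0&silv=0&ez=0&ac=0&si=0&du=0&iw=0
10.0.0.9 GET http://shop.example/list.php?w=10&r=2&o=asc
10.0.0.9 GET http://shop.example/index.html
"""

def classify_request(url, min_hits=8):
    """Return a finding dict when the query string matches the recon beacon
    parameter set, else None. The 8-name threshold is an assumed tuning value;
    short names like w/r/o are common, so a single match proves nothing."""
    parts = urlsplit(url)
    params = set(parse_qs(parts.query, keep_blank_values=True))
    hits = params & KNOWN_PARAMS
    if len(hits) < min_hits:
        return None
    new_probes = sorted(params & NEW_ONLY_PARAMS)
    return {
        "host": parts.hostname,
        "path": parts.path,
        "hits": len(hits),
        "variant": "june-2018-style" if new_probes else "may-2018-style",
        "new_target_probes": new_probes,   # ad/dw/ab/ve point at the new targets
    }

def scan_log(text):
    """Run classify_request over every log line; returns findings in log order."""
    findings = []
    for line in text.splitlines():
        fields = line.split(" ", 2)
        if len(fields) != 3:
            continue           # skip malformed lines instead of raising
        client, _method, url = fields
        finding = classify_request(url)
        if finding:
            finding["client"] = client
            findings.append(finding)
    return findings
```

A hit on the new probes (ad, dw, ab, ve) is the signal worth escalating, since it means the visitor's machine was checked for the two newly targeted products.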
Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and [Worry-Free™ Business Security](https://www.trendmicro.com/us/small-business/product-security/) can protect users and businesses from similar threats by detecting malicious files and spammed messages as well as blocking all related [...] against advanced malware.

**_Indicators of Compromise (IoC)_**

|IoCs|Description|
|---|---|
|cfcd391eec9fca663afd9a4a152e62af665e8f695a16537e061e924a3b63c3b9|Injected Script in May 2018|
|e0e30eb5e5ff1e71548c4405d04ce16b94c4cb7f8c2ed9bd75933cea53533114|Injected Script in June 2018|
|67a1312768c4ca3379181c0fcc1143460efcb4bff7a4774c9c775043964c0878|Injected Script in 17 July 2018|
|hxxp://aega[.]co[.]kr/mall/skin/skin.php|Compromised site (received information May 2018)|
|hxxp://www[.]peaceind[.]co[.]kr/board/icon/image.php|Compromised site (received information May 2018)|
|hxxp://adfamc[.]com/editor/sorak/image.php|Compromised site (received information June 2018)|
|hxxp://adfamc[.]com/editor/sorak/skin.php|Compromised site (received information 17 July 2018)|

**_Updated June 18 2018 10:05AM_** Added new IoC information from IssueMakersLab’s July investigation

Tags: [Targeted Attack](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/targeted-attack/)