New Andariel Reconnaissance Tactics Uncovered
By Joseph C Chen ( words)
Published: 2018-07-16 · Archived: 2026-04-06 01:07:22 UTC
Updated June 18, 2018, 10:05 AM to add new IoC information from IssueMakersLab's July investigation. We
updated it again at 4:30 PM to add a link to IssueMakersLab's website and to add new IoC information. This
research is done in cooperation with IssueMakersLab of South Korea.
Reconnaissance plays a vital role in criminal operations, and some groups go to great lengths to investigate their
targets' systems. A recent example is the Andariel Group, a known branch of the notorious Lazarus Group.open on
a new tab Last month we tracked new scouting techniques coming from Andariel, which were used mainly against
South Korean targets.
Andariel has been quite active these past few months. According to South Korean security researchers
IssueMakersLab, the group used an ActiveX zero-day exploit for watering hole attacksopen on a new tab on South
Korean websites last May—they called this “Operation GoldenAxe”. But more recently on June 21, we noticed
that Andariel injected their script into four other compromised South Korean websites for reconnaissance
purposes.
We found that the code of the new injected script is similar to the sample Andariel previously used in Mayopen on
a new tab. However, the new script was trying to collect different ActiveX object information and targeted objects
that it wasn’t attacking before.
In the earlier case, the group collected targeted ActiveX objects on users’ Internet Explorer browser before they
used the zero-day exploit. This was possibly part of their reconnaissance strategy, to find the right targets for their
exploit. Based on this, we believe it's likely that the new targeted ActiveX objects we found could be their next
targets for a watering hole exploit attack. To help prevent any damage, we decided to publish our findings before
the group deploys the attack.
https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html
Page 1 of 6

Figure 1. Watering hole reconnaissance flow
Analysis of the Andariel techniques
On June 21, we found that the website of a Korean non-profit organization was compromised with an injected
script that collected visitors’ information. We also found the same script on three South Korean local government
labor union websites. This reconnaissance lasted until 27 June. We already notified the websites about the
compromise.
We believe that the injected script came from the Andariel group since the code has similar obfuscation and
structure to the sample we previously found from them. The script was used to collect information from visitors’
browser: browser type, system language, Flash Player version, Silverlight version, and multiple ActiveX objects.
https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html
Page 2 of 6

The original script is from the PluginDetect Libraryopen on a new tab, and it was also used by exploit kitsopen on
a new tab to verify victims before an attack. The verification process included sending collected information to
another compromised website that hosted their PHP program and was designed to receive the information.
Figure 2. Compromised website injected with malicious script that collects information
Our colleagues from the IssueMakersLabopen on a new tab team shared insights and information about the
Andariel group, including that they attacked ActiveX vulnerabilities as far back as 2007. The team monitoring
Andariel found that the cybercriminal group injected a malicious script on a South Korean think tank website for
reconnaissanceopen on a new tab in January 2017 and then switched to inject an ActiveX zero-day exploit in mid-April. IssueMakersLab also listed the ActiveX objectsopen on a new tab that the Andariel group attacked.
During analysis, we noticed that the new injected script was trying to detect two additional ActiveX objects that
were not on the previous list. One is “DSDOWNCTRL.DSDownCtrlCtrl.1”, which is related to a DRM (Digital
Rights Management) software from a South Korean Document Protection Security vendor. Another is
“WSACTIVEBRIDGEAX.WSActiveBridgeAXCtrl.1”, which is related to a South Korea-based voice conversion
software company. Many local governments and public institutions use these software.
We made a table to compare the information that the script samples collected in the previous case and this more
recent case.
 
Collected Information from Old
Script Sample (May 2018)
 
Collected Information from New
Script Sample (June 2018)
Parameter Meaning Parameter Meaning
w Website name w Website name
r <?=$referer?> value r <?=$referer?> value
o OS version o OS version
lv HTTP Accept-Language lv HTTP Accept-Language
https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html
Page 3 of 6

bt Browser Information bt Browser Information
bv Browser Information bv Browser Information
bdv Browser Information bdv Browser Information
fv Flash Version fv Flash Version
silv Silverlight Version silv Silverlight Version
ez
EasyPayPlugin ActiveX
Availability
ez EasyPayPlugin ActiveX Availability
ac
ACUBEFILECTRL ActiveX
Availability*
- -
- - mg MagicLoaderX ActiveX Availability
- - nv NVersionMan ActiveX Availability
si
SIClientAccess ActiveX
Availability
si SIClientAccess ActiveX Availability
du
DUZONERPSSO ActiveX
Availability
du DUZONERPSSO ActiveX Availability
iw
INIWALLET61 ActiveX
Availability
- -
 -  - ad admctrl ActiveX Availability
 -  - dw DSDownCtril ActiveX Availability**
 -  - ab
WSActiveBridgeAX ActiveX
Availability***
 -  - ve
Voice Conversion Software
“WSActiveBridge” WebSocket
Availability****
* detection of the previous ActiveX zero-day object
** detection of the ActiveX object related to DRM software (one of the new targets)
*** detection of the ActiveX object related to voice conversion software (one of the new targets)
**** detection of the WebSocket related to voice conversion software (one of the new targets)
Table 1. Comparison of the information collected by the previous and new script
https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html
Page 4 of 6

Besides the ActiveX objects, we noticed that the script added new code to connect websocket to localhost. The
voice conversion software has websocket service listening on the local host so the injected script can detect the
software by checking if they can establish a connection to ports 45461 and 45462, which the software uses.
In addition, the verification process in the older script is different from the ActiveX detection, which was only for
the Internet Explorer browser. In the script found in June, the websocket verification could also be performed on
other browsers like Chrome and Firefox. This shows that the attacker has expanded his target base, and is
interested in the software itself and not just their ActiveX objects. Based on this change, we can expect them to
start using attack vectors other than ActiveX.
Figure 3. Script (Deobfuscated) for detecting the voice conversion software ActiveX object and local websocket
availability
Figure 4. The voice conversion software (WSActiveBridge.exe) is listening on port 45461 and 45462
Reconnaissance is the stage where attackers collect information from potential targets to help them determine
what tactics will work. These new developments from the Andariel group give us an idea of their plans, although
we cannot make specific assumptions about their strategy.
To stay one step ahead of threats like this, we recommend that people use layered security protection in their
environments. Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suitesproducts and
Worry-Free™ Business Securityworry free services suites can protect users and businesses from similar threats by
detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro
https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html
Page 5 of 6

Deep Discovery™products has an email inspection layer that can protect enterprises by detecting malicious
attachment and URLs.
Trend Micro™ OfficeScan™products with XGen™ endpoint security infuses high-fidelity machine learning with
other detection technologies and global threat intelligence for comprehensive protection against advanced
malware.
Indicators of Compromise (IoC)
IoCs Description
cfcd391eec9fca663afd9a4a152e62af665e8f695a16537e061e924a3b63c3b9 Injected Script in May 2018
e0e30eb5e5ff1e71548c4405d04ce16b94c4cb7f8c2ed9bd75933cea53533114 Injected Script in June 2018
67a1312768c4ca3379181c0fcc1143460efcb4bff7a4774c9c775043964c0878
Injected Script in 17 July
2018
hxxp://aega[.]co[.]kr/mall/skin/skin.php
Compromised site (received
information May 2018)
hxxp://www[.]peaceind[.]co[.]kr/board/icon/image.php
Compromised site (received
information May 2018)
hxxp://alphap1[.]com/hdd/images/image.php
Compromised site (received
information May 2018)
hxxp://adfamc[.]com/editor/sorak/image.php
Compromised site (received
information June 2018)
hxxp://adfamc[.[com/editor/sorak/skin.php
Compromised site (received
information 17 July 2018)
Source: https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html
https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html
Page 6 of 6