Author: Kay Kwak (Kyoung-Ju Kwak)
This report was originally published in 2017 when I worked for FSI (Financial Security Institute) in South Korea. Despite the passage of time, there was a constant request for an English version, so I translated this report with my S2W LAB colleagues (Hyunmin Suh, hypen, JAEKI KIM) and the oldest son (Hyojun Suh) of the CEO.
Frankly, I also found the English version of this report which was done by Group-IB in 2018. They obviously gave it to me at that time but I don’t clearly remember that how I could get this.
Anyway, special thanks to Group-IB.
It has been a long time since this report was published, but Andariel Group is still using some of the patterns presented in this report. We observed the activity of Andariel this year. It seems they resumed the attack.
I will continuously post more about Andariel’s features which I found after this report was published such as Charon RAT and some vulnerabilities Andariel used in 2021.
We hope this English version of Andariel report helps many people.
Andariel-related content was also presented at several conferences such as Blackhat Asia, Blackhat Europe, and Kaspersky SAS.
Campaign Rifle: Andariel, The Maiden of Anguish
https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/, Seongsu Park, Kaspersky GReAT
Campaign Rifle: Andariel, The Maiden of Anguish was originally published in S2W LAB BLOG on Medium, where people are continuing the conversation by highlighting and responding to this story.
Article Link: Campaign Rifle: Andariel, The Maiden of Anguish | by S2W LAB | S2W LAB BLOG | Jul, 2021 | Medium