Campaign Rifle: Andariel, The Maiden of Anguish
Author: Kay Kwak (Kyoung-Ju Kwak)
Currently, the report is not available. FSI (Financial Security Institute) would like to add more to it, and it will be published officially on FSI's website. The report will be much prettier than before. Coming soon! :)
This report was originally published in 2017, when I worked for FSI (Financial Security Institute) in South Korea, and the copyright of this report belongs to FSI. Despite the passage of time, there were constant requests for an English version, so I translated this report with my S2W LAB colleagues (Hyunmin Suh, hypen, JAEKI KIM), the CEO's oldest son (Hyojun Suh), and FSI.
This English version of the report will be published on the FSI (Financial Security Institute) website soon. We (FSI and I) are working on it together.
Frankly, I also found an English version of this report that was done by Group-IB in 2018. They obviously gave it to me at that time, but I don't clearly remember how I got it.
Anyway, special thanks to Group-IB.
It has been a long time since this report was published, but the Andariel Group is still using some of the patterns presented in it. We observed Andariel activity this year; it seems they have resumed their attacks.
I will continue to post more about Andariel's features that I found after this report was published, such as Charon RAT and some vulnerabilities Andariel used in 2021.
We hope this English version of the Andariel report helps many people.
Report Download (redirect to fsec.or.kr)