A North Korean cyber-espionage group has exploited an ActiveX zero-day to infect South Korean targets with malware and steal data from the compromised systems, local media and security researchers have reported.
The perpetrators of these attacks are known as the Andariel Group. According to a report authored by South Korean cyber-security firm AhnLab, the Andariel Group is a smaller unit of the larger and better-known Lazarus Group, North Korea's cyber-espionage apparatus, believed to be a unit of its military.
Attacks started last month
The recent wave of attacks began last month. Local media report that Andariel hackers exploited at least nine separate ActiveX vulnerabilities in these attacks, including a new zero-day.
The group's preferred delivery method is the watering-hole attack: compromising legitimate websites, planting exploit code on them, and infecting every incoming visitor until a high-value target is compromised. Because ActiveX controls load only in Internet Explorer, it is visitors browsing with that browser who are exposed to these exploits.
Andariel attackers usually deploy a backdoor trojan on infected hosts, which they then use to search the system and gather information.
"The zero-day vulnerability has been found in these attacks," a government official from the Korea Internet & Security Agency (KISA) told local media [translated quote].
North Korean hackers, and particularly the Andariel Group, have a history of using ActiveX vulnerabilities, according to both local media and Simon Choi, a South Korean security researcher and founder of the Cyber Warfare Intelligence Center.