
New Developments in Cybersecurity Landscape: SocGholish, Chaes, and Andariel Malware Campaigns

One sentence summary – The article provides an overview of the SocGholish, Chaes, and Andariel malware campaigns, highlighting their capabilities, distribution methods, targets, and potential implications, emphasizing the need for organizations and individuals to strengthen their defenses against these threats.

At a glance

  • SocGholish is a JavaScript-based downloader malware used alongside the malware loader BLISTER for malicious activities.
  • BLISTER is embedded within a legitimate VLC Media Player library and distributes Cobalt Strike and BitRAT payloads.
  • Chaes is a malware variant that primarily targets e-commerce customers in Latin America, aiming to steal sensitive financial information.
  • Chaes utilizes Windows Management Instrumentation (WMI) and is delivered through prompts to download installers for Java Runtime or antivirus solutions.
  • Andariel, a North Korean threat actor, has been actively using various malicious tools in cyber attacks targeting organizations in South Korea since at least 2008.

The details

Several new developments in the cybersecurity landscape have revealed significant threats posed by different malware variants.

This article provides a comprehensive overview of the SocGholish, Chaes, and Andariel malware campaigns.

It highlights their capabilities, distribution methods, targets, and potential implications.

SocGholish

SocGholish is a JavaScript-based downloader malware utilized alongside the malware loader BLISTER for malicious activities.

The updated version of BLISTER, discovered in December 2021, incorporates a keying feature for precise targeting and evading detection in virtual machine/sandbox environments.

BLISTER, embedded within a legitimate VLC Media Player library, bypasses security software effectively.

BLISTER’s primary function is to distribute Cobalt Strike and BitRAT payloads.

Multiple campaigns have employed SocGholish and BLISTER together, including the distribution of Cobalt Strike and LockBit ransomware.

BLISTER is actively maintained and used to load various types of malware, such as clipbankers, information stealers, trojans, ransomware, and shellcode.

Chaes

Chaes, a malware variant, has undergone significant improvements, making it harder to detect using traditional defense systems.

This variant primarily targets e-commerce customers in Latin America, with a focus on Brazil, aiming to steal sensitive financial information.

“Lucifer,” the threat actor behind Chaes, breached over 800 WordPress websites to deliver the malware to users across various platforms.

Chaes utilizes Windows Management Instrumentation (WMI) in its infection chain to collect system metadata.

The latest version, Chae$ 4, features expanded services for credential theft and clipper functionalities.

The malware is typically delivered through prompts to download installers for Java Runtime or antivirus solutions.

The primary orchestrator module, ChaesCore, establishes communication with the command-and-control (C2) server to fetch additional modules.

Persistence on the host is achieved through a scheduled task, while C2 communications utilize WebSockets.

Chaes now targets cryptocurrency transfers and instant payments via Brazil’s PIX platform.

The Chronod module modifies shortcut files associated with web browsers to execute the malware instead of the actual browser, leveraging Google’s DevTools Protocol for communication.
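The Chronod behaviour described above, rewriting browser shortcuts so that the shortcut launches the malware and the real browser is then driven through the DevTools Protocol, is something a defender can audit directly on endpoints. The Python script below is an added example, not code from the article or from the researchers it summarises. It implements just enough of the Windows Shell Link (.lnk) binary format to recover a shortcut's target path and command-line arguments, then flags shortcuts whose target lies outside the expected browser install directories or whose arguments enable remote debugging or extension side-loading. The directory list and the specific Chromium switches checked are assumptions for illustration (the article does not say which switches Chaes uses), and the sample shortcuts are constructed inside the script so it runs offline.

```python
"""Audit Windows browser shortcut (.lnk) files for tampering of the kind described
for the Chaes Chronod module: target redirected away from the real browser and/or
the browser launched with remote-debugging switches.

Added example; not code from the article or the cited research. The expected
install directories and the argument markers are assumptions. Implements only the
parts of MS-SHLLINK needed for LinkInfo.LocalBasePath and StringData.arguments."""
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields in the order they appear in the file
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Assumed "known good" browser install locations; adjust per environment.
EXPECTED_BROWSER_DIRS = (
    "C:\\Program Files\\Google\\Chrome\\Application\\",
    "C:\\Program Files (x86)\\Google\\Chrome\\Application\\",
    "C:\\Program Files\\Mozilla Firefox\\",
    "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\",
)
# Chromium switches that expose the DevTools Protocol or side-load code.
# Assumed indicators; the article does not state which switches Chaes uses.
REMOTE_DEBUG_MARKERS = ("--remote-debugging-port", "--remote-debugging-pipe", "--load-extension")


def parse_lnk(data: bytes) -> dict:
    """Return {'target': str|None, 'arguments': str, ...} parsed from raw .lnk bytes."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList entirely
        id_list_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    target = None
    if flags & HAS_LINK_INFO:
        # LinkInfo header: Size, HeaderSize, Flags, VolumeIDOffset,
        # LocalBasePathOffset, CommonNetworkRelativeLinkOffset, CommonPathSuffixOffset
        info_size, _hdr, info_flags, _vol, base_off, _cnrl, _suffix = struct.unpack_from("<7I", data, pos)
        if info_flags & 0x1:                     # VolumeIDAndLocalBasePath present
            start = pos + base_off
            target = data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += info_size
    result = {"target": target, "arguments": ""}
    for field, flag in STRING_FIELDS:            # CountCharacters then the string itself
        if flags & flag:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            if flags & IS_UNICODE:
                result[field] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                result[field] = data[pos:pos + count].decode("cp1252")
                pos += count
    return result


def audit_shortcut(data: bytes) -> list:
    """Return human-readable findings; an empty list means the shortcut looks benign."""
    info = parse_lnk(data)
    findings = []
    target = (info["target"] or "").lower()
    if not target.startswith(tuple(d.lower() for d in EXPECTED_BROWSER_DIRS)):
        findings.append(f"target outside expected browser directories: {info['target']!r}")
    args = info["arguments"].lower()
    for marker in REMOTE_DEBUG_MARKERS:
        if marker in args:
            findings.append(f"remote-debugging/side-load switch in arguments: {marker}")
    return findings


def build_lnk(target: str, arguments: str = "") -> bytes:
    """Construct a minimal .lnk (test fixture only; real shortcuts carry more fields)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # attributes, timestamps etc. zeroed
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    base_path = target.encode("cp1252") + b"\x00"
    hdr = 0x1C
    vol_off = hdr
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    info_size = suffix_off + 1                               # trailing empty CommonPathSuffix
    link_info = struct.pack("<7I", info_size, hdr, 0x1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base_path + b"\x00"
    string_data = b""
    if arguments:
        string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + string_data


if __name__ == "__main__":
    # Constructed samples: a genuine Chrome shortcut and a redirected one.
    samples = (("genuine", build_lnk("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")),
               ("tampered", build_lnk("C:\\Users\\Public\\update\\launcher.exe",
                                      "--remote-debugging-port=9222")))
    for label, blob in samples:
        print(label, audit_shortcut(blob) or "OK")
```

In practice you would feed `audit_shortcut` the bytes of every `.lnk` under the Desktop, Start Menu and taskbar pinned-items folders and alert on any non-empty result; a shortcut whose target is a user-writable path, or whose arguments open a DevTools port, matches the pattern the article attributes to Chronod.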

Andariel

Andariel, a North Korean threat actor, has been actively using various malicious tools in cyber attacks targeting organizations in South Korea since at least 2008.

Andariel, a sub-cluster of the Lazarus Group, focuses on financial institutions, defense contractors, government agencies, universities, cybersecurity vendors, and energy companies.

Initial infection vectors employed by Andariel include spear-phishing, watering holes, and supply chain attacks.

Andariel utilizes a range of malware families, including Gh0st RAT, DTrack, YamaBot, NukeSped, Rifdoor, Phandoor, Andarat, Andaratm, TigerRAT, MagicRAT, EarlyRAT, and QuiteRAT.

Exploitation of security flaws in Innorix Agent has enabled Andariel to distribute backdoors such as Volgmer and Andardoor, as well as a Golang-based reverse shell called 1th Troy.

Other malware used by Andariel includes Goat RAT, delivered via Innorix Agent exploitation, and AndarLoader, installed through DurianBeacon.

While initially targeting national security information, Andariel now conducts attacks primarily for financial gains.

North Korean actors have also been implicated in campaigns targeting open-source repositories to poison the software supply chain.

These recent developments in the cybersecurity landscape highlight the growing sophistication and diverse tactics employed by threat actors.

Understanding the intricacies of the SocGholish, Chaes, and Andariel campaigns is essential for organizations and individuals to bolster their defenses and mitigate potential risks.

Article X-ray

This section links each of the article’s facts back to its original source.

thehackernews.com
– An updated version of the malware loader BLISTER is being used in SocGholish infection chains.
– The updated version includes a keying feature for precise targeting and lower exposure in VM/sandbox environments.
– BLISTER was first discovered in December 2021 distributing Cobalt Strike and BitRAT payloads.
– SocGholish, a JavaScript-based downloader malware, is used alongside BLISTER to deliver the open-source command-and-control framework Mythic.
– BLISTER is embedded within a legitimate VLC Media Player library to bypass security software.
– SocGholish and BLISTER have been used together in multiple campaigns, including the distribution of Cobalt Strike and LockBit ransomware.
– BLISTER is actively maintained and used to load various types of malware, including clipbankers, information stealers, trojans, ransomware, and shellcode.

thehackernews.com
– A variant of the malware called Chaes has undergone major overhauls, making it harder to detect by traditional defense systems.
– Chaes targets e-commerce customers in Latin America, particularly Brazil, to steal sensitive financial information.
– The threat actors behind Chaes, known as Lucifer, breached over 800 WordPress websites to deliver the malware to users of various platforms.
– The malware uses Windows Management Instrumentation (WMI) in its infection chain to collect system metadata.
– The latest version of Chaes, called Chae$ 4, includes expanded services for credential theft and clipper functionalities.
– The delivery mechanism of the malware remains the same, with potential victims being prompted to download an installer for Java Runtime or an antivirus solution.
– The primary orchestrator module, ChaesCore, establishes a communication channel with the command-and-control (C2) server to fetch additional modules.
– Persistence on the host is achieved through a scheduled task, and C2 communications use WebSockets.
– The malware now targets cryptocurrency transfers and instant payments via Brazil’s PIX platform.
– The Chronod module alters shortcut files associated with web browsers to execute the malware instead of the actual browser.
– The malware uses Google’s DevTools Protocol to communicate with the browser and perform various actions.

thehackernews.com
– Andariel, a North Korean threat actor, has been using various malicious tools in cyber attacks against organizations in South Korea.
– The attacks in 2023 have shown the use of malware strains developed in the Go language.
– Andariel is a sub-cluster of the Lazarus Group and has been active since at least 2008.
– The group targets financial institutions, defense contractors, government agencies, universities, cybersecurity vendors, and energy companies.
– Initial infection vectors used by Andariel include spear-phishing, watering holes, and supply chain attacks.
– Malware families employed by Andariel include Gh0st RAT, DTrack, YamaBot, NukeSped, Rifdoor, Phandoor, Andarat, Andaratm, TigerRAT, MagicRAT, EarlyRAT, and QuiteRAT.
– Andariel has exploited security flaws in Innorix Agent to distribute backdoors such as Volgmer and Andardoor, as well as a Golang-based reverse shell called 1th Troy.
– Other malicious software used by Andariel includes Goat RAT, delivered after exploiting Innorix Agent, and AndarLoader, installed through DurianBeacon.
– Andariel initially targeted national security information but now carries out attacks for financial gains.
– North Korean actors have also been implicated in campaigns targeting open-source repositories to poison the software supply chain.
