Distribution of Malware Exploiting Vulnerable Innorix: Andariel

The ASEC (AhnLab Security Emergency response Center) analysis team has discovered malware being distributed to users running vulnerable versions of Innorix Agent. The collected sample is a backdoor that attempts to connect to a C&C server.

Figure 1. Vulnerability security update notice from Korea Internet & Security Agency[1]

The exploited Innorix Agent is the client component of a file transfer solution. Details of the vulnerability were published by the Korea Internet & Security Agency (KISA)[1], which lists the INNORIX Agent versions requiring the security update as 9.2.18.450 and the earlier 9.2.18.418.

Figure 2. Detection log from ASD infrastructure

The detected backdoor attempts to connect to a C&C server. Its main capabilities are collecting host information and sending it to the C&C server, capturing screenshots, creating files, and executing files.

Figure 3. Detection report from ASD infrastructure

The backdoor has been found in two forms. The sample found initially was confirmed to be written in C/C++, while the recently detected sample was built with .NET; there is no difference in functionality between the two. Some detection reports show that it attempted to disguise itself by using the name AhnLab when registering itself in the Task Scheduler.

Figure 4. Encoding and decoding routines

The backdoor runs received data through the routine shown in Figure 4 before using it, and applies the same routine to the data it sends. AhnLab classifies this malware as Andardoor; encoding C&C traffic through this routine, which evades simple packet-level monitoring, is one of the family's characteristic traits. The key value is 74615104773254458995125212023273, the same XOR key value given in the CISA report [2] published in 2016.
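The practical consequence of a fixed XOR key is that anyone who knows it, or who can guess a few dozen bytes of plaintext, can decode the captured traffic. The code below is an added example, not ASEC's or the malware's routine: it applies the key quoted above as a repeating-key XOR (the exact byte order and key handling of the routine in Figure 4 are not reproduced and are an assumption here), shows that the same function encodes and decodes, and recovers the key from a single known-plaintext beacon. The beacon contents are constructed for the example.

```python
# Key quoted in the post: 32 ASCII digits. Treating it as a repeating byte key
# is an assumption; the original routine's exact key handling is not shown here.
KEY = b"74615104773254458995125212023273"

# Constructed stand-in for a host-information beacon; not a real protocol message.
SAMPLE_BEACON = b"HOST=WS-07;USER=jdoe;OS=Windows 10 Pro;ARCH=x64;PID=4120"

def xor_codec(data: bytes, key: bytes = KEY) -> bytes:
    """XOR each byte with the key byte at the same offset modulo the key length.
    XOR is its own inverse, so one function both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def xor_roundtrip_ok(sample: bytes) -> bool:
    """Encoding then decoding must return the original bytes."""
    return xor_codec(xor_codec(sample)) == sample

def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int = len(KEY)) -> bytes:
    """Known-plaintext attack on a repeating-key XOR: ciphertext XOR plaintext
    yields the keystream, and key_len bytes of keystream is the whole key."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of aligned known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace; a cheap test
    for whether a candidate decoding produced text-like output."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def try_decode(captured: bytes, key: bytes = KEY, threshold: float = 0.9) -> bytes:
    """Decode a captured payload with the known key; return the plaintext only
    if it looks like text, so a wrong key is not mistaken for a hit."""
    candidate = xor_codec(captured, key)
    return candidate if printable_ratio(candidate) >= threshold else b""

if __name__ == "__main__":
    wire = xor_codec(SAMPLE_BEACON)
    print("encoded bytes look like text:", printable_ratio(wire))
    print("recovered key:", recover_key(wire, SAMPLE_BEACON).decode())
    print("decoded:", try_decode(wire).decode())
```

Because the routine is symmetric and the key is static, the same function serves both a sandbox that wants to read the backdoor's outbound beacon and a network sensor that wants to decode inbound commands; a single known host-information message is enough to recover the key even without the binary.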

Companies and individual users are advised to be particularly cautious, as this malware has recently been distributed by exploiting a software vulnerability. Software still at a vulnerable version must be managed so that it is only used after being updated.

[File Detection]

  • Backdoor/Win.Andardoor.R558252
  • Backdoor/Win.Andardoor.C5381120
  • Backdoor/Win.Andardoor.C5382662
  • Backdoor/Win.Andardoor.C5382103
  • Backdoor/Win.Andardoor.C5382101

[References]

[1] Security Vulnerability Information Portal (krcert.or.kr)

[2] CISA Analysis Report 

MD5

0211a3160cc5871cbcd4e5514449162b
0a09b7f2317b3d5f057180be6b6d0755
1ffccc23fef2964e9b1747098c19d956
9112efb49cae021abebd3e9a564e6ca4
ac0ada011f1544aa3a1cf27a26f2e288

FQDN

krcert[.]or[.]kr

IP

109[.]248[.]150[.]179
139[.]177[.]190[.]243
27[.]102[.]107[.]224
27[.]102[.]113[.]88
4[.]246[.]144[.]112