Distribution of Malware Exploiting Vulnerable Innorix: Andariel

The ASEC (AhnLab Security Emergency response Center) analysis team has discovered malware being distributed to users running vulnerable versions of Innorix Agent. The collected malware is a backdoor that attempts to connect to a C&C server.

Figure 1. Vulnerability security update notice from Korea Internet & Security Agency[1]

The exploited Innorix Agent is a file transfer solution client. Details about the vulnerability were posted by the Korea Internet & Security Agency (KISA)[1], where the INNORIX Agent versions requiring the security update were identified as version 9.2.18.450 and an earlier version, 9.2.18.418.

Figure 2. Detection log from ASD infrastructure

The detected backdoor attempts to connect to a C&C server. Major features include collecting and forwarding user PC information, as well as capturing screenshots, file creation, and file execution.

Figure 3. Detection report from ASD infrastructure

The discovered backdoor was found in two forms. The sample found initially was confirmed to have been developed in C/C++, while the recently detected sample was created with .NET. There are no differences in features between the two forms. Some detection reports show that it attempted to conceal itself by using the name AhnLab when registering itself in the task scheduler.

Figure 4. Encoding and decoding routines

This backdoor-classified malware applies the routine shown in Figure 4 to data it receives before using it, and the same routine is applied to data before it is sent. Based on AhnLab's analysis, encrypting traffic through this encoding and decoding routine to bypass packet-level monitoring is a characteristic of Andardoor. The key value is 74615104773254458995125212023273, the same XOR key value found in the CISA report [2] published in 2016.
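To make the routine above concrete for analysts who need to decode captured C&C traffic, here is an added example (not ASEC's code and not taken from the malware). It treats the key string from the post as 32 ASCII bytes applied cyclically with XOR; that interpretation of the Figure 4 routine, the chunked-stream handling, and the sample command string are assumptions made for the example.

```python
# Added example (not ASEC's code): repeating-key XOR codec for decoding
# captured Andardoor C&C data during analysis. The key string is the value
# reported in the post; treating it as 32 ASCII bytes applied cyclically is
# an assumption about the routine shown in Figure 4.
from typing import Iterable

KEY = b"74615104773254458995125212023273"


def xor_codec(data: bytes, key: bytes = KEY, offset: int = 0) -> bytes:
    """XOR every byte of `data` with `key`, cycling the key from `offset`.

    XOR is its own inverse, so the same call both encodes and decodes.
    """
    if not key:
        raise ValueError("key must not be empty")
    klen = len(key)
    return bytes(b ^ key[(offset + i) % klen] for i, b in enumerate(data))


class XorStream:
    """Decode data that arrives in arbitrary chunks (for example, separate
    TCP segments of one capture) while keeping the key position continuous
    across chunk boundaries, so the decode does not desynchronise."""

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.pos = 0

    def update(self, chunk: bytes) -> bytes:
        out = xor_codec(chunk, self.key, self.pos)
        self.pos = (self.pos + len(chunk)) % len(self.key)
        return out


def decode_capture(segments: Iterable[bytes], key: bytes = KEY) -> bytes:
    """Decode an ordered sequence of captured segments as one stream."""
    stream = XorStream(key)
    return b"".join(stream.update(s) for s in segments)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace. A rough
    sanity check that the key offset used for a stream was right: a decoded
    text command scores 1.0, while a misaligned decode scatters control
    bytes through the output."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


if __name__ == "__main__":
    # Constructed sample: a made-up command string split across two segments.
    plaintext = b"screenshot;C:\\Users\\victim\\Desktop\\"
    encoded = xor_codec(plaintext)
    segments = [encoded[:10], encoded[10:]]
    decoded = decode_capture(segments)
    print(decoded, printable_ratio(decoded))
```

Because the key is 32 bytes long, the key position wraps every 32 bytes of stream data; `XorStream` tracks that position so a capture can be decoded segment by segment without first reassembling the whole stream.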

Companies and regular users are advised to be particularly cautious, as this malware has recently been distributed by exploiting a software vulnerability. Software still on a vulnerable version must be managed so that it is only used after being updated.

[File Detection]

  • Backdoor/Win.Andardoor.R558252
  • Backdoor/Win.Andardoor.C5381120
  • Backdoor/Win.Andardoor.C5382662
  • Backdoor/Win.Andardoor.C5382103
  • Backdoor/Win.Andardoor.C5382101

[IOC]

  • bcac28919fa33704a01d7a9e5e3ddf3f
  • 1ffccc23fef2964e9b1747098c19d956
  • 9112efb49cae021abebd3e9a564e6ca4
  • 0a09b7f2317b3d5f057180be6b6d0755
  • 0211a3160cc5871cbcd4e5514449162b
  • ac0ada011f1544aa3a1cf27a26f2e288
  • c892c60817e6399f939987bd2bf5dee0
  • 6dd579cfa0cb4a0eb79414de6fc1d147
  • 88a7c84ac7f7ed310b5ee791ec8bd6c5
  • e5410abaaac69c88db84ab3d0e9485ac
  • 4.246.144.112:443
  • 139.177.190.243:443
  • 27.102.107.224:5443
  • 27.102.107.234:8443
  • 27.102.113.88:5443
  • 27.102.113.88:21
  • 109.248.150.179:443

[References]

[1] Security Vulnerability Information Portal (krcert.or.kr)

[2] CISA Analysis Report

Categories: Malware Information
