New Keylogger Targeting U.S. Organizations Linked to North Korean APT Group Andariel
A recent analysis from Hybrid Analysis, led by security researcher Vlad Pasca, reveals a newly identified keylogger malware attributed to the North Korean APT group Andariel. Known for their targeted cyber-espionage and financial campaigns, Andariel (also referred to as APT45 or Silent Chollima) has deployed this keylogger in attacks against U.S. organizations, aiming to harvest sensitive information through keystroke and mouse activity logging.
The malware’s primary functionalities center on capturing and exfiltrating user inputs, with sophisticated anti-analysis techniques designed to evade detection and hinder reverse engineering. According to Pasca, “the malware sets a global Windows hook to intercept keystrokes and mouse events,” enabling Andariel to monitor user interactions.
Hybrid Analysis highlights multiple levels of functionality and persistence mechanisms that make this keylogger a potent tool in Andariel’s arsenal. Some key aspects include:
- Global Hooks for Keystroke and Mouse Monitoring: The malware installs low-level keyboard and mouse hooks by calling SetWindowsHookEx with the WH_KEYBOARD_LL and WH_MOUSE_LL hook types. Because these hooks are global, the callback sees every keystroke and mouse click on the interactive desktop regardless of which application has focus, giving attackers a comprehensive log of user actions.
- Persistence via Registry Modification: The malware modifies the Windows Registry to ensure persistence on infected devices. Pasca notes, “the malicious process modifies the ‘(Default)’ value found under the Run registry key,” enabling the keylogger to launch automatically at logon. Legitimate autostart entries under Run are named values, so a populated (Default) value is unusual and is a useful hunting indicator in its own right.
- File-Based Logging and Encryption: Once the malware is active, it creates a file named “DT_0004.tmp” in the system’s temporary folder, where it logs the captured data. The file is password-protected with a hardcoded password, “Pass@w0rd#384,” which keeps the logged data from casual inspection on the host but offers no protection against an analyst who has recovered the sample and extracted the string.
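The two host artifacts the report names, a populated “(Default)” value under a Run key and a DT_0004.tmp file in a temp folder, can be checked for directly. The script below is an added example for this article and is not code from Hybrid Analysis or from the malware; it assumes an elevated PowerShell 5.1 or later session on the suspect Windows host so that HKLM and every loaded user hive are readable, and the function name `Find-KeyloggerArtifacts` and the secondary “autostart entry pointing into a Temp folder” check are the editor’s additions, not indicators from the report.

```powershell
# Added example (not from the Hybrid Analysis report): hunt a Windows host for
# the two artifacts the article describes, a populated "(Default)" value under a
# Run key and a DT_0004.tmp file in a temp folder. Assumes an elevated
# PowerShell 5.1+ session so that HKLM and every loaded user hive are readable.

function Find-KeyloggerArtifacts {
    [CmdletBinding()]
    param(
        # Indicator taken from the article; a variant may use a different name.
        [string]$LogFileName = 'DT_0004.tmp'
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # Registry roots to inspect: machine-wide (64- and 32-bit views) plus every
    # user hive currently loaded under HKEY_USERS (covers logged-on users).
    $roots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')
    $roots += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\SOFTWARE" }

    foreach ($root in $roots) {
        foreach ($sub in 'Run', 'RunOnce') {
            $path = "$root\Microsoft\Windows\CurrentVersion\$sub"
            $key  = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            if (-not $key) { continue }

            # Legitimate autostart entries are named values; a populated
            # "(Default)" value (empty value name) is the pattern the report describes.
            $default = $key.GetValue('')
            if ($default) {
                $findings.Add([pscustomobject]@{
                    Type   = 'RunKeyDefaultValue'
                    Where  = $path
                    Detail = $default
                })
            }

            # Secondary check (editor's addition): any autostart value that
            # launches from a temp folder, where the report says the log is written.
            foreach ($name in $key.GetValueNames()) {
                if ($name -eq '') { continue }
                $data = [string]$key.GetValue($name)
                if ($data -match '(?i)\\Temp\\|%TEMP%|%TMP%') {
                    $findings.Add([pscustomobject]@{
                        Type   = 'RunKeyTempPath'
                        Where  = "$path\$name"
                        Detail = $data
                    })
                }
            }
        }
    }

    # Temp folders: every user profile's local temp plus the system temp.
    $tempDirs = @("$env:SystemRoot\Temp")
    $tempDirs += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }

    foreach ($dir in $tempDirs) {
        Get-ChildItem -LiteralPath $dir -Filter $LogFileName -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Type   = 'LogFile'
                    Where  = $_.FullName
                    Detail = '{0} bytes, last written {1:u}' -f $_.Length, $_.LastWriteTimeUtc
                })
            }
    }

    return $findings
}

# Usage: list every hit. An empty result means neither indicator was found on
# this host; it does not rule out a variant using different names or paths.
Find-KeyloggerArtifacts | Format-Table -AutoSize
```

Only hives that are currently loaded appear under HKEY_USERS, so profiles of users who are not logged on are not covered; load their NTUSER.DAT with `reg load` first if a full sweep is needed. The (Default) check is the higher-signal one: it matches the exact behaviour the report describes and has few benign causes, whereas a Run entry under a Temp path is common enough in installers to need triage.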
The keylogger demonstrates a range of obfuscation techniques aimed at complicating analysis of the malware. The report describes the insertion of junk code as an “anti-analysis technique that is used to obscure the program’s execution flow and make malware analysis more difficult.” The junk instructions serve no functional purpose; they exist only to bloat and confuse the disassembly for reverse engineers.
Additionally, the malware calls the SetErrorMode function to suppress the error dialogs Windows would otherwise display when the process crashes or a critical operation fails, a common tactic to keep a faulting implant from producing a visible pop-up that could reveal its presence to the user.
Beyond keystrokes and mouse events, the malware can steal data from the clipboard. This includes sensitive information that may not be typed directly, such as copied passwords, cryptocurrency wallet addresses, or confidential text snippets. The report details that the malware “uses the OpenClipboard and GetClipboardData methods” to extract clipboard contents whenever they are updated.
This keylogger is yet another tool in Andariel APT group’s growing malware portfolio, aimed at enhancing their cyber-espionage capabilities. The malware’s design—especially its reliance on global hooks and persistent registry modifications—demonstrates the group’s strategic intent to monitor user activities discreetly and maintain access over extended periods.