The North Korea-linked threat actor known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in its attacks targeting educational institutes, manufacturing firms, and construction businesses in South Korea.
“Keylogger, Infostealer, and proxy tools on top of the backdoor were used for the attacks,” the AhnLab Security Intelligence Center (ASEC) said in a report published last week. “The threat actor probably used these malware strains to control and steal data from the infected systems.”
The attacks are characterized by the use of a vulnerable Apache Tomcat server to distribute the malware, the South Korean cybersecurity firm added, noting the system in question ran the 2013 version of Apache Tomcat, making it susceptible to several vulnerabilities.
Andariel, also known by the names Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group that has operated on behalf of North Korea’s strategic interests since at least 2008.
A sub-cluster within the prolific Lazarus Group, the adversary has a track record of leveraging spear-phishing, watering hole attacks, and known security vulnerabilities in software to gain initial access and distribute malware to targeted networks.
ASEC did not elaborate on the attack chain used for malware deployment, but it noted the use of a variant of a known malware referred to as Nestdoor, which comes with capabilities to receive and execute commands from a remote server, upload/download files, launch a reverse shell, capture clipboard data and keystrokes, and act as a proxy.
Also used in the attacks is a previously undocumented backdoor called Dora RAT that has been described as a “simple malware strain” with support for reverse shell and file download/upload capabilities.
“The attacker has also signed and distributed [the Dora RAT] malware using a valid certificate,” ASEC noted. “Some of the Dora RAT strains used for the attack were confirmed to be signed with a valid certificate from a United Kingdom software developer.”
Some of the other malware strains delivered in the attacks include a keylogger that’s installed via a lean Nestdoor variant, as well as a dedicated information stealer and a SOCKS5 proxy that shows overlaps with a similar proxy tool used by the Lazarus Group in the 2021 ThreatNeedle campaign.
“The Andariel group is one of the threat groups that are highly active in Korea, along with the Kimsuky and Lazarus groups,” ASEC said. “The group initially launched attacks to acquire information related to national security, but now they have also been attacking for financial gain.”
Some parts of this article are sourced from:
thehackernews.com