The North Korea-linked menace actor generally known as Andariel has been noticed utilizing a brand new Golang-based backdoor known as Dora RAT in its assaults focusing on academic institutes, manufacturing corporations, and development companies in South Korea.
“Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks,” the AhnLab Safety Intelligence Heart (ASEC) mentioned in a report printed final week. “The threat actor probably used these malware strains to control and steal data from the infected systems.”
The assaults are characterised by way of a susceptible Apache Tomcat server to distribute the malware, the South Korean cybersecurity agency added, noting the system in query ran the 2013 model of Apache Tomcat, making it inclined to a number of vulnerabilities.
Andariel, additionally recognized by the title Nicket Hyatt, Onyx Sleet, and Silent Chollima, is a sophisticated persistent menace (APT) group that operates on behalf of North Korea’s strategic pursuits since a minimum of 2008.
A sub-cluster throughout the prolific Lazarus Group, the adversary has a monitor document of leveraging spear-phishing, watering gap assaults, and recognized safety vulnerabilities in software program to acquire preliminary entry and distribute malware to focused networks.
ASEC didn’t elaborate on the assault chain used for malware deployment, however it famous using a variant of a recognized malware known as Nestdoor, which comes with capabilities to obtain and execute instructions from a distant server, add/obtain recordsdata, launch a reverse shell, seize clipboard knowledge and keystrokes, and act as a proxy.
Additionally used within the assaults is a beforehand undocumented backdoor known as Dora RAT that has been described as a “simple malware strain” with assist for reverse shell and file obtain/add capabilities.
“The attacker has also signed and distributed [the Dora RAT] malware using a valid certificate,” ASEC famous. “Some of the Dora RAT strains used for the attack were confirmed to be signed with a valid certificate from a United Kingdom software developer.”
Among the different malware strains delivered within the assaults embody a keylogger that is put in through a lean Nestdoor variant in addition to a devoted data stealer and a SOCKS5 proxy that reveals overlaps with the same proxy device utilized by the Lazarus Group within the 2021 ThreatNeedle marketing campaign.
“The Andariel group is one of the threat groups that are highly active in Korea, alongside the Kimsuky and Lazarus groups,” ASEC mentioned. “The group initially launched attacks to acquire information related to national security, but now they have also been attacking for financial gain.”
