
Andariel Hackers Target South Korean Institutes with New Dora RAT Malware

The North Korea-linked threat actor known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in its attacks targeting educational institutes, manufacturing firms, and construction businesses in South Korea.

“Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks,” the AhnLab Security Intelligence Center (ASEC) said in a report published last week. “The threat actor probably used these malware strains to control and steal data from the infected systems.”

The attacks are characterized by the use of a vulnerable Apache Tomcat server to distribute the malware, the South Korean cybersecurity firm added, noting the system in question ran the 2013 version of Apache Tomcat, making it susceptible to several vulnerabilities.


Andariel, also known by the names Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group that has operated on behalf of North Korea’s strategic interests since at least 2008.


A sub-cluster within the prolific Lazarus Group, the adversary has a track record of leveraging spear-phishing, watering hole attacks, and known security vulnerabilities in software to obtain initial access and distribute malware to targeted networks.

ASEC did not elaborate on the attack chain used for malware deployment, but it noted the use of a variant of a known malware called Nestdoor, which comes with capabilities to receive and execute commands from a remote server, upload/download files, launch a reverse shell, capture clipboard data and keystrokes, and act as a proxy.

Also used in the attacks is a previously undocumented backdoor called Dora RAT that has been described as a “simple malware strain” with support for reverse shell and file download/upload capabilities.

“The attacker has also signed and distributed [the Dora RAT] malware using a valid certificate,” ASEC noted. “Some of the Dora RAT strains used for the attack were confirmed to be signed with a valid certificate from a United Kingdom software developer.”


Some of the other malware strains delivered in the attacks include a keylogger that is installed via a lean Nestdoor variant, as well as a dedicated information stealer and a SOCKS5 proxy that exhibits overlaps with a similar proxy tool used by the Lazarus Group in the 2021 ThreatNeedle campaign.


“The Andariel group is one of the threat groups that are highly active in Korea, alongside the Kimsuky and Lazarus groups,” ASEC said. “The group initially launched attacks to acquire information related to national security, but now they have also been attacking for financial gain.”
