The North Korea-linked threat actor commonly known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in its attacks targeting educational institutes, manufacturing companies, and construction businesses in South Korea.
“Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks,” the AhnLab Security Intelligence Center (ASEC) said in a report published last week. “The threat actor probably used these malware strains to control and steal data from the infected systems.”
The attacks are characterized by the use of a vulnerable Apache Tomcat server to distribute the malware, the South Korean cybersecurity firm added, noting that the system in question ran a 2013 version of Apache Tomcat, leaving it susceptible to a number of known vulnerabilities.
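An outdated Tomcat build like the one described above is something an asset inventory can catch before an attacker does. The following Python script is an added example written for this page, not code from ASEC or from the Tomcat project: it reads the version that every Tomcat install records in `lib/catalina.jar` (the real `org/apache/catalina/util/ServerInfo.properties` entry) and flags builds that belong to an end-of-life release line. The `EOL_LINES` policy set, the `assess_install` helper and the sample jar built in memory are assumptions and constructed fixtures for the demonstration; the version numbers in the sample are made up and should be checked against the Apache Tomcat EOL announcements you work from.

```python
import io
import re
import zipfile
from pathlib import Path

# Real Tomcat layout: catalina.jar embeds this properties file describing the build.
SERVER_INFO_PATH = "org/apache/catalina/util/ServerInfo.properties"

# Assumed policy for this example (not from the article): release lines treated as
# end-of-life. Maintain it from the Apache Tomcat EOL announcements you rely on.
EOL_LINES = {(5, 5), (6, 0), (7, 0), (8, 0), (8, 5)}


def parse_server_info(props_text: str) -> dict:
    """Parse the key=value lines of ServerInfo.properties into a dict."""
    info = {}
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip()
    return info


def version_tuple(version: str) -> tuple:
    """'7.0.42.0' -> (7, 0, 42, 0); only numeric components take part in comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def tomcat_version_from_jar(jar_bytes: bytes) -> str:
    """Return the version recorded inside a catalina.jar, e.g. '9.0.50.0'."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        info = parse_server_info(jar.read(SERVER_INFO_PATH).decode("utf-8"))
    if "server.number" in info:
        return info["server.number"]
    # Fall back to server.info=Apache Tomcat/x.y.z when server.number is absent.
    match = re.search(r"Apache Tomcat/([\d.]+)", info.get("server.info", ""))
    if not match:
        raise ValueError("no Tomcat version found in ServerInfo.properties")
    return match.group(1)


def assess(version: str) -> dict:
    """Classify a Tomcat version by release line: end-of-life or still maintained.

    'maintained-line' only means the line still receives fixes; patch-level
    currency must still be compared against that line's latest release.
    """
    parts = version_tuple(version)
    line = (parts + (0, 0))[:2]
    status = "end-of-life" if line in EOL_LINES else "maintained-line"
    return {"version": version, "line": "%d.%d" % line, "status": status}


def assess_install(catalina_home: str) -> dict:
    """Hypothetical inventory helper: assess the Tomcat under a CATALINA_HOME directory."""
    jar = Path(catalina_home) / "lib" / "catalina.jar"
    return assess(tomcat_version_from_jar(jar.read_bytes()))


def make_fake_catalina_jar(server_number: str, built: str) -> bytes:
    """Constructed fixture: an in-memory jar holding only ServerInfo.properties."""
    short = ".".join(server_number.split(".")[:3])
    props = (
        f"server.info=Apache Tomcat/{short}\n"
        f"server.number={server_number}\n"
        f"server.built={built}\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(SERVER_INFO_PATH, props)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a 2013-era 7.0.x build and a current-line build.
    old = make_fake_catalina_jar("7.0.42.0", "Jan 1 2013 00:00:00 UTC")
    print(assess(tomcat_version_from_jar(old)))
    new = make_fake_catalina_jar("10.1.24.0", "Jan 1 2024 00:00:00 UTC")
    print(assess(tomcat_version_from_jar(new)))
```

Reading the version from the jar rather than from a banner is deliberate: the HTTP `Server` header and error pages are routinely suppressed on hardened hosts, whereas the packaged properties file reflects the binary actually running. Run `assess_install("/opt/tomcat")` from a configuration-management job to feed the result into the inventory that drives patching.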
Andariel, also known by the names Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group that has operated on behalf of North Korea’s strategic interests since at least 2008.
A sub-cluster within the prolific Lazarus Group, the adversary has a track record of leveraging spear-phishing, watering hole attacks, and known security vulnerabilities in software to obtain initial access and distribute malware to targeted networks.
ASEC did not elaborate on the attack chain used for malware deployment, but it noted the use of a variant of a known malware called Nestdoor, which comes with capabilities to receive and execute commands from a remote server, upload/download files, launch a reverse shell, capture clipboard data and keystrokes, and act as a proxy.
Also used in the attacks is a previously undocumented backdoor called Dora RAT that has been described as a “simple malware strain” with support for reverse shell and file download/upload capabilities.
“The attacker has also signed and distributed [the Dora RAT] malware using a valid certificate,” ASEC noted. “Some of the Dora RAT strains used for the attack were confirmed to be signed with a valid certificate from a United Kingdom software developer.”
Some of the other malware strains delivered in the attacks include a keylogger that is installed via a lightweight Nestdoor variant, as well as a dedicated information stealer and a SOCKS5 proxy that shows overlaps with a similar proxy tool used by the Lazarus Group in the 2021 ThreatNeedle campaign.
“The Andariel group is one of the threat groups that are highly active in Korea, alongside the Kimsuky and Lazarus groups,” ASEC said. “The group initially launched attacks to acquire information related to national security, but now they have also been attacking for financial gain.”
The disclosure comes as ASEC also revealed attacks targeting South Korean defense and semiconductor manufacturing entities with a malware dubbed SmallTiger since at least November 2023. Some of these intrusions have been found to leverage SmallTiger to deliver a known Golang backdoor called DurianBeacon, which has previously been attributed to Andariel.