The North Korea-linked threat actor known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in its attacks targeting educational institutes, manufacturing firms, and construction businesses in South Korea.
"Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks," the AhnLab Security Intelligence Center (ASEC) said in a report published last week. "The threat actor probably used these malware strains to control and steal data from the infected systems."
The attacks are characterized by the use of a vulnerable Apache Tomcat server to distribute the malware, the South Korean cybersecurity firm added, noting that the system in question ran a 2013 version of Apache Tomcat, making it susceptible to numerous vulnerabilities.
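The practical takeaway from the Tomcat detail is an inventory problem: an administrator needs to know which servers run a release line that has reached end of life. The following is an added example written for this article, not code from ASEC or The Hacker News. It parses the `org/apache/catalina/util/ServerInfo.properties` file that ships inside Tomcat's `lib/catalina.jar` (its `server.number` and `server.built` keys are real), and compares the release line against end-of-life dates that are the author's own recollection of the Tomcat project's announcements and should be re-checked against tomcat.apache.org. The sample properties text is constructed for the example.

```python
"""Flag end-of-life Apache Tomcat installs from ServerInfo.properties.

Added illustration (not from ASEC's report or the article). The EOL
table is an assumption to re-verify against the Tomcat project's
announcements; release lines not listed are treated as supported.
"""
from __future__ import annotations

import re
from datetime import date

# Assumed end-of-life dates per release line (major.minor).
TOMCAT_EOL: dict[str, date] = {
    "5.5": date(2012, 9, 30),
    "6.0": date(2016, 12, 31),
    "7.0": date(2021, 3, 31),
    "8.0": date(2018, 6, 30),
    "8.5": date(2024, 3, 31),
}

# Constructed sample: what ServerInfo.properties looks like for a
# mid-2013 Tomcat 7 build (values made up for the example).
SAMPLE_2013 = """\
server.info=Apache Tomcat/7.0.42
server.number=7.0.42.0
server.built=Jul 2 2013 08:57:41
"""

# Constructed sample for a release line that is not in the EOL table.
SAMPLE_CURRENT = """\
server.info=Apache Tomcat/10.1.24
server.number=10.1.24.0
server.built=May 9 2024 12:00:00
"""


def parse_server_info(text: str) -> dict[str, str]:
    """Parse the key=value lines of a Java .properties file (simple form)."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def release_line(version: str) -> str:
    """Reduce '7.0.42.0' to its release line '7.0'; '' if unparseable."""
    m = re.match(r"(\d+)\.(\d+)\.", version)
    return f"{m.group(1)}.{m.group(2)}" if m else ""


def assess(text: str, today: date) -> dict:
    """Return version facts plus whether the install is past EOL on `today`."""
    props = parse_server_info(text)
    version = props.get("server.number", "")
    line = release_line(version)
    eol = TOMCAT_EOL.get(line)
    return {
        "version": version,
        "line": line,
        "built": props.get("server.built", ""),
        "eol": eol,
        "unsupported": eol is not None and today > eol,
    }


if __name__ == "__main__":
    for name, sample in (("2013 build", SAMPLE_2013), ("current", SAMPLE_CURRENT)):
        result = assess(sample, date.today())
        status = "END OF LIFE" if result["unsupported"] else "supported line"
        print(f"{name}: Tomcat {result['version']} built {result['built']}: {status}")
```

Run it against the `ServerInfo.properties` extracted from each server's `catalina.jar` (for example with `unzip -p lib/catalina.jar org/apache/catalina/util/ServerInfo.properties`) and feed the output into whatever inventory the team already keeps; a server that reports an end-of-life line is the one to patch or decommission first.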
Andariel, also known by the names Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group that has operated on behalf of North Korea's strategic interests since at least 2008.
A sub-cluster within the prolific Lazarus Group, the adversary has a track record of leveraging spear-phishing, watering hole attacks, and known security vulnerabilities in software to gain initial access and distribute malware to targeted networks.
ASEC did not elaborate on the attack chain used for malware deployment, but it noted the use of a variant of a known malware called Nestdoor, which comes with capabilities to receive and execute commands from a remote server, upload and download files, launch a reverse shell, capture clipboard data and keystrokes, and act as a proxy.
Also used in the attacks is a previously undocumented backdoor called Dora RAT that has been described as a "simple malware strain" with support for reverse shell and file download/upload capabilities.
"The attacker has also signed and distributed [the Dora RAT] malware using a valid certificate," ASEC said. "Some of the Dora RAT strains used for the attack were confirmed to be signed with a valid certificate from a United Kingdom software developer."
Some of the other malware strains delivered in the attacks include a keylogger that is installed via a lightweight Nestdoor variant, as well as a dedicated information stealer and a SOCKS5 proxy that overlaps with a similar proxy tool used by the Lazarus Group in the 2021 ThreatNeedle campaign.
"The Andariel group is one of the threat groups that are highly active in Korea, alongside the Kimsuky and Lazarus groups," ASEC said. "The group initially launched attacks to acquire information related to national security, but now they have also been attacking for financial gain."
Some parts of this article are sourced from:
thehackernews.com