The North Korea-linked threat actor known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in its attacks targeting educational institutes, manufacturing companies, and construction firms in South Korea.
“Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks,” the AhnLab Security Intelligence Center (ASEC) said in a report published last week. “The threat actor probably used these malware strains to control and steal data from the infected systems.”
The attacks are characterized by the use of a vulnerable Apache Tomcat server to distribute the malware, the South Korean cybersecurity firm added, noting that the system in question ran the 2013 version of Apache Tomcat, making it susceptible to numerous vulnerabilities.
Andariel, also known by the names Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group that has operated on behalf of North Korea’s strategic interests since at least 2008.
A sub-cluster within the prolific Lazarus Group, the adversary has a track record of leveraging spear-phishing, watering hole attacks, and known security vulnerabilities in software to gain initial access and distribute malware to targeted networks.
ASEC did not elaborate on the attack chain used for malware deployment, but it noted the use of a variant of a known malware called Nestdoor, which comes with capabilities to receive and execute commands from a remote server, upload/download files, launch a reverse shell, capture clipboard data and keystrokes, and act as a proxy.
Also used in the attacks is a previously undocumented backdoor called Dora RAT that has been described as a “simple malware strain” with support for reverse shell and file download/upload capabilities.
“The attacker has also signed and distributed [the Dora RAT] malware using a valid certificate,” ASEC said. “Some of the Dora RAT strains used for the attack were confirmed to be signed with a valid certificate from a United Kingdom software developer.”
Some of the other malware strains delivered in the attacks include a keylogger that is installed via a lean Nestdoor variant, as well as a dedicated information stealer and a SOCKS5 proxy that shows overlaps with a similar proxy tool used by the Lazarus Group in the 2021 ThreatNeedle campaign.
“The Andariel group is one of the threat groups that are highly active in Korea, alongside the Kimsuky and Lazarus groups,” ASEC said. “The group initially launched attacks to acquire information related to national security, but now they have also been attacking for financial gain.”
Some parts of this report are sourced from:
thehackernews.com