03 July 2024 | Newsroom | Malware / Threat Intelligence

Xctdoor malware

An unnamed South Korean enterprise resource planning (ERP) vendor's product update server has been compromised to deliver a Go-based backdoor dubbed Xctdoor.

AhnLab Security Intelligence Center (ASEC), which identified the May 2024 attack, did not attribute it to a known threat actor or group, but noted that the tactics overlap with those of Andariel, a sub-cluster within the infamous Lazarus Group.

The similarity stems from the North Korean adversary's earlier use of an ERP solution to distribute malware like HotCroissant, which is identical to Rifdoor, by inserting a malicious routine into the software update program in 2017.


In the recent incident analyzed by ASEC, the same update executable is said to have been tampered with to run a DLL file from a specific path via the regsvr32.exe process, as opposed to launching a downloader.

The DLL file, Xctdoor, is capable of stealing system information, including keystrokes, screenshots, and clipboard contents, and is able to execute commands issued by the threat actor.

"Xctdoor communicates with the [command-and-control] server using the HTTP protocol, while packet encryption uses the Mersenne Twister (MT19937) algorithm and the Base64 algorithm," ASEC said.

The attack also uses a piece of malware called XcLoader, which acts as an injector malware responsible for injecting Xctdoor into a legitimate process (for example, “explorer.exe”).

ASEC said it has further detected cases where poorly secured web servers have been compromised to install XcLoader since at least March 2024.

The development comes as another North Korea-linked threat actor, Kimsuky, has been observed using a previously undocumented backdoor codenamed HappyDoor, which has been in use since July 2021.


Attack chains distributing the malware use spear-phishing emails as a starting point to deliver a compressed file that contains an obfuscated JavaScript or a dropper, which, when executed, creates and runs HappyDoor alongside a decoy file.

HappyDoor, a DLL file executed via regsvr32.exe, communicates with a remote server over HTTP and is equipped to steal information, download and upload files, and update and delete itself.
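Both Xctdoor and HappyDoor are DLLs launched through regsvr32.exe, one by a tampered ERP update program and one by a script dropper, so a process-creation event in which regsvr32.exe registers a DLL from outside the usual system or program directories is a practical hunting signal. The following is an added illustration, not code from ASEC or the article; the trusted-directory list and the pipe-delimited sample events are constructed assumptions to be tuned per environment.

```python
import shlex
from typing import Iterator

# Assumption: locations from which regsvr32.exe normally registers DLLs; tune per estate.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed process-creation events in a simple key=value|key=value form (not real telemetry).
SAMPLE_EVENTS = [
    "ParentImage=C:\\ERP\\Update.exe|Image=C:\\Windows\\System32\\regsvr32.exe|"
    'CommandLine=regsvr32.exe /s "C:\\ERP\\update\\cache\\core.dll"',
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\regsvr32.exe|"
    "CommandLine=regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll",
    "ParentImage=C:\\Windows\\System32\\wscript.exe|Image=C:\\Windows\\System32\\regsvr32.exe|"
    'CommandLine=regsvr32.exe /s "C:\\Users\\u\\AppData\\Local\\Temp\\doc.dll"',
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe|"
    "CommandLine=notepad.exe report.txt",
]

def parse_event(line: str) -> dict:
    """Turn 'k=v|k=v' into a dict; values may contain '=' but never '|'."""
    return dict(field.split("=", 1) for field in line.split("|"))

def dll_arguments(cmdline: str) -> Iterator[str]:
    """Yield .dll/.ocx arguments; posix=False keeps backslashes and quoted paths intact."""
    for tok in shlex.split(cmdline, posix=False):
        path = tok.strip('"')
        if path.lower().endswith((".dll", ".ocx")):
            yield path

def untrusted_regsvr32_loads(events: list) -> list:
    """Return (parent, dll) pairs where regsvr32.exe loads a DLL outside TRUSTED_PREFIXES."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if not ev.get("Image", "").lower().endswith("\\regsvr32.exe"):
            continue
        for dll in dll_arguments(ev.get("CommandLine", "")):
            if not dll.lower().startswith(TRUSTED_PREFIXES):
                hits.append((ev.get("ParentImage", ""), dll))
    return hits

if __name__ == "__main__":
    for parent, dll in untrusted_regsvr32_loads(SAMPLE_EVENTS):
        print(f"suspicious: {parent} -> regsvr32 loading {dll}")
```

The parent image is kept in each hit because an ERP updater or a script host spawning regsvr32.exe is what distinguishes the two chains described above from routine DLL registration.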

It also follows a "massive" malware distribution campaign orchestrated by Konni, a cyber espionage group (aka Opal Sleet, Osmium, or TA406) that is targeting South Korea with phishing lures impersonating the national tax service to deliver malware capable of stealing sensitive information, ASEC said.
