Andariel Hackers Target South Korean Institutes with New Dora RAT Malware

June 3, 2024 at 04:36AM

Andariel, a North Korea-linked threat actor, has been using a new Golang-based backdoor called Dora RAT in cyber attacks targeting South Korean educational institutes, manufacturing firms, and construction businesses. The attacks involve the use of multiple malware strains, a vulnerable Apache Tomcat server, and known security vulnerabilities in software. Andariel is an advanced persistent threat (APT) group with a history of leveraging various attack methods for illegal gains.

Dora RAT is a newly observed Golang-based backdoor attributed to the North Korea-linked threat actor Andariel. It has been deployed in attacks against educational institutes, manufacturing firms, and construction businesses in South Korea, with a vulnerable Apache Tomcat server used to distribute the malware. Andariel, also tracked under several other names, is an advanced persistent threat (APT) group that operates in support of North Korea's strategic interests. The group has a track record of using spear-phishing, watering-hole attacks, and known software vulnerabilities to obtain initial access and deliver malware to targeted networks. Notably, the malware strains delivered in these attacks include a keylogger, an information stealer, and a SOCKS5 proxy. Andariel is counted among the most active threat groups targeting Korea, alongside the Kimsuky and Lazarus groups.
