July 2, 2024 at 01:41AM
A South Korean ERP vendor's product update server was breached and used to deliver malware instead of legitimate updates. The attack, potentially linked to the North Korea-associated Andariel group, targeted ERP systems with backdoors named HotCroissant and Riffdoor. The incident, detected by AhnLab, highlights the supply-chain risk that a compromised update channel poses, particularly to organizations in the defense sector.
According to the notes on the incident, the compromised update server distributed malware in place of legitimate updates. The attack was attributed to a group linked to North Korea, specifically Andariel, a subsidiary of the Lazarus Group. The attackers installed backdoors named HotCroissant and Riffdoor and targeted ERP systems by altering ClientUpdater.exe so that it delivered malicious updates.
The specific malware identified in the attack is named Xctdoor. It functions as a backdoor that steals system information and executes commands received from the threat actor, allowing the attackers to control infected systems, exfiltrate data, and carry out further malicious activity such as capturing screenshots, keylogging, and transmitting drive information.
Andariel has a history of targeting financial institutions, government entities, and defense contractors, although the group has also been observed branching out into other sectors such as healthcare. The recent attacks targeted the defense sector and came within months of earlier attacks on industries including manufacturing.
ASEC recommends that users exercise caution with email attachments from unknown sources and with executable files downloaded from web pages. Security administrators are advised to strengthen monitoring of asset management programs and to apply patches for any security vulnerabilities in those programs, so that a compromised update mechanism cannot be used in the same way again.