July 3, 2024 at 12:15AM
An unnamed South Korean enterprise resource planning (ERP) vendor’s product update server was compromised, leading to the delivery of a Go-based backdoor called Xctdoor. AhnLab Security Intelligence Center identified the attack, which shares similarities with tactics used by the infamous Lazarus Group. The attack also involved a malware injector called XcLoader. This incident is linked to ongoing cyber threats from North Korea.
Key Takeaways from the Meeting Notes:
– An unnamed South Korean ERP vendor’s product update server was compromised to deliver a Go-based backdoor called Xctdoor. The attack, identified by AhnLab Security Intelligence Center in May 2024, shares similarities with the tactics of Andariel, a sub-cluster within the Lazarus Group.
– The Xctdoor backdoor is capable of stealing system information, including keystrokes, screenshots, and clipboard content, and executing commands issued by the threat actor. It communicates with a command-and-control server using HTTP and employs the Mersenne Twister (MT19937) and Base64 algorithms for packet encryption.
– The attack also involved the use of a malware injector called XcLoader, which has been observed compromising poorly secured web servers since at least March 2024.
– The development is linked to another North Korea-associated threat actor, Kimsuky, which has been using a previously undocumented backdoor named HappyDoor since July 2021. HappyDoor is capable of communicating with a remote server over HTTP and facilitating information theft, file download/upload, as well as updating and terminating itself.
– This activity aligns with a “massive” malware distribution campaign by the Konni cyber espionage group (aka Opal Sleet, Osmium, or TA406) targeting South Korea. The campaign involves phishing lures impersonating the national tax service to deliver malware capable of stealing sensitive information.
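The Xctdoor item above notes that the backdoor wraps its C2 packets using MT19937 and Base64. As an added illustration (not code from the report, AhnLab, or the malware itself), the following Python shows why a keystream drawn from a general-purpose PRNG gives an analyst leverage: the packet layout, the one-byte-per-call keystream, and the fixed "BEACON|" marker are assumptions for the example, not details taken from this page.

```python
import base64
import random
from typing import Iterable, Optional


def mt_keystream(seed: int, length: int) -> bytes:
    """Keystream of `length` bytes from MT19937 seeded with `seed`.

    Python's random.Random is MT19937, the generator the report names.
    How Xctdoor derives its seed and consumes the output is not given on
    this page; one byte per getrandbits(8) call is an assumption here.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def wrap_packet(plaintext: bytes, seed: int) -> str:
    """Assumed packet layout: XOR with the MT19937 keystream, then Base64."""
    ks = mt_keystream(seed, len(plaintext))
    return base64.b64encode(bytes(p ^ k for p, k in zip(plaintext, ks))).decode("ascii")


def unwrap_packet(packet: str, seed: int) -> bytes:
    """Inverse of wrap_packet: Base64-decode, then XOR with the same keystream."""
    raw = base64.b64decode(packet)
    return bytes(c ^ k for c, k in zip(raw, mt_keystream(seed, len(raw))))


def recover_seed(packet: str, known_prefix: bytes, candidates: Iterable[int]) -> Optional[int]:
    """Analyst-side check. MT19937 is deterministic and not a cipher, so a
    captured packet whose plaintext starts with a known header (a fixed beacon
    marker, assumed here) pins down the seed among a candidate set such as
    timestamps near the capture time. Returns the first matching seed."""
    raw = base64.b64decode(packet)[: len(known_prefix)]
    for seed in candidates:
        if bytes(c ^ k for c, k in zip(raw, mt_keystream(seed, len(raw)))) == known_prefix:
            return seed
    return None


if __name__ == "__main__":
    # Constructed sample beacon body with the assumed fixed marker.
    body = b"BEACON|host=WKSTN-01|user=analyst"
    pkt = wrap_packet(body, 1_720_000_000)
    print(pkt)
    print(recover_seed(pkt, b"BEACON|", range(1_720_000_000 - 300, 1_720_000_000 + 300)))
```

Once the seed is known, every packet using it decodes with `unwrap_packet`, which is the practical consequence of treating a PRNG as encryption.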