The product update server of an unnamed South Korean enterprise resource planning (ERP) vendor was found to have been compromised to deliver a Go-based backdoor dubbed Xctdoor.
AhnLab Security Intelligence Center (ASEC), which identified the May 2024 attack, did not attribute it to a known threat actor or group, but noted that the tactics overlap with those of Andariel, a subcluster of the infamous Lazarus Group.
The similarity stems from the earlier use by a North Korean adversary of an ERP solution to distribute malware such as HotCroissant (also known as Rifdoor) in 2017, achieved by inserting a malicious routine into the software update program.
In the recent incident analyzed by ASEC, the same executable was tampered with so that it executes a DLL file from a specific path via the regsvr32.exe process instead of launching the updater.
The DLL file, Xctdoor, is capable of stealing system information, including keystrokes, screenshots, and clipboard contents, as well as executing commands issued by the threat actor.
“Xctdoor communicates with the C2 (command-and-control) server using the HTTP protocol, while packet encryption uses the Mersenne Twister (MT19937) and Base64 algorithms,” ASEC said.
The attack also uses malware called XcLoader, which serves as an injector responsible for injecting Xctdoor into legitimate processes (such as “explorer.exe”).
ASEC said it has additionally discovered instances of poorly secured web servers being compromised to install XcLoader since at least March 2024.
The development comes as another North Korea-linked threat actor, Kimsuky, has been observed using a previously undocumented backdoor codenamed HappyDoor, which has been in use since July 2021.
Attack chains distributing the malware use phishing emails as a starting point to deliver a compressed file containing an obfuscated JavaScript file or a dropper that, when executed, creates and runs HappyDoor along with a decoy file.
HappyDoor, a DLL file executed via regsvr32.exe, is equipped to communicate with a remote server via HTTP and facilitate information theft, upload and download files, and update and terminate itself.
The disclosure also follows a “massive” malware distribution campaign orchestrated by the Konni cyber espionage group (aka Opal Sleet, Osmium, or TA406) that targeted South Korea with phishing lures impersonating the national tax service to deliver malware capable of stealing sensitive information, security researcher Idan Tarab said.
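Both Xctdoor and HappyDoor are DLLs launched through regsvr32.exe, which makes process-creation telemetry a practical detection point. The following is an added example, not code from ASEC or from the report, that triages constructed Windows process-creation events for regsvr32.exe registering a DLL from a user-writable location or being spawned by a script host; the event layout, paths and file names are hypothetical.

```python
import re

# Constructed sample process-creation events (hypothetical; not from the report).
SAMPLE_EVENTS = [
    {"parent": "C:\\Program Files\\VendorERP\\Updater.exe",
     "cmdline": 'regsvr32.exe /s "C:\\Program Files\\VendorERP\\erpcore.dll"'},
    {"parent": "C:\\Program Files\\VendorERP\\Updater.exe",
     "cmdline": "regsvr32.exe /s C:\\Users\\Public\\Libraries\\xctd.dll"},
    {"parent": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\hd.dll"},
    {"parent": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "regsvr32.exe /s C:\\Windows\\System32\\vbscript.dll"},
]

# Parents that rarely have a legitimate reason to register COM DLLs.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Locations a standard user can write to; installers normally register from Program Files or System32.
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# First quoted or unquoted token ending in .dll on the command line.
DLL_RE = re.compile(r'"([^"]+?\.dll)"|(\S+?\.dll)', re.IGNORECASE)


def dll_path(cmdline):
    """Return the DLL path passed to regsvr32, or None if none is present."""
    m = DLL_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def score_event(ev):
    """Return the list of reasons an event looks suspicious (empty means benign)."""
    reasons = []
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    path = dll_path(ev["cmdline"])
    if parent in SCRIPT_HOSTS:
        reasons.append(f"regsvr32 spawned by script host {parent}")
    if path and path.lower().startswith(WRITABLE_PREFIXES):
        reasons.append(f"DLL registered from user-writable path {path}")
    return reasons


def flagged_indices(events):
    """Indices of events with at least one reason; useful as an alert list."""
    return [i for i, ev in enumerate(events) if score_event(ev)]


if __name__ == "__main__":
    for i in flagged_indices(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["cmdline"], score_event(SAMPLE_EVENTS[i]))
```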