Saturday, July 6, 2024

South Korean ERP vendor’s server hacked to spread Xctdoor malware

July 3, 2024 | Newsroom | Malware/Threat Intelligence


The product update server of an unnamed Korean enterprise resource planning (ERP) vendor was found to have been compromised, delivering a Go-based backdoor called Xctdoor.

The AhnLab Security Intelligence Center (ASEC), which identified the attack in May 2024, did not specifically attribute the attack to any known threat actor or group, but noted that its tactics overlap with those of Andariel, a sub-cluster within the notorious Lazarus Group.

The similarities stem from North Korean adversaries' earlier use of ERP solutions to distribute malware such as HotCroissant (also known as Rifdoor) by inserting malicious routines into software updates in 2017.


In the recent incident analyzed by ASEC, the same ERP update executable was allegedly altered so that, rather than launching a downloader, it would run a DLL file from a specific path via the regsvr32.exe process.

That DLL, Xctdoor, can steal system information, including keystrokes, screenshots and clipboard contents, and execute commands issued by the threat actors.

“Xctdoor communicates with its (command and control) server using the HTTP protocol and employs Mersenne Twister (MT19937) and Base64 algorithms for packet encryption,” ASEC said.

The attack also uses malware called XcLoader, an injector that loads Xctdoor into legitimate processes (e.g. explorer.exe).

ASEC said it had detected further cases since at least March 2024 where poorly secured web servers had been compromised and XcLoader had been installed.

The disclosure comes after another North Korea-linked threat actor, known as Kimsuky, was observed using a previously undocumented backdoor codenamed "HappyDoor," which has been in use since July 2021.


The attack chain that delivers the malware begins with a spear-phishing email delivering a compressed file containing obfuscated JavaScript or a dropper that, when executed, drops and executes HappyDoor along with a decoy file.

Also a DLL file executed via regsvr32.exe, HappyDoor communicates with remote servers over HTTP and supports information theft, file download/upload, self-update and termination.
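Both Xctdoor and HappyDoor are DLLs launched through regsvr32.exe, so process-creation telemetry is a natural place to look for them. The following detection sketch is an added example, not code from ASEC or the article: it parses constructed Sysmon-style records (the field layout, vendor name and paths are assumptions) and flags regsvr32.exe invocations whose DLL lies outside directories a legitimate COM registration normally uses, or whose parent is a script host.

```python
import shlex
from typing import List, NamedTuple, Optional

# Constructed Sysmon-style process-creation records (sample data, not from the ASEC report).
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\regsvr32.exe"
    "|CommandLine=regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll",
    "ParentImage=C:\\Program Files\\ErpVendor\\Updater.exe|Image=C:\\Windows\\System32\\regsvr32.exe"
    "|CommandLine=regsvr32.exe /s C:\\ProgramData\\ErpVendor\\update.dll",
    "ParentImage=C:\\Windows\\System32\\wscript.exe|Image=C:\\Windows\\SysWOW64\\regsvr32.exe"
    "|CommandLine=regsvr32.exe /s \"C:\\Users\\Public\\Documents\\report viewer.dll\"",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe C:\\Users\\alice\\notes.txt",
]

# Directories from which a legitimately registered COM DLL is normally loaded (assumed baseline).
TRUSTED_DLL_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                        "c:\\program files\\", "c:\\program files (x86)\\")
# A script host spawning regsvr32.exe mirrors the HappyDoor chain (obfuscated JavaScript -> DLL).
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe", "\\mshta.exe")


class Finding(NamedTuple):
    parent: str
    dll: str
    reasons: tuple


def parse_event(line: str) -> dict:
    """Split a 'Key=Value|Key=Value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def regsvr32_target(command_line: str) -> Optional[str]:
    """Return the DLL path handed to regsvr32.exe (first non-switch argument), or None."""
    for tok in shlex.split(command_line, posix=False)[1:]:  # posix=False keeps backslashes
        if not tok.startswith(("/", "-")):
            return tok.strip('"')
    return None


def analyze(events) -> List[Finding]:
    """Return one Finding per suspicious regsvr32.exe execution in the event stream."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if not ev["Image"].lower().endswith("\\regsvr32.exe"):
            continue
        dll = regsvr32_target(ev["CommandLine"])
        if dll is None:
            continue
        reasons = []
        if not dll.lower().startswith(TRUSTED_DLL_PREFIXES):
            reasons.append("dll outside trusted directories")
        if ev["ParentImage"].lower().endswith(SCRIPT_HOSTS):
            reasons.append("spawned by script host")
        if reasons:
            findings.append(Finding(ev["ParentImage"], dll, tuple(reasons)))
    return findings
```

The second sample record models the ERP-updater case (a vendor updater registering a DLL from ProgramData), the third the script-dropper case; the first is benign and the fourth is not regsvr32 at all.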

The development follows a "large-scale" malware distribution campaign by the cyberespionage group Konni (also known as Opal Sleet, Osmium and TA406) targeting South Korea, which used phishing lures posing as the National Tax Service to deliver malware designed to steal sensitive information, security researcher Idan Tarab said.
