An unnamed South Korean enterprise resource planning (ERP) vendor’s product update server was compromised to deliver a Go-based backdoor dubbed Xctdoor.
The AhnLab Security Intelligence Center (ASEC), which identified the attack in May 2024, did not attribute it to a known threat actor but noted similarities with Andariel, a sub-cluster within the notorious Lazarus Group.
This attack mirrors previous methods used by the North Korean adversary, who previously distributed malware like HotCroissant (identical to Rifdoor) in 2017 by inserting a malicious routine into a software update program.
In the recent incident analyzed by ASEC, the same executable was tampered with to execute a DLL file from a specific path using the regsvr32.exe process, instead of launching a downloader. The DLL file, Xctdoor, can steal system information, including keystrokes, screenshots, and clipboard content, and execute commands issued by the threat actor.
“Xctdoor communicates with the command-and-control (C2) server using the HTTP protocol, while the packet encryption employs the Mersenne Twister (MT19937) algorithm and the Base64 algorithm,” ASEC noted.
Additionally, the attack used XcLoader, an injector malware responsible for injecting Xctdoor into legitimate processes like explorer.exe. ASEC detected instances where poorly secured web servers were compromised to install XcLoader since at least March 2024.
South Korean ERP Vendor’s Server Hacked to Spread Xctdoor Malware: An unnamed South Korean enterprise resource planning (ERP) vendor’s product update server has been found to be compromised to deliver a Go-based backdoor dubbed Xctdoor. The AhnLab… https://t.co/hFswhFE8uP pic.twitter.com/hPZgUKUsq8
— Toby Lerone (@TLerone79) July 3, 2024
Meanwhile, another North Korea-linked threat actor, Kimusky, has been using a previously undocumented backdoor called HappyDoor since July 2021. Attack chains distributing this malware often start with spear-phishing emails that disseminate a compressed file containing an obfuscated JavaScript or dropper, which, when executed, creates and runs HappyDoor alongside a decoy file.
HappyDoor, executed via regsvr32.exe, can communicate with a remote server over HTTP, steal information, download/upload files, and update or terminate itself.
This development follows a “massive” malware distribution campaign by the Konni cyber espionage group targeting South Korea with phishing lures impersonating the national tax service to deliver malware capable of stealing sensitive information, according to security researcher Idan Tarab.
These incidents highlight the ongoing threat posed by sophisticated cyber adversaries and the importance of robust cybersecurity measures to protect critical infrastructure.
Start Growing with Cloudways Today.
Our Clients Love us because we never compromise on these
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
