
Andariel Hackers Target South Korean Institutes with New Dora RAT Malware

Jun 03, 2024 | Newsroom | Malware / Cyber Attack

The North Korea-linked threat actor known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in its attacks targeting educational institutes, manufacturing firms, and construction businesses in South Korea.

“Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks,” the AhnLab Security Intelligence Center (ASEC) said in a report published last week. “The threat actor probably used these malware strains to control and steal data from the infected systems.”

The attacks are characterized by the use of a vulnerable Apache Tomcat server to distribute the malware, the South Korean cybersecurity firm added, noting the system in question ran the 2013 version of Apache Tomcat, making it susceptible to several vulnerabilities.
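The practical lesson of that paragraph is that an internet-facing Tomcat from 2013 is a distribution point waiting to happen, and the first defensive step is knowing which hosts still run an end-of-life release line. The following is an added example, not code from the ASEC report or from The Hacker News: it parses Tomcat version strings as an asset inventory might record them (the sample inventory is constructed) and flags hosts whose release line is no longer supported. The end-of-life dates are from memory of the Tomcat project's announcements and are an assumption to verify against tomcat.apache.org before acting on the output.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample inventory: (hostname, reported server string).
# "Apache-Coyote/1.1" is Tomcat's default Server header, which hides the
# version, so a banner-only inventory will miss such hosts (see note below).
SAMPLE_INVENTORY = [
    ("web-01.example.test", "Apache-Coyote/1.1"),
    ("web-02.example.test", "Apache Tomcat/7.0.42"),   # 2013-era release
    ("web-03.example.test", "Apache Tomcat/9.0.85"),
    ("web-04.example.test", "Apache Tomcat/8.5.99"),
    ("web-05.example.test", "nginx/1.24.0"),
]

# Tomcat release lines that have reached end of life, keyed by (major, minor),
# with the date support ended. Assumed values: check the project's site.
EOL_LINES = {
    (6, 0): "2016-12-31",
    (7, 0): "2021-03-31",
    (8, 0): "2018-06-30",
    (8, 5): "2024-03-31",
}

# Matches the version string Tomcat prints in "catalina.sh version" output,
# on default error pages, and in some Server headers.
VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_tomcat_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) if text carries a Tomcat version, else None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def eol_date(version: Tuple[int, int, int]) -> Optional[str]:
    """Return the end-of-life date for the version's release line, or None if supported."""
    return EOL_LINES.get((version[0], version[1]))


def find_eol_tomcat(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, eol_date) for every host on an end-of-life Tomcat line."""
    findings = []
    for host, server_string in inventory:
        version = parse_tomcat_version(server_string)
        if version is None:
            # Not an identifiable Tomcat version; such hosts need an on-host check.
            continue
        eol = eol_date(version)
        if eol is not None:
            findings.append((host, "%d.%d.%d" % version, eol))
    return findings


if __name__ == "__main__":
    for host, version, eol in find_eol_tomcat(SAMPLE_INVENTORY):
        print(f"{host}: Apache Tomcat {version} (line unsupported since {eol})")
```

Because the default `Server` header does not reveal the version, feed this with strings collected on the host itself (the `Server version:` line of `catalina.sh version`) rather than with HTTP banners; a host that only shows `Apache-Coyote/1.1` is unknown, not safe.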


Andariel, also known by the names Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group that has operated on behalf of North Korea's strategic interests since at least 2008.

A sub-cluster within the prolific Lazarus Group, the adversary has a track record of leveraging spear-phishing, watering hole attacks, and known security vulnerabilities in software to obtain initial access and distribute malware to targeted networks.

ASEC did not elaborate on the attack chain used for malware deployment, but it noted the use of a variant of a known malware called Nestdoor, which comes with capabilities to receive and execute commands from a remote server, upload/download files, launch a reverse shell, capture clipboard data and keystrokes, and act as a proxy.

Also used in the attacks is a previously undocumented backdoor called Dora RAT that has been described as a “simple malware strain” with support for reverse shell and file download/upload capabilities.

“The attacker has also signed and distributed [the Dora RAT] malware using a valid certificate,” ASEC noted. “Some of the Dora RAT strains used for the attack were confirmed to be signed with a valid certificate from a United Kingdom software developer.”


Other malware strains delivered in the attacks include a keylogger that's installed via a lean Nestdoor variant, a dedicated information stealer, and a SOCKS5 proxy that overlaps with a similar proxy tool used by the Lazarus Group in the 2021 ThreatNeedle campaign.

“The Andariel group is one of the threat groups that are highly active in Korea, alongside the Kimsuky and Lazarus groups,” ASEC said. “The group initially launched attacks to acquire information related to national security, but now they have also been attacking for financial gain.”
