Home Security South Korean ERP Vendor’s Server Hacked to Spread Xctdoor Malware

South Korean ERP Vendor’s Server Hacked to Spread Xctdoor Malware

by


Jul 03, 2024NewsroomMalware / Threat Intelligence

An unnamed South Korean enterprise resource planning (ERP) vendor’s product update server has been found to be compromised to deliver a Go-based backdoor dubbed Xctdoor.

The AhnLab Security Intelligence Center (ASEC), which identified the attack in May 2024, did not attribute it to a known threat actor or group, but noted that the tactics overlap with that of Andariel, a sub-cluster within the infamous Lazarus Group.

The similarities stem from the North Korean adversary’s prior use of ERP solution to distribute malware like HotCroissant – which is identical to Rifdoor – in 2017 by inserting a malicious routine into a software update program.

Cybersecurity

In the recent incident analyzed by ASEC, the same executable is said to have been tampered with to execute a DLL file from a specific path using the regsvr32.exe process as opposed to launching a downloader.

The DLL file, Xctdoor, is capable of stealing system information, including keystrokes, screenshots, and clipboard content, and executing commands issued by the threat actor.

“Xctdoor communicates with the [command-and-control] server using the HTTP protocol, while the packet encryption employs the Mersenne Twister (MT19937) algorithm and the Base64 algorithm,” ASEC said.

Also used in the attack is a malware called XcLoader, which serves as an injector malware responsible for injecting Xctdoor into legitimate processes (e.g., “explorer.exe”).

ASEC said it further detected cases where poorly secured web servers have been compromised to install XcLoader since at least March 2024.

The development comes as the another North Korea-linked threat actor referred to as Kimusky has been observed using a previously undocumented backdoor codenamed HappyDoor that has been put to use as far back as July 2021.

Cybersecurity

Attack chains distributing the malware leverage spear-phishing emails as a starting point to disseminate a compressed file, which contains an obfuscated JavaScript or dropper that, when executed, creates and runs HappyDoor alongside a decoy file.

HappyDoor, a DLL file executed via regsvr32.exe, is equipped to communicate with a remote server over HTTP and facilitate information theft, download/upload files, as well as update and terminate itself.

It also follows a “massive” malware distribution campaign orchestrated by the Konni cyber espionage group (aka Opal Sleet, Osmium, or TA406) targeting South Korea with phishing lures impersonating the national tax service to deliver malware capable of stealing sensitive information, security researcher Idan Tarab said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex