A North Korean hacking group known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in attacks targeting educational institutions, manufacturing companies, and construction firms in South Korea.
Technical analysis of Dora RAT by security researchers
“Keylogger, infostealer and proxy tools, as well as a backdoor, were used for the attacks,” the AhnLab Security Intelligence Center (ASEC) said in a report released last week. “It is likely that the threat group used these malware strains to control and steal data from infected systems.”
The attacks are characterized by the use of a vulnerable Apache Tomcat server to distribute malware, the South Korean cybersecurity firm added, noting that the system in question was running a 2013 version of Apache Tomcat, making it susceptible to a range of known vulnerabilities.
Andariel, also tracked as Nickel Hyatt, Onyx Sleet and Silent Chollima, is an advanced persistent threat (APT) group that operates in support of North Korea’s strategic interests and is believed to have been active since at least 2008.
Possible connections with other known North Korean groups: the Lazarus Group first among them
A subgroup within the prolific Lazarus Group, the adversary has a history of exploiting spear-phishing, watering hole attacks and known security vulnerabilities in software to gain initial access and distribute malware to targeted networks.
ASEC did not elaborate on the attack chain used to distribute the malware, but noted the use of a variant of a known malware family called Nestdoor, which can receive and execute commands from a remote server, upload and download files, start a reverse shell, capture clipboard data and keystrokes, and function as a proxy.
A previously undocumented backdoor called Dora RAT, described as a “simple malware strain,” was also used in the attacks; it supports a reverse shell and can download and upload files.
Dora RAT was made to look “legitimate” via “borrowed” legitimate signatures
“The attacker also signed and distributed the malware [Dora RAT] using a valid certificate,” ASEC noted. “Some of the Dora RAT strains used in the attack were confirmed to be signed with a valid certificate from a UK software developer.”
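The practical lesson of the signed Dora RAT samples is that a cryptographically valid signature only proves who signed a file, not that the signer is someone your organisation trusts. The triage script below is an added example written for this article; it is not code from ASEC or from the malware. It runs over a constructed inventory of signature metadata (the kind an EDR or a signtool-style export would report) and separates signature validity from publisher identity, so a valid signature from an unfamiliar vendor lands in a review queue instead of being allowed. The publisher names, file paths and the allowlist are all hypothetical placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical allowlist of code-signing publishers the organisation actually trusts.
# Real deployments would populate this from the software inventory, not by hand.
APPROVED_PUBLISHERS = frozenset({"Example Corp Ltd"})


@dataclass(frozen=True)
class SignatureInfo:
    """Signature metadata for one binary, as a signing-inventory tool might report it."""
    path: str
    signed: bool
    signer_cn: Optional[str]   # Subject CN of the leaf signing certificate, if any
    chain_valid: bool          # chain builds to a trusted root and is not revoked


def classify(info: SignatureInfo) -> Tuple[str, str]:
    """Return (verdict, reason), where verdict is 'allow', 'review' or 'block'.

    Validity and identity are checked as two separate questions: a file can carry a
    perfectly valid signature (the Dora RAT case) and still come from a publisher
    nobody in the organisation has ever approved.
    """
    if not info.signed:
        return "block", "unsigned binary"
    if not info.chain_valid:
        return "block", "signature chain does not validate"
    if info.signer_cn in APPROVED_PUBLISHERS:
        return "allow", f"signed by approved publisher {info.signer_cn}"
    return "review", f"valid signature from unapproved publisher {info.signer_cn!r}"


def review_queue(inventory: List[SignatureInfo]) -> Dict[str, List[str]]:
    """Group every 'review' verdict by signer so an analyst sees each new publisher once."""
    queue: Dict[str, List[str]] = {}
    for info in inventory:
        verdict, _ = classify(info)
        if verdict == "review":
            queue.setdefault(info.signer_cn or "<no CN>", []).append(info.path)
    return queue


# Constructed sample inventory: all paths and publisher names are placeholders.
SAMPLE_INVENTORY = [
    SignatureInfo(r"C:\Program Files\ExampleCorp\agent.exe", True, "Example Corp Ltd", True),
    SignatureInfo(r"C:\Users\Public\update.exe", True, "Placeholder UK Software Vendor Ltd", True),
    SignatureInfo(r"C:\Windows\Temp\svc.exe", True, "Example Corp Ltd", False),
    SignatureInfo(r"C:\Users\Public\helper.exe", False, None, False),
]

if __name__ == "__main__":
    for item in SAMPLE_INVENTORY:
        verdict, reason = classify(item)
        print(f"{verdict:6} {item.path}  ({reason})")
    print("review queue:", review_queue(SAMPLE_INVENTORY))
```

The second sample record is the interesting one: its chain validates, so a check that stops at "is the signature valid?" would let it through, while the publisher allowlist sends it to review. In a real pipeline the `SignatureInfo` records would come from the signing-verification tooling already in use and the allowlist from the approved-software inventory.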
Other malware strains delivered in the attacks include a keylogger installed via a lightweight variant of Nestdoor, as well as a dedicated infostealer and a SOCKS5 proxy that overlaps with a similar proxy tool used by the Lazarus Group in the 2021 ThreatNeedle campaign.
“The Andariel group is one of the highly active threat groups in Korea, along with the Kimsuky and Lazarus groups,” ASEC said. “The group initially launched attacks to acquire information related to national security, but has now also started attacking for financial gain.”
The Lazarus Group, which keeps coming back in one form or another
Dora RAT is certainly not the first cyber threat “manufactured” in North Korea. The Lazarus Group has considerable influence in the world of cybersecurity, despite North Korea being a notoriously “closed” state.
It is possible, however, that some people at the top levels of the North Korean regime have access to the global internet, which is effectively forbidden to the average North Korean citizen.
Conclusion
Sophisticated and persistent attacks by groups like Andariel highlight the importance of keeping systems updated and implementing robust security measures.
The ability to sign malware with valid certificates and exploit known vulnerabilities demonstrates how cyber adversaries constantly adapt and evolve their tactics, making it critical for organizations to strengthen their defenses and remain vigilant against increasingly advanced threats.