An unnamed South Korean provider of enterprise resource planning (ERP) software has been compromised and used to distribute a Go-based backdoor called Xctdoor.
What Cybersecurity Experts Know About Xctdoor
AhnLab’s Security Intelligence Center (ASEC), which identified the attack in May 2024, did not attribute the incident to a specific individual or known cybercriminal group, but did note that the tactics used overlap with those of Andariel, a subgroup of the infamous Lazarus Group.
The similarities stem from the North Korean adversary’s previous use of the same ERP solution to distribute malware such as HotCroissant (identical to Refdoor) in 2017, by inserting a malicious routine into a software updater.
In the recent incident analyzed by ASEC, the same updater executable is said to have been tampered with so that, instead of launching a downloader, it runs a DLL file from a specific path via the regsvr32.exe process.
Xctdoor and the involvement of Windows DLL files in attacks
The DLL file, Xctdoor, is capable of stealing system information, including keystrokes, screenshots and clipboard contents, and of executing commands issued by the cybercriminal(s).
“Xctdoor communicates with the command and control server using the HTTP protocol, while packet encryption uses the Mersenne Twister algorithm (MT19937) and the Base64 algorithm,” said cybersecurity firm ASEC.
The attack also used a malware called XcLoader, an injector responsible for loading Xctdoor into legitimate processes (e.g. “explorer.exe”).
ASEC has also detected cases, dating back to at least March 2024, in which misconfigured web servers were compromised to install XcLoader.
The incident comes as another North Korean-linked threat actor, known as Kimsuky, has been observed using a previously undocumented backdoor called HappyDoor, which is estimated to have been in circulation since at least July 2021.
How Xctdoor Attacks Happen
Attack chains that distribute the malware use spear-phishing emails as a starting point to deliver a compressed file containing an obfuscated JavaScript script or dropper that, when executed, creates and launches HappyDoor along with a decoy file.
HappyDoor, a DLL file executed via regsvr32.exe, can communicate with a remote server via HTTP, steal information, download and upload files, and update and terminate itself.
It also follows a “massive” malware distribution campaign orchestrated by the cyber espionage group known as Konni (also known as Opal Sleet, Osmium, or TA406), which targets South Korea with phishing lures impersonating the national tax service to distribute malware capable of stealing sensitive information, security researcher Idan Tarab said.
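The regsvr32.exe pattern appears twice on this page: the tampered ERP updater that launches Xctdoor, and the JavaScript dropper chain that launches HappyDoor. The following is an added example, not code from the article or from ASEC, of a detection routine run over process-creation telemetry that flags regsvr32.exe loading a module from outside trusted directories or being spawned by an unexpected parent such as a vendor updater or a script host. The event field names, the trusted-directory and benign-parent baselines, and the sample events are all constructed assumptions and should be tuned to the environment.

```python
"""Added example: flag suspicious regsvr32.exe launches in process-creation logs.
Not from the article or from ASEC; baselines and sample events are constructed."""

import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Directories from which a regsvr32.exe module load is treated as routine.
# Assumed baseline, not from the article; tune to the environment.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Parents that routinely spawn regsvr32.exe (installers, the service manager).
# Anything else, e.g. a vendor updater, raises a flag.  Assumed baseline.
BENIGN_PARENTS = frozenset({"msiexec.exe", "services.exe", "setup.exe"})

# Script hosts: a regsvr32 child of one of these matches the JavaScript
# dropper chain that the article describes for HappyDoor.
SCRIPT_HOSTS = frozenset({"wscript.exe", "cscript.exe", "mshta.exe"})

# Tokenizer for Windows command lines: quoted strings or runs of non-space.
_TOKEN = re.compile(r'"[^"]*"|\S+')


@dataclass
class ProcEvent:
    """Minimal process-creation record (field names are assumptions)."""
    parent_image: str
    image: str
    command_line: str


def module_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the module path passed to regsvr32: the last argument that is
    not a /switch or -switch, with surrounding quotes removed."""
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    args = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
    return args[-1] if args else None


def analyze(event: ProcEvent) -> Optional[Dict]:
    """Return an alert for a suspicious regsvr32 launch, or None."""
    if ntpath.basename(event.image).lower() != "regsvr32.exe":
        return None
    module = module_from_cmdline(event.command_line)
    parent = ntpath.basename(event.parent_image).lower()
    reasons: List[str] = []
    if module is None:
        reasons.append("no module argument")
    elif not module.lower().startswith(TRUSTED_DLL_DIRS):
        reasons.append(f"module outside trusted directories: {module}")
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    elif parent not in BENIGN_PARENTS:
        reasons.append(f"unusual parent {parent}")
    if not reasons:
        return None
    # Two independent anomalies (odd parent AND odd module path) rank higher.
    severity = "high" if len(reasons) > 1 else "medium"
    return {"severity": severity, "parent": parent,
            "module": module, "reasons": reasons}


def scan(events: Iterable[ProcEvent]) -> List[Dict]:
    """Run analyze() over a stream of events and keep the alerts."""
    return [a for a in (analyze(e) for e in events) if a]


# Constructed sample telemetry; every path and file name here is invented.
SAMPLE_EVENTS = [
    # Tampered ERP updater spawning regsvr32 on a module under ProgramData
    ProcEvent(r"C:\ERPVendor\Update\erp_update.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\ProgramData\ERPVendor\cache\update.dat"'),
    # JavaScript dropper chain: script host launches regsvr32 on a temp DLL
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\user\AppData\Local\Temp\doc.dll"),
    # Routine installer registration from Program Files: no alert expected
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\comctl.dll"'),
    # Unrelated process creation: ignored
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              "notepad.exe"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"], alert["parent"], "->", alert["module"], alert["reasons"])
```

Run against the constructed events, the routine first two produce high-severity alerts (unexpected parent plus a module outside the trusted directories) while the installer registration and the unrelated notepad launch produce none. In a real deployment the same logic would be fed from Sysmon process-creation events or EDR telemetry, and the baselines would be derived from what legitimately spawns regsvr32.exe in that environment.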
Some considerations
The attack that compromised a South Korean ERP vendor to distribute the Xctdoor backdoor highlights the complex tactics used by cybercriminals, particularly those linked to North Korea. The ability of these groups to tamper with legitimate software and insert malicious code underscores the importance of rigorous cybersecurity and constant monitoring of IT infrastructure.
The discovery of Xctdoor and its associated injector, XcLoader, along with the continued use of threats like HappyDoor, shows that cyberattacks are becoming increasingly sophisticated and persistent; spear-phishing and the compromise of misconfigured web servers are just some of the many avenues used to infiltrate target systems.
For companies, it is essential to adopt advanced security measures, such as deploying intrusion detection systems, updating software regularly, and continuously training staff to recognize and report phishing attempts. Only a combination of advanced technology and human awareness can effectively counter threats like Xctdoor and the cybercriminal groups that orchestrate them.