An unidentified South Korean enterprise resource planning (ERP) vendor's product update server has been compromised, leading to the delivery of a Go-based backdoor malware known as Xctdoor.
The AhnLab Security Intelligence Center (ASEC), which identified the attack in May 2024, has not attributed it to any known threat actor or group. However, they noted that the tactics used in this attack bear a resemblance to the strategies employed by Andariel, a sub-cluster within the infamous Lazarus Group.
The similarities stem from the North Korean adversary's previous use of the ERP solution to distribute malware like HotCroissant – which is identical to Rifdoor – back in 2017. This was achieved by inserting a malicious routine into a software update program.
In the recent incident analyzed by ASEC, the same executable is said to have been tampered with to execute a DLL file from a specific path using the regsvr32.exe process, as opposed to launching a downloader.
The DLL file, Xctdoor, is capable of stealing system information, including keystrokes, screenshots, and clipboard content, and executing commands issued by the threat actor.
"Xctdoor communicates with the [command-and-control] server using the HTTP protocol, while the packet encryption employs the Mersenne Twister (MT19937) algorithm and the Base64 algorithm," ASEC explained.
Also used in the attack is a malware called XcLoader, which serves as an injector malware responsible for injecting Xctdoor into legitimate processes (e.g., "explorer.exe").
ASEC further detected cases where poorly secured web servers have been compromised to install XcLoader since at least March 2024.
This development comes as another North Korea-linked threat actor, known as Kimusky, has been observed employing a previously undocumented backdoor codenamed HappyDoor that has been in use as far back as July 2021.
Attack chains distributing the malware leverage spear-phishing emails as a starting point to disseminate a compressed file, which contains an obfuscated JavaScript or dropper that, when executed, creates and runs HappyDoor alongside a decoy file.
HappyDoor, a DLL file executed via regsvr32.exe, is equipped to communicate with a remote server over HTTP and facilitate information theft, download/upload files, as well as update and terminate itself.
This follows a "massive" malware distribution campaign orchestrated by the Konni cyber espionage group (aka Opal Sleet, Osmium, or TA406) targeting South Korea with phishing lures impersonating the national tax service to deliver malware capable of stealing sensitive information, according to security researcher Idan Tarab.
