An unidentified South Korean ERP vendor’s update server has been taken over in order to propagate Xctdoor, a backdoor based on Go.
The update server of an unnamed South Korean ERP vendor has been hijacked to distribute Xctdoor, a Go-based backdoor. When the breach was first identified in May 2024, the AhnLab Security Intelligence Center (ASEC) did not attribute it to a particular threat actor or group. It did, however, point out parallels with Andariel, a subgroup of the infamous Lazarus Group. These similarities stem from earlier incidents in 2017 in which the North Korean adversary distributed malware such as HotCroissant (also called Rifdoor) by inserting malicious code into the update programs of ERP solutions. In the most recent incident ASEC investigated, the infected executable was modified so that, rather than starting a downloader, it used the regsvr32.exe process to execute a DLL file from a specified directory. Xctdoor, a DLL file, can steal information from the compromised system, including keystrokes and screenshots.
ASEC reports that Xctdoor communicates with its command-and-control server over HTTP, encrypting packets using Base64 and the Mersenne Twister (MT19937) algorithm. Another element of the attack is a malware known as XcLoader, which serves as an injector and inserts Xctdoor into legitimate programs such as “,”. ASEC also disclosed cases, going back to March 2024, in which poorly secured web servers were breached to install XcLoader. Separately, a North Korea-linked threat actor tracked as Kimsuky has been seen using HappyDoor, a previously disclosed backdoor in use since July 2021. This malware is distributed via spear-phishing emails carrying a compressed attachment. On execution, an obfuscated JavaScript or dropper creates and runs HappyDoor alongside a decoy file.
HappyDoor, which is also executed via regsvr32.exe, uses HTTP to connect to a remote server and supports file upload and download, self-updating and self-termination, and data theft. This activity coincides with a large-scale malware distribution campaign attributed to the Konni cyber-espionage group (also tracked as Opal Sleet, Osmium, or TA406). According to security researcher Idan Tarab, the group used phishing lures impersonating national tax services to target South Korea and deliver malware capable of stealing confidential data.
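Both Xctdoor and HappyDoor are described above as DLLs executed through regsvr32.exe, a signed Windows binary that normally registers DLLs from system or program directories. A defender can turn that detail into a simple hunt over process-creation telemetry. The following Python is an added example, not code from ASEC's report or from CIO News: it parses constructed Sysmon-style process-creation lines (the log format, paths, parent processes and directory prefixes are all this example's assumptions) and flags regsvr32.exe invocations whose DLL comes from a user-writable location or whose parent is a scripting host.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample events in a 'Key=Value|Key=Value' layout loosely modelled on
# Sysmon Event ID 1. These are invented for this example, not indicators from the report.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\regsvr32.exe|ParentImage=C:\Program Files\ERPVendor\Updater.exe"
    r"|CommandLine=regsvr32.exe /s C:\Users\Public\erp_update\x.dll",
    r"Image=C:\Windows\System32\regsvr32.exe|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=regsvr32.exe /s C:\Windows\System32\msxml3.dll",
    r"Image=C:\Windows\System32\regsvr32.exe|ParentImage=C:\Windows\System32\wscript.exe"
    r"|CommandLine=regsvr32.exe /s /n /i:C:\Users\alice\AppData\Local\Temp\h.dll "
    r"C:\Users\alice\AppData\Local\Temp\h.dll",
    r"Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=notepad.exe C:\Users\alice\notes.txt",
]

# Directory prefixes chosen for this example (assumptions, tune for your environment).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

# Tokenizer that keeps quoted paths (which may contain spaces) together.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


@dataclass
class Finding:
    line_no: int
    dll_path: str
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Split one 'Key=Value|Key=Value' line into a dict (constructed log format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dll_paths(command_line: str) -> List[str]:
    """Extract DLL paths from a regsvr32 command line, handling quotes and the /i: switch."""
    paths: List[str] = []
    for tok in TOKEN_RE.findall(command_line):
        tok = tok.strip('"')
        if tok.lower().startswith("/i:"):
            tok = tok[3:].strip('"')
        if tok.lower().endswith(".dll") and tok not in paths:
            paths.append(tok)
    return paths


def is_user_writable(path: str) -> bool:
    p = path.replace("/", "\\").lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or "\\temp\\" in p


def is_trusted_location(path: str) -> bool:
    return path.replace("/", "\\").lower().startswith(TRUSTED_PREFIXES)


def scan_events(lines: List[str]) -> List[Finding]:
    """Return one Finding per suspicious regsvr32.exe DLL load in the given event lines."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        ev = parse_event(line)
        if basename(ev.get("Image", "")) != "regsvr32.exe":
            continue
        parent = basename(ev.get("ParentImage", ""))
        for dll in dll_paths(ev.get("CommandLine", "")):
            reasons = []
            if not is_trusted_location(dll):
                reasons.append("DLL path outside Windows/Program Files")
            if is_user_writable(dll):
                reasons.append("DLL loaded from a user-writable directory")
            if parent in SCRIPT_HOSTS:
                reasons.append(f"regsvr32.exe spawned by script host {parent}")
            if reasons:
                findings.append(Finding(n, dll, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.dll_path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the constructed events, the ERP-updater line and the wscript.exe line are flagged while the registration of msxml3.dll from System32 and the unrelated notepad.exe event are not. In a real deployment the same logic maps onto a SIEM rule keyed on the regsvr32.exe image, with the trusted and user-writable prefix lists adjusted to the environment's software inventory.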
CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.