The North Korea-linked threat actor known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in attacks targeting educational institutes, manufacturing companies, and construction businesses in South Korea.
The AhnLab Security Intelligence Center (ASEC) said in a recent report that the threat actor deployed keyloggers, infostealers, and proxy tools alongside the backdoor to carry out the attacks. “The threat actor presumably deployed these malicious tools to commandeer and exfiltrate data from compromised systems,” the report elucidated.
The attacks are notable for exploiting a vulnerable Apache Tomcat server that was running a version dating to 2013 with multiple known vulnerabilities. According to the South Korean cybersecurity firm, this server was used to distribute the malware.
Andariel, also tracked as Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group that has operated in alignment with North Korea’s strategic objectives since at least 2008.
The group, a subset of the prolific Lazarus Group, is known for using spear-phishing, watering hole attacks, and exploitation of known software vulnerabilities to gain an initial foothold and spread malware within targeted networks.
While ASEC did not detail the specific attack chain used to deploy the malware, it did highlight the use of a variant of Nestdoor. This variant supports remote command execution, file upload and download, reverse shell, clipboard data capture, keystroke logging, and proxy functionality.
The attacks also used a previously undocumented backdoor named Dora RAT, described as a “simple malware strain” with support for reverse shell and file upload and download capabilities.
“The perpetrator has also signed and disseminated [the Dora RAT] malware using a legitimate certificate,” ASEC remarked. “Some Dora RAT samples utilized in the assaults were authenticated with a valid certificate from a UK software developer.”
Other malware used in the attacks includes a keylogger installed by a lightweight Nestdoor variant, a dedicated infostealer, and a SOCKS5 proxy that overlaps with a similar proxy tool used by the Lazarus Group in the 2021 ThreatNeedle campaign.
“Andariel is among the highly active threat factions in Korea, alongside Kimsuky and Lazarus groups,” ASEC stated. “The group’s initial incursions aimed at acquiring information pertinent to national security, but their objectives have since expanded to encompass financial gain.”