
Andariel APT Using DoraRAT and Nestdoor Malware to Spy on South Korean Businesses

Andariel APT, Remote Access Trojan, RAT, North Korea

Researchers have uncovered new attacks by a North Korean advanced persistent threat actor – the Andariel APT group – targeting Korean corporations and other organizations. The victims include educational institutions and companies in the manufacturing and construction sectors. The attackers employed keyloggers, infostealers, and proxy tools alongside backdoors to control and extract data from compromised systems, said researchers at the AhnLab Security Intelligence Center (ASEC). The malware used in these attacks includes strains previously attributed to the Andariel APT group, including the backdoor "Nestdoor." Additional tools include web shells and proxy tools linked to the North Korean Lazarus group that now contain modifications compared to earlier versions. Researchers first observed a confirmed attack case in which malware was distributed via a web server running an outdated 2013 version of Apache Tomcat, which is vulnerable to various attacks. "The threat actor used the web server to install backdoors, proxy tools, etc.," the researchers said.

Figure: Apache Tomcat compromised to spread malware by Andariel APT. (Credit: AhnLab)

Malware Used by Andariel APT in this Campaign

The first of the two malware strains used in the latest campaign was Nestdoor, a remote access trojan (RAT) that has been active since May 2022. This RAT can execute commands from the threat actor to control infected systems. Nestdoor has been found in numerous Andariel attacks, including those exploiting the VMware Horizon product’s Log4Shell vulnerability (CVE-2021-44228). The malware is developed in C++ and features capabilities such as file upload/download, reverse shell, command execution, keylogging, clipboard logging, and proxy functionalities. A specific case in 2022 involved Nestdoor being distributed alongside TigerRAT using the same command and control (C&C) server. Another incident in early 2024 saw Nestdoor disguised as an OpenVPN installer. This version maintained persistence via the Task Scheduler and communicated with a C&C server. The Andariel APT has been developing new malware strains in the Go language for each campaign. Dora RAT, a recent discovery, is one such malware strain. The backdoor malware supports reverse shell and file transfer operations and exists in two forms: a standalone executable and an injected process within "explorer.exe." The latter variant uses an executable in WinRAR SFX format, which includes an injector malware. The Dora RAT has been signed with a valid certificate from a UK software developer in an attempt to make it look legitimate.

Additional Malware Strains

  • Keylogger/Cliplogger: Performs basic functions like logging keystrokes and clipboard contents, stored in the "%TEMP%" directory.
  • Stealer: It is designed to exfiltrate files from the system, potentially handling large quantities of data.
  • Proxy: Includes both custom-created proxy tools and open-source Socks5 proxy tools. Some proxies are similar to those used by the Lazarus group in past attacks.
The Andariel group, part of the larger Lazarus umbrella, has shifted from targeting national security information to also pursuing financial gains. Last month, the South Korean National Police Agency revealed a targeted campaign of the Andariel APT aimed at stealing the country’s defense technology. Andariel APT hackers gained access to defense industry data by compromising an employee account, which was used in maintaining servers of a defense industry partner. The hackers injected malicious code into the partner’s servers around October 2022, and extracted stored defense technology data. This breach exploited a loophole in how employees used their personal and professional email accounts for official system access. Andariel APT's initial attack methodology primarily includes spear phishing, watering hole attacks, and exploiting software vulnerabilities. Users should remain cautious with email attachments from unknown sources and executable files from websites. Security administrators are advised to keep software patched and updated, including operating systems and browsers, to mitigate the risk of malware infections, the researchers recommended.

IoCs to Watch for Signs of Andariel APT Attacks

IoCs to monitor for attacks from the Andariel APT group include:

MD5s
  • 7416ea48102e2715c87edd49ddbd1526: Nestdoor – Recent attack case (nest.exe)
  • a2aefb7ab6c644aa8eeb482e27b2dbc4: Nestdoor – TigerRAT attack case (psfile.exe)
  • e7fd7f48fbf5635a04e302af50dfb651: Nestdoor – OpenVPN attack case (openvpnsvc.exe)
  • 33b2b5b7c830c34c688cf6ced287e5be: Nestdoor launcher (FirewallAPI.dll)
  • 4bc571925a80d4ae4aab1e8900bf753c: Dora RAT dropper (spsvc.exe)
  • 951e9fcd048b919516693b25c13a9ef2: Dora RAT dropper (emaupdate.exe)
  • fee610058c417b6c4b3054935b7e2730: Dora RAT injector (version.dll)
  • afc5a07d6e438880cea63920277ed270: Dora RAT injector (version.dll)
  • d92a317ef4d60dc491082a2fe6eb7a70: Dora RAT (emaupdate.exe)
  • 5df3c3e1f423f1cce5bf75f067d1d05c: Dora RAT (msload.exe)
  • 094f9a757c6dbd6030bc6dae3f8feab3: Dora RAT (emagent.exe)
  • 468c369893d6fc6614d24ea89e149e80: Keylogger/Cliplogger (conhosts.exe)
  • 5e00df548f2dcf7a808f1337f443f3d9: Stealer (msload.exe)

C&Cs
  • 45.58.159[.]237:443: Nestdoor – Recent attack case
  • 4.246.149[.]227:1443: Nestdoor – TigerRAT attack case
  • 209.127.19[.]223:443: Nestdoor – OpenVPN attack case
  • kmobile.bestunif[.]com:443: Dora RAT
  • 206.72.205[.]117:443: Dora RAT

Researchers Uncover New Data Theft Campaign of Advanced Threat Actor 'LilacSquid'

Researchers discovered a new data theft campaign, active since at least 2021, attributed to an advanced persistent threat (APT) actor dubbed "LilacSquid." This campaign, observed by researchers at Cisco Talos, targets a diverse set of industries, including IT organizations in the United States, energy companies in Europe, and pharmaceutical firms in Asia. This broad victimology suggests that LilacSquid is agnostic to industry verticals, aiming to steal data from various sectors.

Use of Open-Source Tools and Customized Malware

The campaign from LilacSquid employs MeshAgent, an open-source remote management tool, and a customized version of QuasarRAT that researchers refer to as "PurpleInk," as primary implants after compromising vulnerable application servers exposed to the internet. LilacSquid exploits public-facing application server vulnerabilities and compromised remote desktop protocol (RDP) credentials to deploy a range of open-source tools and customized malware, including MeshAgent, SSF, PurpleInk, and the loaders InkBox and InkLoader.

LilacSquid's Long-Term Access for Data Theft through Persistence

Talos assessed with high confidence that LilacSquid has been active since at least 2021, focusing on establishing long-term access to compromised organizations to siphon valuable data to attacker-controlled servers. The campaign has successfully compromised entities in Asia, Europe, and the United States across various sectors such as pharmaceuticals, oil and gas, and technology. LilacSquid uses two primary infection chains: exploiting vulnerable web applications and using compromised RDP credentials.

Figure: LilacSquid Initial Access and Activity. (Credit: Cisco Talos)

Once a system is compromised through exploiting vulnerabilities on internet-facing devices, LilacSquid deploys multiple access tools, including MeshAgent, SSF, InkLoader, and PurpleInk.

Figure: LilacSquid's Lateral Movement via RDP. (Credit: Cisco Talos)

MeshAgent, downloaded using the bitsadmin utility, connects to its command and control (C2) server, conducts reconnaissance, and activates other implants. InkLoader, on the other hand, a .NET-based malware loader, is used when RDP credentials are compromised. It persists across reboots and executes PurpleInk, with the infection chain tailored for remote desktop sessions.

PurpleInk Implant of LilacSquid

PurpleInk, derived from QuasarRAT, has been customized extensively since 2021.
"Although QuasarRAT has been available to threat actors since at least 2014, we observed PurpleInk being actively developed starting in 2021 and continuing to evolve its functionalities separate from its parent malware family."
It features robust remote access capabilities, including process enumeration, file manipulation, system information gathering, remote shell access, and proxy server communication. Different variants of PurpleInk exhibit varying functionalities, with some stripped-down versions retaining core capabilities to evade detection. InkBox, an older loader used by LilacSquid, reads from a hardcoded file path on disk, decrypts its contents, and runs PurpleInk. Since 2023, LilacSquid has modularized the infection chain, with PurpleInk running as a separate process via InkLoader.

Figure: PurpleInk Activation Chain. (Credit: Cisco Talos)

Post-exploitation, MeshAgent activates other tools like SSF and PurpleInk. MeshAgent, configured with MSH files, allows operators to control infected devices extensively, managing files, viewing and controlling desktops, and gathering device information.

Parallels with North Korean APT Groups

The tactics, techniques, and procedures (TTPs) used in this campaign show similarities to those of North Korean APT groups, such as Andariel and Lazarus. Andariel is known for using MeshAgent to maintain post-compromise access, while Lazarus extensively employs SOCKS proxy and tunneling tools, along with custom malware, to create channels for secondary access and data exfiltration. LilacSquid has similarly deployed SSF and other malware to establish tunnels to its remote servers. The LilacSquid campaign highlights the persistent and evolving threat posed by sophisticated APT actors. By leveraging a combination of open-source tools and customized malware, LilacSquid successfully infiltrates and maintains long-term access to diverse organizations worldwide. IoCs to detect LilacSquid's PurpleInk infection:

PurpleInk: 2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8

Network IOCs

  • 67[.]213[.]221[.]6
  • 192[.]145[.]127[.]190
  • 45[.]9[.]251[.]14
  • 199[.]229[.]250[.]142
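Both IoC lists on this page (the Andariel MD5s and C&Cs from ASEC above, and the LilacSquid PurpleInk SHA-256 and network IOCs here) are published defanged and in prose, which is not the form a defender needs. The following Python script is an added example, not code from ASEC, Cisco Talos or the articles: it refangs the `[.]` notation, matches md5sum/sha256sum-style file inventories against the listed hashes, and flags connection or DNS log lines that reach a listed C&C host, reporting whether the published port matched as well. The key=value log format, the inventory format and every sample line are constructed for the example; only the indicator values themselves come from the articles.

```python
"""Added example: match the Andariel (ASEC) and LilacSquid (Talos) indicators quoted
above against hash inventories and connection/DNS logs. Log/inventory formats and the
sample lines are constructed for this example; the indicator values are the page's."""
import re
from typing import Dict, List, Optional, Tuple

# File hashes quoted above: MD5 (Andariel case) and SHA-256 (LilacSquid PurpleInk).
FILE_IOCS: Dict[str, str] = {
    "7416ea48102e2715c87edd49ddbd1526": "Nestdoor - recent attack case (nest.exe)",
    "a2aefb7ab6c644aa8eeb482e27b2dbc4": "Nestdoor - TigerRAT attack case (psfile.exe)",
    "e7fd7f48fbf5635a04e302af50dfb651": "Nestdoor - OpenVPN attack case (openvpnsvc.exe)",
    "33b2b5b7c830c34c688cf6ced287e5be": "Nestdoor launcher (FirewallAPI.dll)",
    "4bc571925a80d4ae4aab1e8900bf753c": "Dora RAT dropper (spsvc.exe)",
    "951e9fcd048b919516693b25c13a9ef2": "Dora RAT dropper (emaupdate.exe)",
    "fee610058c417b6c4b3054935b7e2730": "Dora RAT injector (version.dll)",
    "afc5a07d6e438880cea63920277ed270": "Dora RAT injector (version.dll)",
    "d92a317ef4d60dc491082a2fe6eb7a70": "Dora RAT (emaupdate.exe)",
    "5df3c3e1f423f1cce5bf75f067d1d05c": "Dora RAT (msload.exe)",
    "094f9a757c6dbd6030bc6dae3f8feab3": "Dora RAT (emagent.exe)",
    "468c369893d6fc6614d24ea89e149e80": "Keylogger/Cliplogger (conhosts.exe)",
    "5e00df548f2dcf7a808f1337f443f3d9": "Stealer (msload.exe)",
    "2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8": "LilacSquid PurpleInk",
}
# Network indicators exactly as published, still defanged with "[.]".
NETWORK_IOCS: Dict[str, str] = {
    "45.58.159[.]237:443": "Nestdoor C&C - recent attack case",
    "4.246.149[.]227:1443": "Nestdoor C&C - TigerRAT attack case",
    "209.127.19[.]223:443": "Nestdoor C&C - OpenVPN attack case",
    "kmobile.bestunif[.]com:443": "Dora RAT C&C",
    "206.72.205[.]117:443": "Dora RAT C&C",
    "67[.]213[.]221[.]6": "LilacSquid network IOC",
    "192[.]145[.]127[.]190": "LilacSquid network IOC",
    "45[.]9[.]251[.]14": "LilacSquid network IOC",
    "199[.]229[.]250[.]142": "LilacSquid network IOC",
}

def refang(indicator: str) -> str:  # undo the usual defanging so values compare with real logs
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")

def parse_network_ioc(indicator: str) -> Tuple[str, Optional[int]]:
    """Split a published 'host:port' (port optional) into (host, port), lower-cased."""
    clean = refang(indicator).lower()
    host, sep, port = clean.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (clean, None)

def build_network_index() -> Dict[str, Tuple[Optional[int], str]]:
    """host -> (expected port or None, label) for O(1) lookups per log field."""
    pairs = ((parse_network_ioc(raw), label) for raw, label in NETWORK_IOCS.items())
    return {host: (port, label) for (host, port), label in pairs}

# md5sum / sha256sum style: "<hex digest>  <path>" (a leading '*' marks binary mode).
HASH_LINE = re.compile(r"^([0-9a-fA-F]{32}|[0-9a-fA-F]{64})\s+\*?(.+)$")

def match_hashes(inventory_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (path, label) for every inventory line whose digest is a known IoC."""
    hits: List[Tuple[str, str]] = []
    for line in inventory_lines:
        m = HASH_LINE.match(line.strip())
        if m and m.group(1).lower() in FILE_IOCS:
            hits.append((m.group(2), FILE_IOCS[m.group(1).lower()]))
    return hits

# Constructed key=value log format: 'dst=' for connections, 'query=' for DNS lookups.
DST_FIELD = re.compile(r"\b(?:dst|query)=(\S+)")
PORT_FIELD = re.compile(r"\bdport=(\d+)")

def match_network(log_lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, host, confidence, label) for lines that reach a listed C&C."""
    index, hits = build_network_index(), []
    for line_no, line in enumerate(log_lines, start=1):
        port_m = PORT_FIELD.search(line)
        seen_port = int(port_m.group(1)) if port_m else None
        for host in (h.lower().rstrip(".") for h in DST_FIELD.findall(line)):
            if host in index:
                expected_port, label = index[host]
                if expected_port is None or seen_port is None:
                    confidence = "host"                      # no port to compare
                elif seen_port == expected_port:
                    confidence = "host+port"                 # strongest match
                else:
                    confidence = "host-only (port differs)"  # still worth triage
                hits.append((line_no, host, confidence, label))
    return hits

# Constructed samples: one Nestdoor MD5, the empty-file MD5, PurpleInk in upper case.
SAMPLE_INVENTORY = [
    "7416ea48102e2715c87edd49ddbd1526  C:/Windows/Temp/nest.exe",
    "d41d8cd98f00b204e9800998ecf8427e  C:/Users/Public/empty.txt",
    "2EB9C6722139E821C2FE8314B356880BE70F3D19D8D2BA530ADC9F466FFC67D8  /opt/app/update.bin",
]
SAMPLE_LOGS = [
    "2024-06-01T09:12:03Z src=10.0.0.21 dst=45.58.159.237 dport=443 action=allow",
    "2024-06-01T09:12:09Z src=10.0.0.21 query=kmobile.bestunif.com type=A",
    "2024-06-01T09:13:40Z src=10.0.0.8 dst=4.246.149.227 dport=8080 action=deny",
    "2024-06-01T09:14:02Z src=10.0.0.8 dst=93.184.216.34 dport=443 action=allow",
    "2024-06-01T09:15:55Z src=10.0.0.30 dst=67.213.221.6 dport=22 action=allow",
]

if __name__ == "__main__":
    print(*match_hashes(SAMPLE_INVENTORY), *match_network(SAMPLE_LOGS), sep="\n")
```

The host is matched independently of the port on purpose: a C&C host reused on a different port (the third sample line) is still worth triage, so it is reported with a lower-confidence label rather than dropped, while a DNS lookup of a listed domain reports "host" because there is no port to compare. Hashes are compared case-insensitively, since inventory tools differ in the case they emit.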

VMware Abused in Recent MITRE Hack for Persistence, Evasion – Source: www.securityweek.com


Source: www.securityweek.com – Author: Eduard Kovacs MITRE has published another blog post describing the recent cyberattack, focusing on how the hackers abused its VMware systems for persistence and detection evasion. MITRE, a not-for-profit company operating R&D centers on behalf of US government sponsors, revealed one month ago that state-sponsored hackers had exploited zero-day vulnerabilities […]

The entry VMware Abused in Recent MITRE Hack for Persistence, Evasion – Source: www.securityweek.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

What is Cloud Penetration Testing? – Source: securityboulevard.com


Source: securityboulevard.com – Author: Riddika Grover The digital era is constantly evolving, and businesses are rapidly migrating towards cloud-based solutions to leverage the agility, scalability, and cost-effectiveness they offer. However, this transition also introduces new security challenges. As more sensitive data and applications reside in the cloud, ensuring their security becomes paramount. This is where […]

The entry What is Cloud Penetration Testing? – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

What is Cloud Penetration Testing?

The digital era is constantly evolving, and businesses are rapidly migrating towards cloud-based solutions to leverage the agility, scalability, and cost-effectiveness they offer. However, this transition also introduces new security challenges. As more sensitive data and applications reside in the cloud, ensuring their security becomes paramount. This is where Cloud Penetration Testing (Cloud Pentesting) steps […]

The post What is Cloud Penetration Testing? appeared first on Kratikal Blogs.

The post What is Cloud Penetration Testing? appeared first on Security Boulevard.

49 Million Customers Impacted by API Security Flaw

How safe is your data? With the increasing reliance on online services, this question weighs heavily on everyone’s mind. The recent cyber incident serves as a wake-up call, exposing a vulnerability we often overlook: the security of APIs. A recent data breach at a well-renowned American technology company affected 49 million consumers and highlights an […]

The post 49 Million Customers Impacted by API Security Flaw appeared first on Kratikal Blogs.

The post 49 Million Customers Impacted by API Security Flaw appeared first on Security Boulevard.

What is Secure Code Review and How to Conduct it?

Secure code review is a combination of automated and manual processes assessing an application/software’s source code. The main motive of this technique is to detect vulnerabilities in the code. This security assurance technique looks for logic errors and assesses style guidelines, specification implementation, and so on. In an automated secure code review, the tool automatically […]

The post What is Secure Code Review and How to Conduct it? appeared first on Kratikal Blogs.

The post What is Secure Code Review and How to Conduct it? appeared first on Security Boulevard.

How to Get a VAPT Certificate?

In today’s digital age, cybersecurity is more important than ever. Businesses that maintain the data of their clients are continually concerned about potential vulnerabilities that hackers may exploit to potentially misuse the data for wrong deeds. That is why organizations need to obtain a VAPT certificate for their organization. But what exactly is a VAPT certificate, […]

The post How to Get a VAPT Certificate? appeared first on Kratikal Blogs.

The post How to Get a VAPT Certificate? appeared first on Security Boulevard.

A first analysis of the i-Soon data leak

Data from a Chinese cybersecurity vendor that works for the Chinese government has exposed a range of hacking tools and services. Although the source is not entirely clear, it seems that a disgruntled staff member of the group leaked the information on purpose.

The vendor, i-Soon (aka Anxun), is believed to be a private contractor that operates as an Advanced Persistent Threat (APT)-for-hire, servicing China’s Ministry of Public Security (MPS).

The leaked data is organized in a few groups, such as complaints about the company, chat records, financial information, products, employee information, and details about foreign infiltration. According to the leaked data, i-Soon infiltrated several government departments, including those from India, Thailand, Vietnam, South Korea, and NATO.

Some of the tools that i-Soon used are impressive enough. Some highlights:

  • Twitter (now X) stealer: Features include obtaining the user’s Twitter email and phone number, real-time monitoring, reading personal messages, and publishing tweets on the user’s behalf.
  • Custom Remote Access Trojans (RATs) for Windows x64/x86: Features include process/service/registry management, remote shell, keylogging, file access logging, obtaining system information, disconnecting remotely, and uninstallation.
  • The iOS version of the RAT also claims to authorize and support all iOS device versions without jailbreaking, with features ranging from hardware information, GPS data, contacts, media files, and real-time audio records as an extension. (Note: this part dates back to 2020)
  • The Android version can dump messages from all popular Chinese chat apps (QQ, WeChat, Telegram, and MoMo) and is capable of elevating itself to a system app for persistence against internal recovery.
  • Portable devices for attacking networks from the inside.
  • Special equipment for operatives working abroad to establish safe communication.
  • User lookup database which lists user data including phone number, name, and email, and can be correlated with social media accounts.
  • Targeted automatic penetration testing scenario framework.

While some of the information is dated, the leaked data provides an inside look into the operations that go on in a leading spyware vendor and APT-for-hire.

It will certainly rattle some cages at the infiltrated entities and as such it could possibly cause a shift in international diplomacy and expose the holes in the national security of several countries.

Not all of the material has been examined yet. There is a lot available and translating is not an easy task. But we will keep you posted if anything else of interest shows up.

