Andariel APT Using DoraRAT and Nestdoor Malware to Spy on South Korean Businesses
31 May 2024 at 14:00
Researchers have uncovered new attacks by a North Korean advanced persistent threat actor, the Andariel APT group, targeting Korean corporations and other organizations. The victims include educational institutions and companies in the manufacturing and construction sectors.
The attackers employed keyloggers, infostealers, and proxy tools alongside backdoors to control and extract data from compromised systems, said researchers at the AhnLab Security Intelligence Center (ASEC).
The malware used in these attacks includes strains previously attributed to the Andariel APT group, including the backdoor "Nestdoor." Additional tools include web shells and proxy tools linked to the North Korean Lazarus group that now contain modifications compared to earlier versions.
Researchers first observed a confirmed attack case in which malware was distributed via a web server running an outdated 2013 version of Apache Tomcat, which is vulnerable to various attacks. "The threat actor used the web server to install backdoors, proxy tools, etc.," the researchers said.
Apache Tomcat compromised to spread malware by Andariel APT. (Credit: Ahnlab)
Malware Used by Andariel APT in this Campaign
The first of the two malware strains used in the latest campaign was Nestdoor, a remote access trojan (RAT) that has been active since May 2022. This RAT can execute commands from the threat actor to control infected systems. Nestdoor has been found in numerous Andariel attacks, including those exploiting the VMware Horizon product's Log4Shell vulnerability (CVE-2021-44228). The malware is developed in C++ and features capabilities such as file upload/download, reverse shell, command execution, keylogging, clipboard logging, and proxy functionalities.

A specific case in 2022 involved Nestdoor being distributed alongside TigerRAT using the same command and control (C&C) server. Another incident in early 2024 saw Nestdoor disguised as an OpenVPN installer. This version maintained persistence via the Task Scheduler and communicated with a C&C server.

The Andariel APT has been developing new malware strains in the Go language for each campaign. Dora RAT, a recent discovery, is one such malware strain. The backdoor supports reverse shell and file transfer operations and exists in two forms: a standalone executable and a process injected into "explorer.exe." The latter variant uses an executable in WinRAR SFX format that includes an injector malware. The Dora RAT has been signed with a valid certificate from a UK software developer in an attempt to make it look legitimate.

Additional Malware Strains
- Keylogger/Cliplogger: Performs basic functions like logging keystrokes and clipboard contents, stored in the "%TEMP%" directory.
- Stealer: It is designed to exfiltrate files from the system, potentially handling large quantities of data.
- Proxy: Includes both custom-created proxy tools and open-source Socks5 proxy tools. Some proxies are similar to those used by the Lazarus group in past attacks.
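Two of the behaviours described above give a defender something concrete to hunt for: Nestdoor's persistence through the Task Scheduler, and the keylogger writing its output to "%TEMP%". The script below is an added example (not code from ASEC or from this article) that triages exported Task Scheduler XML definitions, flagging tasks whose action launches from or references a user-writable location (%TEMP%, %APPDATA%, a user's AppData folder) and tasks marked hidden. The task definitions embedded in it are constructed sample data, not real indicators from the report; on a live host the same XML is what `schtasks /query /xml` exports.

```python
"""Triage exported Windows Task Scheduler XML for suspicious persistence.

Added defensive example, not from the ASEC report: flags scheduled tasks whose
action launches a binary from user-writable locations (%TEMP%, %APPDATA%, a
user's AppData folder) or that are configured as hidden. The task definitions
below are constructed sample data, not real indicators.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler 2.0 XML definition.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# User-writable locations that legitimately installed software rarely runs from.
SUSPICIOUS_PATH_RE = re.compile(
    r"(%TEMP%|%TMP%|%APPDATA%|%LOCALAPPDATA%"
    r"|\\Users\\[^\\]+\\AppData\\|\\Windows\\Temp\\|\\Temp\\)",
    re.IGNORECASE,
)

# Constructed sample tasks: one mimicking a fake "OpenVPN" updater persisting
# from %APPDATA% as a hidden task, one benign vendor updater, and one that
# hides the payload path inside cmd.exe arguments.
SAMPLE_TASKS = {
    "OpenVPN Update": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>%APPDATA%\\OpenVPN\\openvpn-update.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "Vendor Updater": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Vendor\\updater.exe</Command>
      <Arguments>--check</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "Cleanup": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\cmd.exe</Command>
      <Arguments>/c start "" "%TEMP%\\svc.exe"</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def extract_actions(root):
    """Return (command, arguments) pairs for every <Exec> action in a task."""
    actions = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append((cmd.strip(), args.strip()))
    return actions


def triage_task(name, task_xml):
    """Return a list of findings for one task definition (empty if clean)."""
    root = ET.fromstring(task_xml)
    findings = []
    for cmd, args in extract_actions(root):
        # The path may sit in the command itself or be smuggled into arguments.
        if SUSPICIOUS_PATH_RE.search(cmd) or SUSPICIOUS_PATH_RE.search(args):
            findings.append({"task": name, "reason": "user-writable path",
                             "command": cmd, "arguments": args})
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS)
    if hidden.strip().lower() == "true":
        findings.append({"task": name, "reason": "hidden task",
                         "command": "", "arguments": ""})
    return findings


def triage_all(tasks):
    """Triage a mapping of task name -> XML and return all findings."""
    results = []
    for name, xml_text in tasks.items():
        results.extend(triage_task(name, xml_text))
    return results


if __name__ == "__main__":
    for finding in triage_all(SAMPLE_TASKS):
        print(f"[{finding['reason']}] {finding['task']}: "
              f"{finding['command']} {finding['arguments']}".rstrip())
```

The path list is deliberately narrow so the script stays useful as a first pass; a task running from a user-writable directory is not proof of compromise, but on a server that should only run vendor-installed software it is worth a look, especially when the binary carries a VPN or updater name the host has no business running.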