A South Korean company specializing in enterprise resource planning (ERP) software had its server breached and used to distribute a Go-based backdoor named Xctdoor.
The attack, discovered by the AhnLab Security Intelligence Center (ASEC) in May 2024, has not been directly attributed to a known threat actor or group. However, ASEC noted in its report that the tactics used bear similarities to those of Andariel, a subgroup within the notorious Lazarus Group.
This incident echoes a previous North Korean cyberattack in which the same ERP solution was used to spread malware such as HotCroissant, which is similar to Rifdoor, by embedding malicious code into a software update program.
According to ASEC's analysis of the recent breach, the modified executable was used to run a DLL file from a specific location via the regsvr32.exe process, instead of launching a typical downloader.
The implicated DLL file, Xctdoor, is capable of extracting system details, monitoring keystrokes, capturing screenshots, and executing commands issued by the malicious actor.
“Xctdoor communicates with the [command-and-control] server via the HTTP protocol, with packet encryption utilizing the Mersenne Twister (MT19937) and Base64 algorithms,” as stated by ASEC.
Also involved in the attack is another malware known as XcLoader, an injector responsible for injecting Xctdoor into legitimate processes such as "explorer.exe".
ASEC also identified cases where poorly secured web servers were breached to install XcLoader since at least March 2024.
In a related development, a different North Korea-affiliated threat actor called Kimsuky has been observed using a previously undocumented backdoor dubbed HappyDoor since July 2021.

The malware propagation chains rely on spear-phishing emails to initiate a distribution campaign involving a compressed file. This file contains either an obfuscated JavaScript or dropper that, when executed, launches HappyDoor alongside a decoy file.
HappyDoor, a DLL file executed via regsvr32.exe, communicates with a remote server over HTTP and supports data theft, file transfer, self-update, and self-termination.
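Both Xctdoor and HappyDoor are DLLs loaded through regsvr32.exe, so one defender-side check is to review process-creation telemetry for regsvr32 registering a DLL from outside the usual installation directories. The following is an added example, not code from ASEC or this article; the event records, paths and file names are constructed, and the trusted-root list is an assumption that a real deployment would tune.

```python
import re

# Directories from which a legitimately installed DLL is normally registered.
# This list is an assumption for the example; tune it to the environment.
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64",
                 r"c:\program files", r"c:\program files (x86)")

# A quoted or unquoted DLL/OCX path anywhere in a regsvr32 command line.
DLL_ARG = re.compile(r'"([^"]+\.(?:dll|ocx))"|(\S+\.(?:dll|ocx))', re.IGNORECASE)

# Constructed process-creation records (not from ASEC's report): image, parent, command line.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\ERP\update\erp_update.exe",
     "cmdline": r"regsvr32.exe /s C:\ProgramData\ERP\cache\plugin.dll"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\doc.dll"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
]

def dll_from_cmdline(cmdline):
    """Return the DLL path passed to regsvr32, or None if no DLL argument is present."""
    m = DLL_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def is_trusted_path(path):
    """True when the DLL sits under one of the expected installation roots."""
    p = path.lower().replace("/", "\\")
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)

def triage(events):
    """Flag regsvr32 launches whose DLL comes from a user-writable or unexpected location."""
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("\\regsvr32.exe"):
            continue  # only regsvr32 process creations are of interest here
        dll = dll_from_cmdline(ev["cmdline"])
        if dll is None:
            findings.append((ev["parent"], None, "regsvr32 launched without a DLL argument"))
        elif not is_trusted_path(dll):
            findings.append((ev["parent"], dll, "DLL registered from outside trusted roots"))
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags the ProgramData and Temp DLLs and ignores the vendor DLL under Program Files; the parent process is kept in each finding because an ERP updater or a script host spawning regsvr32 is the context an analyst needs next.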
This campaign is part of a broader malware distribution effort by the Konni cyber espionage group (also known as Opal Sleet, Osmium, or TA406), which targets South Korea with phishing emails impersonating the national tax service to deploy malware designed to steal sensitive data, according to security researcher Idan Tarab.

