Andariel Hackers Target Educational Organizations in South Korea with New Dora RAT Malware
In its recent campaigns against educational institutions, manufacturing companies, and construction firms in South Korea, the North Korea-linked threat group known as Andariel has been employing a newly discovered backdoor named Dora RAT, developed in Golang.
A report published by the AhnLab Security Intelligence Center (ASEC) last week revealed, “Keylogger, Infostealer, and proxy tools along with the backdoor were exploited in these attacks by the threat actor, possibly for data theft and system control purposes.”
Highlighting distinctive features of the attacks, the South Korean cybersecurity company cited the use of a vulnerable Apache Tomcat server to distribute the malware. The targeted system was running a 2013 version of Apache Tomcat, which left it susceptible to multiple vulnerabilities.
Andariel, also recognized by aliases such as Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group that has served North Korea’s strategic objectives since at least 2008.
Operating as a sub-cluster of the well-known Lazarus Group, the adversary is notorious for using tactics such as spear-phishing, watering hole attacks, and the exploitation of software vulnerabilities to gain initial access and propagate malware within targeted networks.
Although ASEC did not provide a detailed breakdown of the malware deployment process, it did mention the use of the Nestdoor malware variant, known for its remote command execution capabilities, file upload/download functions, reverse shell activation, clipboard and keystroke data capture, and proxy server functionality.
Another new backdoor named Dora RAT, detected in the attacks, is described as a “basic malware strain” supporting reverse shell features and file transfer capabilities.
“The attacker went to the extent of signing and circulating the [Dora RAT] malware with a legitimate certificate,” ASEC remarked. “Several instances of the Dora RAT variants deployed during the attack were verified to have been signed with a valid certificate from a software developer based in the United Kingdom.”
Alongside the Dora RAT, other malware payloads found in the attacks include a keylogger that gets installed through a streamlined Nestdoor variant, an information stealer specialized in data extraction, and a SOCKS5 proxy with similarities to a proxy tool employed by the Lazarus Group in the previous ThreatNeedle campaign in 2021.
“The Andariel group is among the most active threat actors in South Korea, alongside the Kimsuky and Lazarus groups,” noted ASEC. “While their initial focus was on acquiring intelligence related to national security, they have now expanded their attacks to include financially motivated objectives.”