New Dora RAT Malware by Andariel Group Targets Educational Institutions in South Korea
An advanced persistent threat (APT) group named Andariel has recently initiated cyber attacks using a novel Golang-based backdoor named Dora RAT to target schools, factories, and construction companies in South Korea.
According to a report issued last week by the AhnLab Security Intelligence Center (ASEC), the threat actor deployed keyloggers, infostealers, and proxy tools alongside the backdoor to control the compromised systems and extract data from them.
According to the South Korean cybersecurity organization, these attacks primarily leverage a vulnerable Apache Tomcat server to disseminate the malware: the targeted system was running a 2013 release of Apache Tomcat, which is susceptible to various known vulnerabilities.
Andariel, alternatively known as Nickel Hyatt, Onyx Sleet, and Silent Chollima, has been aligned with North Korea’s strategic interests since 2008 and is a subdivision of the prominent Lazarus Group. The group is proficient in spear-phishing, watering hole attacks, and exploiting known software vulnerabilities to infiltrate networks and distribute malware.
While ASEC did not provide detailed insights into the mechanism of malware propagation, it did highlight the utilization of a variant of Nestdoor malware, designed to execute commands from a remote server, upload/download files, launch a reverse shell, capture clipboard data and keystrokes, and act as a proxy.
Additionally, a newly identified backdoor named Dora RAT is employed in these attacks; it is categorized as a basic malware strain whose functionality is limited to reverse shell access and file transfer operations.
ASEC pointed out, “The attacker even signed and circulated [the Dora RAT] malware with a legitimate certificate, with specific strains signed using a valid certificate from a British software developer.”
Other malware strains delivered in these attacks include a keylogger installed via a lightweight version of Nestdoor, a specialized information stealer, and a SOCKS5 proxy tool with similarities to a proxy tool linked with the Lazarus Group in the 2021 ThreatNeedle campaign.
ASEC emphasized, “The Andariel group, alongside Kimsuky and Lazarus groups, remains among the most active threat actors in Korea. While they initially focused on acquiring national security-related data, they have now expanded their operations to include financial motives.”