Severity
High
Analysis Summary
The newly discovered Golang-based backdoor known as Dora RAT has been used by the North Korea-affiliated threat actor Andariel in its assaults against South Korean educational institutions, manufacturing companies, and construction companies.
“Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks. The threat actor probably used these malware strains to control and steal data from the infected systems,” reads the report.
Andariel is an advanced persistent threat (APT) group that has been active since at least 2008 in support of North Korea's strategic objectives. It is also tracked under the names Nickel Hyatt, Onyx Sleet, and Silent Chollima. The adversary, a sub-cluster of the well-known Lazarus Group, has a history of using spear-phishing, watering hole attacks, and known software vulnerabilities to gain initial access and spread malware across targeted networks.
The researchers said that the attacks are characterized by the malware being distributed through a vulnerable Apache Tomcat server. The system in question was running a 2013 release of Apache Tomcat, which left it exposed to multiple known vulnerabilities. Although the researchers did not detail the attack chain used to deliver the malware, they did note the use of a known malware family, Nestdoor. This variant can upload and download files, launch a reverse shell, capture clipboard data and keystrokes, and function as a proxy.
A previously unreported backdoor known as Dora RAT, described as a basic malware strain with reverse shell and file download/upload functionality, is also used in the attacks. Notably, some of the Dora RAT samples used in the attack were signed with a legitimate code-signing certificate belonging to a software provider in the United Kingdom, allowing the signed binaries to be distributed with a valid signature.
Additional malware distributed in the attacks includes a keylogger installed by a slimmed-down version of Nestdoor, an information-stealing tool, and a SOCKS5 proxy tool that shows similarities to a tool used by the Lazarus Group in the 2021 ThreatNeedle campaign. Along with the Kimsuky and Lazarus groups, Andariel is one of the threat groups most active against Korea. In addition to its original goal of gathering intelligence on matters of national security, the group has also pursued financial gain.
Impact
- Sensitive Data Theft
- Financial Loss
- Keylogging
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement intrusion detection and prevention systems (IDPS) to detect and prevent unusual network activity, system behavior, or similar threats.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.