July 5, 2024
Severity
High
Analysis Summary
In May 2024, researchers discovered a compromised update server of an unnamed South Korean ERP vendor distributing a Go-based backdoor named Xctdoor.
Although the report said that the researchers did not attribute the attack to a specific threat actor, the tactics bore similarities to those of Andariel, a sub-group within the notorious Lazarus Group. This mirrors a previous incident in 2017 in which the North Korean adversary used the same ERP solution to distribute malware by embedding malicious routines into a software update program.
The recent compromise involved tampering with an executable to execute a DLL file via the regsvr32.exe process instead of launching a downloader. The DLL file, Xctdoor, can steal system information such as keystrokes, screenshots, and clipboard content and can execute commands from the threat actor. Xctdoor communicates with its command-and-control server using the HTTP protocol and employs the Mersenne Twister (MT19937) algorithm and Base64 for packet encryption. Another malware, XcLoader, was used to inject Xctdoor into legitimate processes like "explorer.exe."
Since at least March 2024, poorly secured web servers have been compromised to install XcLoader, demonstrating the attackers' evolving tactics. Meanwhile, another North Korea-linked threat actor known as Kimsuky has been using a backdoor named HappyDoor since July 2021. HappyDoor is distributed through spear-phishing emails containing obfuscated JavaScript or droppers that execute alongside decoy files. This DLL file, executed via regsvr32.exe, can communicate with remote servers over HTTP, facilitating data theft, file uploads/downloads, and self-updates.
Additionally, the Konni cyber espionage group (aka Opal Sleet or TA406) has been conducting extensive malware distribution campaigns targeting South Korea. These campaigns use phishing lures impersonating the national tax service to deliver malware designed to steal sensitive information. Security researchers highlighted these ongoing efforts, underscoring the persistent and evolving threat posed by North Korean cyber adversaries.
Impact
- Sensitive Data Theft
- Unauthorized Access
- Cyber Espionage
Indicators of Compromise
Domain Name
- beebeep.info
- jikji.pe.kr
IP
- 195.50.242.110
URL
- http://www.jikji.pe.kr/xe/files/attach/binaries/102/663/image.gif
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement strict access controls and regularly update security protocols for servers and network infrastructure.
- Ensure all software, including ERP solutions, is regularly updated with the latest security patches.
- Conduct thorough security audits and vulnerability assessments on critical systems.
- Use robust encryption methods for data transmission and storage.
- Employ multi-factor authentication (MFA) to secure access to sensitive systems and data.
- Monitor network traffic for unusual activities or signs of compromise.
- Isolate compromised systems immediately and conduct a thorough forensic investigation.
- Regularly back up critical data and verify the integrity of backup systems.
- Use endpoint detection and response (EDR) solutions to detect and mitigate threats in real time.
- Implement a comprehensive incident response plan and conduct regular drills.
- Restrict the use of regsvr32.exe to only trusted scripts and applications.
- Secure web servers by regularly updating software, using strong passwords, and implementing firewalls.
- Deploy intrusion detection and prevention systems (IDPS) to detect and block malicious activities.