The North Korea-linked threat actor known as Andariel has been observed deploying a new Golang-based backdoor named Dora RAT in attacks targeting educational institutions, manufacturing organizations, and construction businesses in South Korea.
"Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks," the AhnLab Security Intelligence Center (ASEC) said in a report released last week. "The threat actor probably used these malware strains to control and steal data from the infected systems."
The attacks are characterized by the use of a vulnerable Apache Tomcat server to distribute the malware, the South Korean cybersecurity company noted, adding that the system in question was running a 2013 version of Apache Tomcat, leaving it exposed to a number of known vulnerabilities.
Andariel, also tracked under the names Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group that has operated in support of North Korea's strategic goals since at least 2008.
A sub-cluster within the notorious Lazarus Group, the adversary has a track record of using spear-phishing, watering hole attacks, and known security flaws in software to gain initial access and deliver malware to targeted networks.
ASEC did not elaborate on the attack chain used for malware deployment, but it noted the use of a variant of a known malware called Nestdoor, which comes with capabilities to receive and execute commands from a remote server, upload/download files, launch a reverse shell, capture clipboard data and keystrokes, and act as a proxy.
Also used in the attacks is a previously undocumented backdoor named Dora RAT, which has been described as a "simple malware strain" that supports a reverse shell and file download/upload.
"The attacker has also signed and distributed [the Dora RAT] malware using a valid certificate," ASEC observed. "Some of the Dora RAT strains used for the attack were confirmed to be signed with a valid certificate from a United Kingdom software developer."
Some of the other malware strains deployed in the attacks include a keylogger dropped via a lightweight Nestdoor variant, a custom information stealer, and a SOCKS5 proxy that shows overlaps with a similar proxy tool used by the Lazarus Group in the 2021 ThreatNeedle campaign.
"The Andariel group is one of the threat groups that are highly active in Korea, alongside the Kimsuky and Lazarus groups," ASEC added. "The group initially launched attacks to acquire information related to national security, but now they have also been attacking for financial gain."
The disclosure comes as ASEC also uncovered attacks targeting South Korean defense contractors and semiconductor manufacturers using a malware strain dubbed SmallTiger since at least November 2023. Some of these intrusions have been observed using SmallTiger to deliver a known Golang backdoor called DurianBeacon, which has previously been linked to Andariel.