South Korean ERP Vendor's Server Hacked to Spread Xctdoor Malware


An undisclosed South Korean enterprise resource planning (ERP) vendor's product update server has been found to have been compromised and used to deploy a Go-based backdoor nicknamed Xctdoor.

The AhnLab Security Intelligence Center (ASEC), which spotted the attack in May 2024, did not attribute it to a known threat actor or group, but noted that the techniques overlap with those of Andariel, a sub-cluster of the Lazarus Group.

The parallels stem from the North Korean adversary's earlier abuse of the same ERP solution in 2017 to distribute malware such as HotCroissant (which is identical to Rifdoor) by embedding malicious code into a software update tool.

In the incident investigated by ASEC, the same update executable is reported to have been tampered with so that, instead of launching a downloader, it runs a DLL file from a specific path using the regsvr32.exe process.

The DLL file, Xctdoor, is capable of harvesting system information, including keystrokes, screenshots, and clipboard contents, and of executing commands issued by the threat actor.

"Xctdoor communicates with the [command-and-control] server using the HTTP protocol, while the packet encryption employs the Mersenne Twister (MT19937) algorithm and the Base64 algorithm," ASEC said.

Also employed in the attack is a malware named XcLoader, an injector responsible for injecting Xctdoor into legitimate processes (e.g., "explorer.exe").

ASEC said it also observed cases in which poorly secured web servers had been compromised to install XcLoader since at least March 2024.

The finding comes as another North Korea-linked threat actor, known as Kimsuky, has been observed using a previously undocumented backdoor dubbed HappyDoor that has been in use as far back as July 2021.

Attack chains distributing the malware begin with spear-phishing emails carrying a compressed archive, which contains an obfuscated JavaScript file or dropper that, when launched, creates and executes HappyDoor alongside a decoy document.

HappyDoor, a DLL file run via regsvr32.exe, is equipped to communicate with a remote server over HTTP, facilitate information theft, download and upload data, and update and terminate itself.

The disclosure also follows a "massive" malware distribution campaign orchestrated by the Konni cyber espionage group (aka Opal Sleet, Osmium, or TA406) targeting South Korea with phishing lures impersonating the national tax service to deliver malware capable of stealing sensitive information, security researcher Idan Tarab said.
