Cyber Security
Business Fortune
03 June, 2024
Andariel, a North Korean threat actor, has recently used the new Dora RAT backdoor, developed with Golang, to target South Korean manufacturing, construction, and educational institutions.
According to a recent study by AhnLab Security Intelligence Center (ASEC), the attacks used various tools like proxy tools, infostealers, keyloggers, and a backdoor. The malware was probably used by the attacker to take control of and steal data from the compromised systems.
The attacks are characterized by the use of a vulnerable Apache Tomcat server to distribute the malware. The South Korean cybersecurity company said the server was running a 2013 version of Apache Tomcat, which left it exposed to many known threats.
Andariel, a group that has been active since 2008 and operates on behalf of North Korea, is a well-known APT that is also tracked as Nickel Hyatt, Onyx Sleet, or Silent Chollima.
The adversary is part of the Lazarus Group, which is known for using spear-phishing, watering hole attacks, and software vulnerabilities to infect targeted networks with malware.
ASEC also mentioned the use of a malware strain called Nestdoor. This malware can upload and download files, capture clipboard data and keystrokes, and act as a proxy. However, ASEC did not provide details about how the malware was delivered or executed in these attacks.
The attacks also use Dora RAT, a previously unreported backdoor that is described as a "simple malware strain" because it supports reverse shells and file uploads and downloads.
The attacks additionally installed other malware, including a keylogger and a proxy tool. These strains were distributed alongside Nestdoor, an information-stealing tool, and a tool similar to one the Lazarus Group used in the 2021 ThreatNeedle campaign.