Andariel Hackers Target South Korean Institutes with New Dora RAT Malware

Summary:
The North Korea-linked threat actor Andariel has been using a new Golang-based backdoor called Dora RAT to target educational institutions, manufacturing firms, and construction businesses in South Korea. The AhnLab Security Intelligence Center (ASEC) reported that Andariel deployed a variety of malware, including keyloggers, infostealers, and proxy tools, to control infected systems and exfiltrate data from them.

The attacks used an outdated Apache Tomcat web server dating from 2013, whose known vulnerabilities were exploited to distribute the malware. Andariel, a sub-cluster within the Lazarus Group, has been active since at least 2008. This advanced persistent threat (APT) group employs tactics such as spear-phishing, watering hole attacks, and the exploitation of software vulnerabilities to gain initial access to targeted networks. ASEC detailed an attack chain involving a variant of the Nestdoor backdoor, which can receive and execute commands from a remote server, upload and download files, launch a reverse shell, capture clipboard data and keystrokes, and act as a proxy that facilitates further network exploitation.

Security Officer Comments:
The newly identified Dora RAT is a simpler malware strain than Nestdoor but still supports reverse shell and file transfer. Notably, some Dora RAT samples were signed with a valid certificate belonging to a UK software developer, which helps them evade detection and signature-based allowlisting. In addition to Dora RAT and Nestdoor, Andariel used other malware, including a keylogger installed via a lightweight Nestdoor variant, a dedicated information stealer, and a SOCKS5 proxy. The proxy tool shows similarities to the one used in the Lazarus Group's 2021 ThreatNeedle campaign, highlighting the tooling shared across the broader group.
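Because the Dora RAT samples carried a valid signature, a signature status of "Valid" on its own should not be treated as a trust decision. The following PowerShell snippet is an added example, not code from the ASEC report or the article: it enumerates executables under a path, reads their Authenticode signer, and reports files that are validly signed but whose publisher is not on a local allowlist. The default path and the allowlist entry are assumptions for illustration; replace them with the publishers your organization actually trusts.

```powershell
# Added example: flag validly signed binaries whose publisher is not allowlisted.
# $Path and $TrustedPublishers are illustrative assumptions, not values from the report.
param(
    [string]$Path = "C:\ProgramData",
    [string[]]$TrustedPublishers = @(
        "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
    )
)

Get-ChildItem -Path $Path -Recurse -Include *.exe,*.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-AuthenticodeSignature returns Status (Valid, NotSigned, HashMismatch, ...)
        # and, for signed files, the signer certificate.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status
            Subject    = $sig.SignerCertificate.Subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
            # A signature is only "allowed" if it verifies AND the publisher is known.
            Allowed    = ($sig.Status -eq 'Valid') -and
                         ($TrustedPublishers -contains $sig.SignerCertificate.Subject)
        }
    } |
    # Keep exactly the case the report describes: a valid signature from an unexpected publisher.
    Where-Object { $_.Status -eq 'Valid' -and -not $_.Allowed } |
    Sort-Object Subject, File |
    Format-Table -AutoSize
```

Files that are unsigned or fail verification are deliberately excluded from this output so the list stays focused on the evasion technique at hand; an unexpected publisher on a valid signature is a lead to pivot on (thumbprint, other files signed by the same certificate), not proof of compromise.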

ASEC noted that Andariel, alongside other North Korean threat groups like Kimsuky and Lazarus, is highly active in South Korea. While Andariel initially focused on obtaining information related to national security, its activities have increasingly aimed at financial gain, reflecting a shift in objectives over time.

IOCs:
https://asec.ahnlab.com/en/66088/

Suggested Corrections:

Organizations can make APT groups’ lives more difficult. Here’s how:

  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies. Because this campaign began with an Apache Tomcat server from 2013, it also means keeping internet-facing software patched and decommissioning versions that no longer receive security updates.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.


Link(s):
https://thehackernews.com/2024/06/andariel-hackers-target-south-korean.html