Andariel Group Using Software Flaws to Target South Korea
Pyongyang Has Deployed Multiple Groups to Attack the South Korean Defense Industry

North Korean cyberespionage actors are weaponizing vulnerabilities in an enterprise resource planning platform and legacy Windows web servers to deploy information-stealing malware into the networks of South Korean defense and manufacturing companies.
Researchers at South Korea's AhnLab Security Intelligence Center said Monday that Andariel Group, an offshoot of the North Korean Lazarus Group, targeted the update server of a South Korean ERP solution to take control of the victim company's systems and also exploited vulnerabilities in version 8.5 of Windows IIS web servers to infect and steal data from South Korean organizations.
In the case of the vulnerable ERP platform, the threat actors probably gained access to the victim company's systems before weaponizing the update server to infect other devices on the corporate network. AhnLab said the hackers used the Regsvr32.exe process on an infected machine to execute malware the firm tracks as Xctdoor, a name derived from strings such as "XctMain" that the threat group left in the malware during development.

The backdoor, built as a DLL and written in Go, injects itself into Windows processes and creates a shortcut file named MicrosoftEdge.lnk in the Startup folder so that it runs again after a reboot. The shortcut then uses the Regsvr32.exe process to execute an injector that AhnLab tracks as XcLoader.
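The persistence described above leaves a concrete artifact: a .lnk file in a Startup folder whose target or arguments invoke regsvr32.exe. The PowerShell below is an added triage check written for this article, not code from AhnLab's report or from the malware; it assumes only the default Windows Startup folder locations and treats any shortcut name as untrusted, since the sample deliberately imitated Microsoft Edge. The DLL path extraction from the shortcut arguments is an assumption about how such a loader is typically invoked.

```powershell
# Added example (not from AhnLab or the article): hunt for Startup-folder
# shortcuts that launch regsvr32.exe or similar living-off-the-land loaders.
# Run as an administrator to read every user profile's Startup folder.

$shell = New-Object -ComObject WScript.Shell

# Per-user Startup folders for every profile (assumed default path layout),
# plus the all-users Startup folder.
$profileRoot = Join-Path $env:SystemDrive 'Users'
$startupFolders = @([Environment]::GetFolderPath('CommonStartup'))
$startupFolders += Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

# Launchers that have no business appearing in a Startup shortcut on most hosts.
$suspiciousLaunchers = 'regsvr32.exe', 'rundll32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe'

$findings = foreach ($folder in ($startupFolders | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    foreach ($lnk in Get-ChildItem -LiteralPath $folder -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        $target = [string]$sc.TargetPath
        $shortcutArgs = [string]$sc.Arguments
        $launcher = [System.IO.Path]::GetFileName($target)

        # Flag a direct launcher target, or a launcher named inside the
        # arguments (e.g. cmd.exe /c regsvr32 ...), case-insensitively.
        $hit = $suspiciousLaunchers | Where-Object {
            $launcher -ieq $_ -or $shortcutArgs -imatch [regex]::Escape($_)
        }
        if (-not $hit) { continue }

        # Assumption: the payload DLL is passed as a path argument; pull the first one.
        $dll = [regex]::Match($shortcutArgs, '(?i)"?([^"\s]+\.dll)"?').Groups[1].Value

        [pscustomobject]@{
            Shortcut  = $lnk.FullName
            Target    = $target
            Arguments = $shortcutArgs
            DllPath   = $dll
            DllExists = if ($dll) { Test-Path -LiteralPath $dll } else { $null }
            LnkSha256 = (Get-FileHash -LiteralPath $lnk.FullName -Algorithm SHA256).Hash
            Created   = $lnk.CreationTime
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    Write-Host 'No Startup shortcuts launching regsvr32-style loaders were found.'
}
```

A hit is a lead, not a verdict: legitimate installers rarely register DLLs from a Startup shortcut, but confirm by checking the DLL's signature and location and by correlating with process-creation telemetry for regsvr32.exe spawned from explorer.exe at logon. Because the shortcut name is attacker-chosen, the check keys on what the shortcut runs rather than what it is called.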
The firm said the Andariel Group also exploited vulnerabilities in decade-old Windows IIS 8.5 web servers to inject an XcLoader variant written in C. That loader ultimately injects the Xctdoor backdoor, which captures system information such as screenshots, keystrokes, clipboard data and drive information and then executes commands issued by the threat actors.
AhnLab's report arrives just weeks after South Korea's National Police Agency said Andariel Group compromised the corporate account of an employee at a domestic company that maintained the server of a defense industry partner. The NPA said the threat group used that privileged access, beginning in October 2022, to inject malicious code into a web server and exfiltrate defense industry data.
The police agency also accused the Lazarus Group, also tracked as Hidden Cobra and linked to Pyongyang's Reconnaissance General Bureau, of hacking into the internal networks of at least six Korean defense companies since November 2022 and using malware to exfiltrate defense industry data to an overseas cloud server.
According to AhnLab, this is not the first time Andariel Group or related North Korean threat groups have exploited software supply chain vulnerabilities to infect organizations and exfiltrate data considered geopolitically significant for the country's authoritarian regime.
Both Lazarus and Andariel have used a backdoor tracked as Rifdoor, also known as HotCroissant, since November 2015 to compromise targeted organizations and steal sensitive corporate data. In 2017, the threat actors compromised a South Korean ERP solution and inserted a malicious routine into its update program to push HotCroissant to systems on the same network.
Security firm Cisco Talos said Lazarus Group also exploited a vulnerability in Zoho's ManageEngine ServiceDesk application tracked as CVE-2022-47966, an unauthenticated remote code execution flaw in the product's SAML single sign-on implementation, to target internet backbone infrastructure and healthcare entities in Europe and the United States (see: Lazarus Group Debuts Tiny Trojan for Espionage Attacks).
Avast Threat Labs also found a campaign, which it tentatively linked to the North Korean hacker group Kimsuky, that abused a weakness in the update mechanism of Indian antivirus vendor eScan, whose updates were fetched over unencrypted HTTP and could be hijacked in transit, to distribute the GuptiMiner malware to infected systems (see: North Korean Hackers Used Antivirus Updates to Spy on Firms).
Rising instances of North Korean cyberattacks exploiting supply chain vulnerabilities in recent days forced South Korea's intelligence agency to summon cybersecurity industry representatives to a meeting that Korea Information Protection Industry Association Chairman Cho Young-chul described as "unusual" because, he said, it is not common for the intelligence service to interact directly with the information security community. He called the meeting "a pleasant surprise."