
Andariel APT Utilizing DoraRAT And Nestdoor Malware for Surveillance of South Korean Businesses


Researchers at the AhnLab Security Intelligence Center (ASEC) have recently discovered new cyber attacks conducted by the Andariel APT group, a North Korean advanced persistent threat actor. The targets of these attacks included Korean corporations, educational institutions, and organizations in the manufacturing and construction sectors. The attackers employed a variety of malware and tools, such as keyloggers, infostealers, and proxy tools, along with backdoors to control and extract data from compromised systems.

One of the key malware strains used in these attacks was Nestdoor, a remote access trojan (RAT) that ASEC has observed since May 2022. The RAT receives commands from its command-and-control server and lets the operators control infected systems remotely. Nestdoor has appeared in earlier Andariel attacks as well, including those that exploited the Log4Shell vulnerability in VMware Horizon servers. The malware is written in C++ and supports file upload and download, a reverse shell, command execution, keylogging, clipboard logging, and proxying.

In addition to Nestdoor, the Andariel APT group keeps developing new malware for each campaign. One recent discovery is Dora RAT, a simpler backdoor that supports a reverse shell and file transfer. It was found in two forms: a standalone executable and a variant injected into a running "explorer.exe" process, so that its activity appears to come from the Windows shell. To look legitimate, the Dora RAT samples were signed with a valid certificate belonging to a UK software developer. A valid signature only proves that the holder of that certificate's private key signed the file; it does not make the publisher trustworthy, so defenders should check who the signer is rather than merely whether the signature verifies.
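Two of the behaviours above, a backdoor injected into explorer.exe and a payload that carries a valid but unfamiliar code signature, are visible in ordinary endpoint telemetry. The following triage script is an added example, not code from the ASEC report or from the malware itself. It walks a list of event records shaped like Sysmon events (Event ID 8 CreateRemoteThread, Event ID 3 NetworkConnect, Event ID 7 ImageLoad) and flags remote threads created in explorer.exe, outbound connections initiated by explorer.exe to non-internal addresses, and validly signed images whose signer is not on a host allowlist. The sample events, the allowlist, and the signer name "Example Software Ltd" are all constructed for illustration and do not describe the real samples.

```python
"""Triage rules for explorer.exe injection and unexpected-but-valid code signers.

Added example. Event dictionaries are constructed to resemble Sysmon field
names; none of the paths, addresses or signer names are from the ASEC report.
"""
import ipaddress

# Publishers expected to sign binaries on this host (hypothetical allowlist).
EXPECTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}

# RFC 1918, loopback and link-local ranges count as internal. Documentation
# addresses (203.0.113.0/24) are deliberately treated as external here so the
# constructed sample can use them as stand-ins for a C2 server.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_internal(ip: str) -> bool:
    """True if ip parses and falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def _is_explorer(path: str) -> bool:
    return path.lower().endswith("\\explorer.exe")


def triage(events):
    """Return a list of (rule, detail, detail) tuples for suspicious events."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 8 and _is_explorer(ev.get("TargetImage", "")):
            # A thread created in explorer.exe from another process. An empty
            # StartModule means the start address is not backed by a loaded
            # module, which is typical of injected code.
            module = ev.get("StartModule") or "<unbacked>"
            findings.append(("remote_thread_into_explorer",
                             ev.get("SourceImage", ""), module))
        elif (eid == 3 and _is_explorer(ev.get("Image", ""))
              and ev.get("Initiated") == "true"
              and not is_internal(ev.get("DestinationIp", ""))):
            # The shell itself rarely opens outbound sessions to the internet;
            # an injected RAT beaconing from explorer.exe does.
            findings.append(("explorer_outbound",
                             ev.get("DestinationIp"), ev.get("DestinationPort")))
        elif (eid == 7 and ev.get("Signed") == "true"
              and ev.get("SignatureStatus") == "Valid"
              and ev.get("Signature") not in EXPECTED_SIGNERS):
            # The signature verifies, but the signer is not one we expect.
            findings.append(("valid_but_unexpected_signer",
                             ev.get("ImageLoaded", ""), ev.get("Signature")))
    return findings


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\update.exe"},
    {"EventID": 8,
     "SourceImage": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x00000000023A0000", "StartModule": ""},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartAddress": "0x00007FF8A1B20000",
     "StartModule": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "Initiated": "true",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 7, "Image": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "Signed": "true", "SignatureStatus": "Valid",
     "Signature": "Example Software Ltd"},  # hypothetical signer name
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid",
     "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Tools\helper.dll", "Signed": "false",
     "SignatureStatus": "Unavailable", "Signature": ""},
]


def run_sample():
    """Run the rules over the constructed events."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

These rules are deliberately narrow starting points: legitimate software (security agents, accessibility tools) also creates threads in explorer.exe, and explorer.exe does reach out for things like network shares and Windows Search, so in production the remote-thread rule should weight an empty StartModule and a source image under a user-writable path, and the allowlist of signers should be built from the organization's own software inventory rather than from a fixed set.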

The attackers also utilized other malware strains, including a keylogger/cliplogger that logs keystrokes and clipboard contents, a stealer designed to exfiltrate files from the system, and custom-created and open-source proxy tools. Some of these proxy tools were similar to those previously used by the Lazarus group in past attacks.

The Andariel APT group, which operates under the larger Lazarus umbrella, originally focused on national security information but has since expanded into financially motivated attacks as well. Espionage has not stopped: recent reports from the South Korean National Police Agency described a targeted campaign by Andariel aimed at stealing the country's defense technology. In that campaign the attackers reached defense industry data by compromising an employee account and planting malicious code on a defense industry partner's servers.

To protect against such attacks, users are advised to be cautious with email attachments from unknown senders and with executable files downloaded from websites. Security administrators should keep operating systems, browsers, and other software patched, with particular attention to internet-facing services such as the VMware Horizon servers that were exploited through Log4Shell, since an unpatched edge service gives the group its initial foothold.

In conclusion, the Andariel APT group continues to pose a significant threat to organizations in South Korea and beyond. By staying vigilant and implementing robust cybersecurity measures, businesses and institutions can better defend against these malicious activities and safeguard their sensitive data and systems.
