North Korean Threat Actor Deploys New Golang-Based Backdoor Targeting South Korean Sectors
Recent reports indicate that the North Korea-affiliated threat actor known as Andariel has introduced a new backdoor, identified as Dora RAT, into their cyberattack arsenal. This malware has been employed in attacks that primarily target educational institutions, manufacturing companies, and construction firms throughout South Korea.
AhnLab Security Intelligence Center (ASEC) detailed that the attacks utilized a combination of advanced tools, including keyloggers, information stealers, and proxy applications, in conjunction with the backdoor. According to ASEC, "These malware variants were used to gain control and exfiltrate sensitive data from compromised systems." The reported tactics indicate a sophisticated approach typically associated with advanced persistent threat (APT) groups.
The vulnerability exploited during these attacks arose from the use of an outdated version of Apache Tomcat, specifically the 2013 variant, which presents several security weaknesses. ASEC highlighted that this vulnerable server was instrumental in distributing the malware.
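A practical first step for defenders reading this is to inventory which Tomcat build each server is actually running, since an end-of-life build is the weak point the article identifies. The script below is an added example and not code from ASEC or the article: it reads the version that Tomcat records in `catalina.jar` (`org/apache/catalina/util/ServerInfo.properties`, key `server.number`) and flags builds below a policy threshold. The threshold `MIN_SUPPORTED` and the sample jars are assumptions constructed for the example; the sample version numbers do not come from the report.

```python
import io
import re
import zipfile

# Assumed policy threshold for this example (not stated in the article): anything
# below this is reported as outdated. Adjust to your own patch baseline.
MIN_SUPPORTED = (9, 0, 0)

# Real path inside catalina.jar where Tomcat stores its build information.
SERVER_INFO_PATH = "org/apache/catalina/util/ServerInfo.properties"


def parse_version(server_number: str) -> tuple:
    """Turn a string such as '7.0.42.0' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", server_number)][:3]
    return tuple(parts) + (0,) * (3 - len(parts))


def tomcat_version_from_jar(jar_bytes: bytes):
    """Extract the Tomcat version from catalina.jar contents; None if the file is absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if SERVER_INFO_PATH not in jar.namelist():
            return None
        text = jar.read(SERVER_INFO_PATH).decode("utf-8", errors="replace")
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("server.number="):
            return parse_version(line.split("=", 1)[1].strip())
    return None


def is_outdated(version, minimum=MIN_SUPPORTED) -> bool:
    """True when a version was found and it is below the policy threshold."""
    return version is not None and version < minimum


def build_sample_jar(server_number: str) -> bytes:
    """Constructed test input: a minimal zip that mimics catalina.jar's ServerInfo.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            SERVER_INFO_PATH,
            f"server.info=Apache Tomcat/{server_number}\n"
            f"server.number={server_number}\n"
            "server.built=constructed\n",
        )
    return buf.getvalue()


def assess_jar(jar_bytes: bytes) -> dict:
    """Summarise one jar: version tuple (or None) and whether it needs patching."""
    version = tomcat_version_from_jar(jar_bytes)
    return {"version": version, "outdated": is_outdated(version)}


if __name__ == "__main__":
    # Constructed samples: one old build, one current build, one jar with no version info.
    for label, jar in [
        ("old-build", build_sample_jar("7.0.42.0")),
        ("current-build", build_sample_jar("9.0.50.0")),
    ]:
        print(label, assess_jar(jar))
```

On a real host, read `catalina.jar` from `$CATALINA_HOME/lib/` and pass its bytes to `assess_jar`; run it from configuration management across the fleet so that the result feeds an inventory rather than a one-off check.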
Andariel, operating under various aliases such as Nickel Hyatt and Silent Chollima, has been active in supporting North Korean strategic initiatives since at least 2008. As a sub-group of the notorious Lazarus Group, Andariel is known for employing tactics such as spear-phishing and exploiting known software vulnerabilities to gain initial access before proliferating malware to targeted networks.
While ASEC did not provide exhaustive details on the specific attack chain, they noted the involvement of a variant of the Nestdoor malware. Nestdoor allows the adversary to issue commands from a remote server, facilitating file transfers, activating reverse shells, capturing clipboard data, and logging keystrokes.
Dora RAT, described as a "simple malware strain," adds another layer of complexity, featuring functionalities for reverse shell and file transfer operations. ASEC reported that some variants of Dora RAT were distributed with a valid certificate obtained from a UK software developer, suggesting an effort to bypass detection mechanisms typically employed against malware.
The attacks also included a dedicated keylogger, deployed through a minimal version of the Nestdoor malware, alongside an information-stealing tool. Furthermore, a SOCKS5 proxy used in the attack shares characteristics with a similar tool previously identified in a 2021 campaign by the Lazarus Group.
ASEC’s analysis categorizes Andariel as one of the most active cyber threat groups in Korea, rivaling other groups like Kimsuky and Lazarus. Initially focused on gathering intelligence tied to national security, Andariel’s motives have now also expanded to include financial gain.
In parallel with these developments, ASEC has reported ongoing intrusions targeting South Korean defense and semiconductor sectors involving a different malware, SmallTiger. Some of these incidents have connected SmallTiger to the introduction of DurianBeacon, another Golang-based backdoor previously linked to Andariel.
In summary, the activities attributed to Andariel represent a significant threat to South Korean entities, utilizing advanced techniques that map to the MITRE ATT&CK framework, including initial access through exploitation of vulnerabilities, persistence through malware deployment, and data exfiltration. As such, vigilant cybersecurity practices remain critical for organizations operating within this threat landscape.