A South Korean enterprise resource planning (ERP) vendor’s update server was compromised to distribute a Go-based backdoor named Xctdoor.
Discovered by AhnLab Security Intelligence Center (ASEC) in May 2024, the attack hasn’t been attributed to any specific threat actor or group. However, ASEC noted similarities with tactics used by Andariel, a sub-group of the notorious Lazarus Group.
The connection traces back to North Korean actors who previously exploited ERP software to deploy malware such as HotCroissant (similar to Rifdoor) in 2017 by embedding malicious code into update processes.
In this recent incident analyzed by ASEC, the compromised executable was altered to execute a DLL file via regsvr32.exe instead of a standard downloader. This DLL file, Xctdoor, is capable of collecting system information, intercepting keystrokes, capturing screenshots, and executing commands directed by the attacker.
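The regsvr32.exe-loads-a-DLL pattern described above is something a defender can hunt for in endpoint telemetry. The following is an added illustration, not code from ASEC or from the report: it parses constructed Sysmon-style process-creation events (the `ExampleERP` paths, the `helper.dll` name and the field layout are all assumptions) and flags regsvr32.exe invocations where both the registered DLL and the parent process sit outside the Windows system directories, which is what a trojanized update binary registering a dropped DLL would look like.

```python
import re

# Directories where DLLs registered by regsvr32 normally live (trailing
# backslash so that "C:\Windows\System32Evil" does not match).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon-style process-creation events; not real telemetry.
# Field layout "Key=Value | Key=Value" is an assumption for this example.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\regsvr32.exe | '
    'CommandLine=regsvr32.exe /s "C:\\Program Files\\ExampleERP\\update\\helper.dll" | '
    'ParentImage=C:\\Program Files\\ExampleERP\\ERPUpdate.exe',
    'Image=C:\\Windows\\System32\\regsvr32.exe | '
    'CommandLine=regsvr32.exe /s C:\\Windows\\System32\\scrrun.dll | '
    'ParentImage=C:\\Windows\\System32\\msiexec.exe',
    'Image=C:\\Windows\\System32\\notepad.exe | '
    'CommandLine=notepad.exe report.txt | '
    'ParentImage=C:\\Windows\\explorer.exe',
]


def parse_event(line):
    """Split one 'Key=Value | Key=Value' event line into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


# Tokenizer that keeps quoted Windows paths (with spaces) as one token.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def dll_argument(command_line):
    """Return the first .dll/.ocx path on a regsvr32 command line, unquoted."""
    for quoted, bare in _TOKEN.findall(command_line):
        token = quoted or bare
        if token.lower().endswith((".dll", ".ocx")):
            return token
    return None


def is_suspicious(event):
    """True when regsvr32 registers a DLL that, together with its parent
    process, lies outside the Windows system directories."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\regsvr32.exe"):
        return False
    dll = dll_argument(event.get("CommandLine", ""))
    if dll is None:
        return False
    dll_outside_system = not dll.lower().startswith(SYSTEM_DIRS)
    parent = event.get("ParentImage", "").lower()
    parent_outside_system = not parent.startswith(SYSTEM_DIRS)
    return dll_outside_system and parent_outside_system


def find_suspicious(lines):
    """Run the heuristic over raw event lines and return the hits."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious(event):
            hits.append({"parent": event["ParentImage"],
                         "dll": dll_argument(event["CommandLine"])})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"regsvr32 DLL load outside system dirs: {hit['parent']} -> {hit['dll']}")
```

Legitimate installers also register their own DLLs from Program Files, so this rule is a triage signal rather than a verdict: pair it with an allow-list of known updaters and with the file hash or signer of the DLL before alerting.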
“Xctdoor communicates with the command-and-control server using HTTP, with packet encryption employing the Mersenne Twister (MT19937) and Base64 algorithms,” according to ASEC.
The attack also involved a malware named XcLoader, which injects Xctdoor into legitimate processes like “explorer.exe.” ASEC has identified instances since March 2024 where poorly secured web servers were compromised to deploy XcLoader.
Meanwhile, another North Korean-linked threat actor known as Kimsuky has been observed using a previously undisclosed backdoor called HappyDoor since July 2021. This malware, distributed via spear-phishing emails containing obfuscated JavaScript or droppers, communicates over HTTP using regsvr32.exe to facilitate data theft, file transfer, and self-update or termination.
Idan Tarab, a security researcher, highlighted a significant malware distribution campaign by the Konni cyber espionage group (also known as Opal Sleet, Osmium, or TA406), targeting South Korea with phishing emails impersonating the national tax service to deliver malware designed to steal sensitive information.