Published on June 10th, 2024
The infamous North Korean hacking group, Andariel, is back in the news.
This time, they’ve set their sights on South Korean institutions, including educational institutes, manufacturers, and construction firms.
Their weapon of choice? A brand new, custom-made malware strain dubbed Dora RAT.
Security researchers at AhnLab Security Intelligence Center (ASEC) discovered Andariel’s latest campaign.
The attack utilizes a multi-pronged approach, with Dora RAT acting as the centerpiece.
This Golang-based backdoor grants attackers remote access to compromised systems, allowing them to steal sensitive data and potentially wreak havoc on internal networks.
Emergence Of Dora RAT In Andariel’s Attacks
The South Korean cybersecurity firm AhnLab Security Intelligence Center (ASEC) recently reported that the North Korea-linked threat actor Andariel has introduced a new Golang-based backdoor named Dora RAT in its campaigns.
These attacks primarily target educational institutions, manufacturing firms, and construction businesses across South Korea.
Modus Operandi Of The Attacks
AhnLab’s report highlights the utilization of keyloggers, infostealers, and proxy tools alongside the Dora RAT backdoor.
These malicious tools enable the threat actor to control compromised systems and pilfer sensitive data effectively.
Exploiting Vulnerabilities With Apache Tomcat
Andariel leverages a vulnerable Apache Tomcat server to propagate the malware.
The specific server identified in these attacks ran an outdated 2013 version of Apache Tomcat, rendering it susceptible to various known vulnerabilities exploited by the threat actor.
Andariel: An Established Threat Actor
Operating since at least 2008, Andariel, also known as Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group affiliated with North Korea’s strategic interests.
As a sub-cluster of the Lazarus Group, Andariel employs diverse tactics such as spear-phishing and watering hole attacks to infiltrate targeted networks.
Malware Arsenal And Tactics
While AhnLab didn’t provide extensive details on the attack chain, it identified the deployment of a variant of Nestdoor, a previously known malware.
This variant possesses capabilities like remote command execution, file manipulation, and keystroke logging.
Additionally, the attacks introduced the Dora RAT backdoor, a newly discovered threat with basic functionalities for facilitating reverse shell connections and file transfers.
Sophisticated Signature And Malware Delivery
A notable aspect of these attacks is the use of a valid certificate to sign and distribute the Dora RAT malware.
Some variants of Dora RAT were confirmed to be signed with certificates from a reputable United Kingdom software developer.
Furthermore, the attacks incorporate a variety of malware strains, including a keylogger deployed through a lightweight Nestdoor variant and a SOCKS5 proxy tool with similarities to Lazarus Group’s previous campaigns.
Active Threat Landscape In Korea
ASEC underscores Andariel’s prominence among other active threat groups in South Korea, such as Kimsuky and Lazarus.
Initially focused on acquiring information related to national security, Andariel has expanded its objectives to include financial gain.
Ongoing Threats And Strategic Targets
In addition to the Dora RAT-related attacks, ASEC disclosed separate incidents targeting South Korean defense and semiconductor manufacturing entities.
These intrusions involve the use of a malware named SmallTiger, associated with Andariel, to deliver another Golang backdoor known as DurianBeacon.
By raising awareness about these evolving threats, ASEC aims to empower organizations to enhance their cybersecurity posture and mitigate the risks posed by sophisticated threat actors like Andariel.
Golang’s Rise In Malware Development
Golang (Go) is increasingly favored by cybercriminals for malware creation. Here’s why:
- Cross-Platform Compatibility: Golang code can be compiled to run on Windows, macOS, and Linux without major modifications. This saves attackers time and effort, allowing them to target a wider range of systems with a single codebase.
- Simplicity and Readability: Golang is known for its clean syntax and ease of use. This can make it easier for even less experienced programmers to write malware compared to some other languages.
- Powerful Features: Golang offers features like concurrency and garbage collection that can be leveraged for complex malware functionalities.
- Potential to Bypass Detection: Golang malware can be compiled into static binaries, making it harder for traditional antivirus software to identify them based on byte-pattern signatures.
Challenges of Defending Against Golang Malware:
- Newer Threat: Compared to languages like C++, Golang is a relatively new player in the malware scene. Security researchers and antivirus solutions are still catching up to the specific nuances of Golang-based malware.
- Static Binaries: As mentioned earlier, static binaries can evade signature-based detection. This makes it crucial for security solutions to rely on behavioral analysis and other techniques to identify malicious activity.
- Increased Complexity: The growing popularity of Golang means attackers are likely to develop more sophisticated malware with this language. This requires continued improvement and adaptation of defense mechanisms.
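One practical consequence of the static-binary point above is that a defender triaging an unknown executable wants a cheap way to recognise a Go build before committing it to behavioural analysis. The helper below is an added example for this article, not code from ASEC or from any Dora RAT sample; it looks for the structural markers that the Go toolchain leaves in every binary regardless of what the program does: the `debug/buildinfo` header (`\xff Go buildinf:`), the build-ID marker (`\xff Go build ID: "`), and a few runtime symbol names. The marker layouts follow Go's own `debug/buildinfo` and `cmd/internal/buildid` packages; the sample bytes, the version string `go1.21.5`, the build ID `abc/def` and the two-symbol threshold are constructed for the demonstration.

```python
"""Triage helper: recognise Go-compiled binaries by their build metadata.

Statically linked Go binaries seldom match byte signatures written for
C/C++ tooling, but the Go linker embeds markers that are stable across
programs. Flagging them gives a cheap first filter before behavioural
analysis; it does not replace that analysis.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Header written by the Go linker and read by debug/buildinfo (Go 1.13+).
BUILDINFO_MAGIC = b"\xff Go buildinf:"
# Marker emitted by cmd/internal/buildid around the build ID string.
BUILD_ID_PREFIX = b"\xff Go build ID: \""
BUILD_ID_SUFFIX = b"\"\n \xff"
# Runtime symbol names that survive in stripped binaries.
RUNTIME_SYMBOLS = (b"runtime.main", b"runtime.gopanic", b"runtime.newproc")
# Assumed threshold: two or more runtime names is treated as a Go build.
RUNTIME_HIT_THRESHOLD = 2


@dataclass
class GoTriage:
    is_go: bool
    version: Optional[str]
    build_id: Optional[str]
    runtime_hits: int


def _read_uvarint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a little-endian base-128 varint, as Go's binary.Uvarint does."""
    result = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if b < 0x80:
            return result, pos
        shift += 7


def _read_string(buf: bytes, pos: int) -> Tuple[str, int]:
    """Length-prefixed string as stored in the Go 1.18+ buildinfo blob."""
    n, pos = _read_uvarint(buf, pos)
    return buf[pos:pos + n].decode("utf-8", "replace"), pos + n


def go_version(data: bytes) -> Optional[str]:
    """Return the Go toolchain version embedded in the buildinfo header, if any."""
    off = data.find(BUILDINFO_MAGIC)
    if off < 0 or len(data) < off + 32:
        return None
    flags = data[off + 15]            # byte 14 is pointer size, byte 15 flags
    if flags & 0x2 == 0:
        return None                   # pre-1.18 layout stores pointers, not inline strings
    try:
        vers, _ = _read_string(data, off + 32)
    except IndexError:
        return None
    return vers or None


def go_build_id(data: bytes) -> Optional[str]:
    """Return the linker build ID between the marker prefix and suffix, if present."""
    off = data.find(BUILD_ID_PREFIX)
    if off < 0:
        return None
    start = off + len(BUILD_ID_PREFIX)
    end = data.find(BUILD_ID_SUFFIX, start)
    if end < 0:
        return None
    return data[start:end].decode("ascii", "replace")


def triage(data: bytes) -> GoTriage:
    """Combine the three markers into a single Go/not-Go verdict."""
    version = go_version(data)
    build_id = go_build_id(data)
    hits = sum(1 for s in RUNTIME_SYMBOLS if s in data)
    is_go = version is not None or build_id is not None or hits >= RUNTIME_HIT_THRESHOLD
    return GoTriage(is_go, version, build_id, hits)


def build_sample_go_binary() -> bytes:
    """Constructed stand-in for a Go PE image: only the markers, no real code."""
    header = BUILDINFO_MAGIC + b"\x08" + b"\x02"          # ptrsize 8, inline strings
    header += b"\x00" * (32 - len(header))
    vers = b"go1.21.5"                                   # constructed version
    blob = header + bytes([len(vers)]) + vers + b"\x00"  # version, empty modinfo
    build_id = BUILD_ID_PREFIX + b"abc/def" + BUILD_ID_SUFFIX
    return (b"MZ" + b"\x00" * 16 + blob + b"\x00" * 8 + build_id
            + b"runtime.main\x00runtime.gopanic\x00")


SAMPLE_NOT_GO = b"MZ" + b"\x00" * 64 + b"msvcrt.dll\x00printf\x00"

if __name__ == "__main__":
    print(triage(build_sample_go_binary()))
    print(triage(SAMPLE_NOT_GO))
```

Run against a real file with `triage(open(path, "rb").read())`. A hit only says "built with Go", which is also true of plenty of legitimate software, so the result is a routing decision (send to sandbox or behavioural tooling) rather than a verdict.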
Advanced Persistent Threats (APTs) Explained
An Advanced Persistent Threat (APT) is a sophisticated cyber attack campaign carried out by highly skilled attackers, often backed by nation-states or well-funded organizations.
These attacks target specific organizations for an extended period, aiming to steal sensitive data, disrupt operations, or achieve other malicious goals.
Here are some key characteristics of APTs:
- Advanced Techniques: APTs employ a variety of techniques to infiltrate networks, bypass traditional security measures, and maintain persistence. These may include social engineering, zero-day exploits, custom malware, and advanced tools for reconnaissance and privilege escalation.
- Long-Term Presence: Unlike traditional cyberattacks that aim for a quick “smash and grab,” APTs establish a foothold within a network and remain undetected for months or even years. This allows them to gather extensive intelligence and exfiltrate large amounts of data.
- Targeted Attacks: APTs are highly targeted, meaning they meticulously research their victims and tailor their attacks to specific vulnerabilities and objectives. This makes them more difficult to detect and prevent.
Here are some of the common motivations behind APT attacks:
- Espionage: Stealing intellectual property, government secrets, or other sensitive information is a primary goal for many APTs.
- Disruption: Some APTs aim to disrupt critical infrastructure or operations, causing economic damage or creating chaos.
- Financial Gain: While less common, some APTs target organizations for financial gain, using stolen data or deploying ransomware.
Here’s how organizations can defend against APTs:
- Security Awareness Training: Educating employees about social engineering tactics and phishing attempts is crucial to prevent attackers from gaining a foothold.
- Multi-Layered Security: Implementing a layered security approach that combines firewalls, intrusion detection systems, endpoint protection, and data encryption helps to mitigate various attack vectors.
- Vulnerability Management: Regularly patching vulnerabilities in software and operating systems is essential to close potential entry points for attackers.
- Threat Intelligence: Staying informed about current APT tactics and techniques allows organizations to adjust their defenses proactively.
- Incident Response Planning: Having a well-defined incident response plan helps organizations react swiftly and effectively if an APT attack occurs.