AhnLab’s Security Intelligence Center (ASEC) reports Andariel-led APT activity targeting domestic Korean firms across manufacturing, construction, and education, employing backdoors, keyloggers, info stealers, and proxy tools, with Nestdoor and other malware observed. The operation included web-server compromise (Apache Tomcat) to install backdoors/proxies, along with web shells in some cases, and several Go-based backdoors such as Dora RAT, often signed with valid certificates. #Nestdoor #TigerRAT #DoraRAT #Andariel #Lazarus #OpenVPN #Log4Shell #ApacheTomcat #VMwareHorizon
Key points
- Andariel group targeted domestic Korean organizations in manufacturing, construction, and education.
- Attackers used backdoors, keyloggers, infostealers, and proxy tools, with Nestdoor frequently involved.
- Malicious code was delivered via compromised web servers running Apache Tomcat, exploiting vulnerabilities to install backdoors and proxies.
- Nestdoor, Dora RAT, and other malware variants were observed; some components were signed with valid certificates.
- Dora RAT and related tools use process injection and in-memory loading, with reverse-shell/file-ops capabilities.
- Proxy tools (including Lazarus-linked and open-source Socks5 proxies) were a notable component of the toolkit.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attacked a web server running Apache Tomcat; “the attacker attacked the web server and installed backdoors and proxy tools.”
- [T1505.003] Web Shell – Web shells were observed in some cases; “Other cases where the web shell was identified together with the malware were also found.”
- [T1090] Proxy – Attackers used proxy tools to route traffic; “Most of the additional malicious codes installed by the attacker were proxy tools.”
- [T1071.001] Web Protocols (C2 over HTTP/HTTPS) – The malware “communicates with the C&C server.”
- [T1055] Process Injection – Dora RAT is injected into explorer.exe via version.dll; “version.dll decrypts the data included in the internal resources, i.e. Dora RAT, and injects it into the explorer process.”
- [T1116] Code Signing – Malware was “signed with a valid certificate from a German software development company.”
- [T1027] Obfuscated/Compressed Files and Information – Binaries were obfuscated to hinder analysis; “obfuscating the binary to interfere with analysis.”
- [T1053.005] Scheduled Task – Persistence via Task Scheduler; the malware “maintains persistence by registering itself with the task scheduler.”
Indicators of Compromise
- [IP addresses] – C2 communications and attack infrastructure: 45.58.159[.]237:443, 4.246.149[.]227:1443, 209.127.19[.]223:443, and 206.72.205[.]117:443
- [Domains] – Command and control domains: kmobile.bestunif[.]com:443
- [File hashes] – Malware components identified by MD5: 7416ea48102e2715c87edd49ddbd1526, a2aefb7ab6c644aa8eeb482e27b2dbc4, e7fd7f48fbf5635a04e302af50dfb651, 33b2b5b7c830c34c688cf6ced287e5be, 4bc571925a80d4ae4aab1e8900bf753c, 951e9fcd048b919516693b25c13a9ef2, fee610058c417b6c4b3054935b7e2730, afc5a07d6e438880cea63920277ed270, d92a317ef4d60dc491082a2fe6eb7a70, 5df3c3e1f423f1cce5bf75f067d1d05c, 094f9a757c6dbd6030bc6dae3f8feab3, 468c369893d6fc6614d24ea89e149e80, 5e00df548f2dcf7a808f1337f443f3d9
- [File names] – Nestdoor-related: nest.exe, psfile.exe, plus two OpenVPN installer components (openvpnsvc.exe, FirewallAPI.dll)
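Two of the behaviours above are directly detectable from endpoint telemetry: the version.dll side-load into explorer.exe (T1055) and connections to the listed C2 endpoints. The following is an added example, not code from ASEC or the report, that runs both checks over constructed Sysmon-style JSON events; the event field names (EventID, Image, ImageLoaded, DestinationIp, DestinationPort) and the sample hosts and paths are assumptions, while the endpoints come from the IoC list above.

```python
import json

# IoCs quoted from the report summary above (defanged with "[.]" as written there).
C2_ENDPOINTS = {"45.58.159[.]237:443", "4.246.149[.]227:1443",
                "209.127.19[.]223:443", "206.72.205[.]117:443"}
C2_SET = {e.replace("[.]", ".") for e in C2_ENDPOINTS}  # refanged for matching
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def check_image_load(ev):
    """Sysmon-style Event ID 7: flag version.dll loaded into explorer.exe from
    outside the Windows system directories (the Dora RAT side-load pattern)."""
    image = ev.get("Image", "").lower()
    loaded = ev.get("ImageLoaded", "").lower()
    if not image.endswith("\\explorer.exe") or not loaded.endswith("\\version.dll"):
        return None
    if loaded.startswith(SYSTEM_DIRS):
        return None  # the legitimate copy in System32/SysWOW64
    return f"possible version.dll side-load into explorer.exe: {loaded}"

def check_network(ev):
    """Sysmon-style Event ID 3: match ip:port against the C2 list (port matters: 1443)."""
    dest = f"{ev.get('DestinationIp', '')}:{ev.get('DestinationPort', '')}"
    if dest in C2_SET:
        return f"connection to known C2 endpoint {dest} by {ev.get('Image')}"
    return None

CHECKS = {7: check_image_load, 3: check_network}

def scan(lines):
    """Return (record index, finding) pairs for JSON-per-line events."""
    findings = []
    for i, line in enumerate(lines):
        ev = json.loads(line)
        checker = CHECKS.get(ev.get("EventID"))
        hit = checker(ev) if checker else None
        if hit:
            findings.append((i, hit))
    return findings

# Constructed sample events (hypothetical hosts and paths, not from the report).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},          # benign
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\Public\version.dll"},              # side-load
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "4.246.149.227", "DestinationPort": 1443},  # C2 hit
    {"EventID": 3, "Image": r"C:\x\app.exe", "DestinationIp": "8.8.8.8", "DestinationPort": 53},
]
SAMPLE_LOGS = [json.dumps(e) for e in SAMPLE_EVENTS]
```

Call `scan(SAMPLE_LOGS)` to get the two findings (records 1 and 2); the same checks apply unchanged to real Sysmon exports once the field names are mapped.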