Xctdoor Malware: Andariel Targets Korean Companies

ASEC reports that Andariel-linked actors targeted a Korean ERP update mechanism and related web servers to spread the Xctdoor backdoor and the XcLoader injector, affecting the defense and manufacturing sectors. The operation reused techniques from past campaigns (ERP update tampering and Go- and C-language injectors) and relied on Go-based XcLoader to inject Xctdoor, with Ngrok observed for setting up remote access. #Andariel #Xctdoor #XcLoader #HotCroissant #Rifdoor #Lazarus #Kimsuky #Ngrok

Key points

  • Andariel-linked activity mirrors historical Rifdoor/HotCroissant campaigns and targets Korean defense and manufacturing sectors.
  • Past case (2017): malware inserted into ERP updater (ClientUpdater.exe) to propagate via the ERP update server.
  • Recent ERP case (May 2024): a DLL is loaded via Regsvr32 to deploy Xctdoor, replacing downloader-only tactics.
  • Xctdoor is a backdoor that gathers system info, can execute commands, and supports screenshot, keylogging, clipboard logging, and drive-info exfiltration.
  • XcLoader acts as an injector (Go and C variants observed) that loads roaming.dat into explorer.exe and related processes.
  • Web server attacks (March 2024) exploited Windows IIS 8.5 to install XcLoader and potentially deploy web shells for command execution.

MITRE Techniques

  • [T1117] Regsvr32 – Used to load a DLL from a specific path via Regsvr32.exe; “a routine was simply inserted to execute a DLL from a specific path using the Regsvr32.exe process.”
  • [T1055] Process Injection – Xctdoor injects into processes such as ‘taskhost.exe’, ‘taskhostex.exe’, ‘taskhostw.exe’, and ‘explorer.exe’.
  • [T1105] Ingress Tool Transfer – The malware downloads and executes additional payloads from external sources; “downloading and executing additional payloads from an external source.”
  • [T1071.001] Web Protocols – C2 communication uses HTTP; “Xctdoor communicates with the C&C server using the HTTP protocol.”
  • [T1082] System Information Discovery – Backdoor transmits username, computer name, and PID; “transmits basic information such as the username, computer name, and the malware’s PID.”
  • [T1113] Screen Capture – Screen capture is supported by Xctdoor; “screenshot capture” appears among its functions.
  • [T1056] Input Capture – Keylogging capability is present; “keylogging” is listed as an information theft function.
  • [T1115] Clipboard Data – Clipboard logging capability is present; “clipboard logging” is listed as an information theft function.
  • [T1027] Obfuscated Files and Information – Xctdoor’s C2 traffic is encrypted and encoded as part of its packet handling; “packet encryption employs the Mersenne Twister (mt19937) algorithm and the Base64 algorithm.”

Indicators of Compromise

  • [MD5] 235e02eba12286e74e886b6c99e46fb7 – Modified ERP update program – past case (ClientUpdater.exe)
  • [MD5] 396bee51c7485c3a0d3b044a9ceb6487 – HotCroissant – past case (***Kor.exe)
  • [MD5] ab8675b4943bc25a51da66565cfc8ac8 – Modified ERP update program – latest case (ClientUpdater.exe)
  • [MD5] f24627f46ec64cae7a6fa9ee312c43d7 – Modified ERP update program – latest case (ClientUpdater.exe)
  • [File Name] ClientUpdater.exe – Malware inserted into ERP update program to propagate from the update server
  • [File Name] roaming.dat – Payload file that XcLoader injects into target processes
  • [File Name] settings.lock – Injector component used by XcLoader to load roaming.dat
  • [URL] http://www.jikji.pe.kr/xe/files/attach/binaries/102/663/image.gif – Download URL for HotCroissant component
  • [IP] 195.50.242.110:8080 – C2 server address associated with HotCroissant
  • [Domain] beebeep.info/index.php – C2 domain associated with Xctdoor
  • [Software/Tool] Ngrok – Ngrok usage observed in infected systems for remote access (RDP)
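To turn the MITRE techniques and file-name indicators above into something a SOC can run, here is an added detection sketch (not from ASEC or the original post) that checks constructed Sysmon-style events for Regsvr32 loading a DLL from a non-system path, ClientUpdater.exe spawning a loader, remote-thread creation into the Xctdoor target processes, the roaming.dat/settings.lock artifacts and Ngrok execution. The sample paths, the xcloader.exe name and the `tcp 3389` command-line heuristic are assumptions, not indicators from the report.

```python
import re
from collections import namedtuple

# Simplified Sysmon-like event: kind is process_create, create_remote_thread or file_create.
Event = namedtuple("Event", "kind image parent cmdline target")

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
INJECT_TARGETS = {"taskhost.exe", "taskhostex.exe", "taskhostw.exe", "explorer.exe"}  # Xctdoor targets
XCLOADER_FILES = {"roaming.dat", "settings.lock"}  # file names tied to XcLoader in the report

def _base(path):
    return (path or "").lower().rsplit("\\", 1)[-1]

def flag(ev):
    """Return (label, reason) pairs for one event; an empty list means nothing suspicious."""
    hits, name, cmd = [], _base(ev.image), (ev.cmdline or "").lower()
    if ev.kind == "process_create":
        if name == "regsvr32.exe":
            # T1117: regsvr32 asked to load a .dll/.dat from outside the Windows system directories
            m = re.search(r'"?([a-z]:\\[^"\s]+\.(?:dll|dat))"?', cmd)
            if m and not m.group(1).startswith(SYSTEM_DIRS):
                hits.append(("T1117", f"regsvr32 loading {m.group(1)}"))
        if _base(ev.parent) == "clientupdater.exe" and name in {"regsvr32.exe", "rundll32.exe", "cmd.exe"}:
            hits.append(("ERP updater", f"ClientUpdater.exe spawned {name}"))
        if name == "ngrok.exe" or " tcp 3389" in cmd:  # tunnel heuristic (assumption): RDP exposed via ngrok
            hits.append(("Ngrok", "tunnel client execution"))
    elif ev.kind == "create_remote_thread":
        tgt = _base(ev.target)
        if tgt in INJECT_TARGETS and not ev.image.lower().startswith(SYSTEM_DIRS):
            hits.append(("T1055", f"{name} injected into {tgt}"))
    elif ev.kind == "file_create" and _base(ev.target) in XCLOADER_FILES:
        hits.append(("XcLoader artifact", f"{name} wrote {_base(ev.target)}"))
    return hits

def scan(events):
    """Run flag() over a sequence of events and return (event index, hit) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in flag(ev)]

# Constructed sample telemetry; the paths and the xcloader.exe name are placeholders, not IoCs.
SAMPLE_EVENTS = [
    Event("process_create", r"C:\Windows\System32\regsvr32.exe", r"C:\ERP\ClientUpdater.exe",
          r'regsvr32.exe /s "C:\ProgramData\update\core.dll"', None),
    Event("process_create", r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\svchost.exe",
          r"regsvr32.exe /s C:\Windows\System32\foo.dll", None),
    Event("create_remote_thread", r"C:\ProgramData\xcloader.exe", None, None, r"C:\Windows\explorer.exe"),
    Event("file_create", r"C:\Windows\System32\regsvr32.exe", None, None, r"C:\ProgramData\roaming.dat"),
    Event("process_create", r"C:\Users\Public\ngrok.exe", r"C:\Windows\System32\cmd.exe", "ngrok.exe tcp 3389", None),
    Event("create_remote_thread", r"C:\Windows\System32\svchost.exe", None, None, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, (label, why) in scan(SAMPLE_EVENTS):
        print(f"event {idx}: [{label}] {why}")
```

Events 1 and 5 (a system-directory DLL and a system-directory injector) produce no hits, which is the kind of benign activity the non-system-path condition is there to exclude.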

Read more: https://asec.ahnlab.com/en/67558/