Article Details

Scrape Timestamp (UTC): 2024-07-02 12:56:03.527

Source: https://www.theregister.com/2024/07/02/korean_erp_backdoor_malware_attack/

Original Article Text


Baddies hijack Korean ERP vendor's update systems to spew malware

Notorious 'Andariel' crew takes a bite of HotCroissant backdoor for fresh attack

A South Korean ERP vendor's product update server has been attacked and used to deliver malware instead of product updates, according to local infosec outfit AhnLab.

A Monday post by AhnLab's Security Intelligence Center (ASEC) didn't name the ERP vendor, but noted the attacker's tactics resemble those used by the North-Korea-linked Andariel group – a subsidiary of the Lazarus Group.

ASEC's researchers wrote that Andariel has form installing backdoors named HotCroissant and Riffdoor, and has been observed targeting ERP systems by altering ClientUpdater.exe so it delivers evil updates.

In the recent incident detected by ASEC, attackers inserted a routine to execute a DLL from a specific path using the Regsvr32.exe process. The Korean researchers named that DLL Xctdoor and rated the malware as "capable of stealing system information and executing commands from the threat actor." They suggested the DLL most likely reached victims through an attack on the ERP vendor's update server.

"Threat actors can control infected systems and exfiltrate information through this malware," noted ASEC.

"The ultimately executed Xctdoor is a backdoor that transmits basic information such as the username, computer name, and the malware's PID to the C&C server and can execute commands received from it," the researchers wrote. "Furthermore, it supports information theft functions such as screenshot capture, keylogging, clipboard logging, and transmitting drive information."

Andariel primarily attacks financial institutions, government entities and defense contractors, often seeking to steal funds or sensitive information, but has also been known to branch out to healthcare and other areas. The latest attacks targeted the defense sector, but came within months of attacks on other industries including manufacturing.
"Users must be particularly cautious against attachments in emails from unknown sources and executable files downloaded from web pages," urged ASEC. "Security administrators must enhance monitoring of asset management programs and apply patches for any security vulnerabilities in the programs."
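The process chain described above (a tampered ClientUpdater.exe spawning Regsvr32.exe to load a DLL from a specific path) is the kind of thing ASEC's closing advice about monitoring asset management programs is aimed at. The following is an added example written for this page, not code from ASEC, AhnLab or the ERP vendor: it classifies process-creation events in which the update client launches regsvr32.exe, flagging DLLs registered from user-writable locations. The directory lists, the event field names and every event record are constructed assumptions and would need adjusting to a real environment's telemetry.

```python
"""Constructed detection logic for the updater -> regsvr32 -> DLL pattern."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: where a legitimately installed update client would keep its DLLs.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)

# Assumption: user-writable staging areas; a DLL registered from here by the
# updater's child process is the strongest signal in this pattern.
SUSPICIOUS_ROOTS = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "c:\\temp\\",
)

# Process names taken from the article; "clientupdater.exe" is the ERP client.
UPDATER_NAME = "\\clientupdater.exe"
REGSVR_NAME = "\\regsvr32.exe"


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names are an assumption)."""
    parent_image: str
    image: str
    command_line: str


# Pulls the first Windows path ending in .dll out of a command line,
# with or without surrounding double quotes.
_DLL_RE = re.compile(r'"?([a-z]:\\[^"]+?\.dll)"?', re.IGNORECASE)


def extract_dll_path(command_line: str) -> Optional[str]:
    """Return the lower-cased DLL path found in the command line, if any."""
    m = _DLL_RE.search(command_line)
    return m.group(1).lower() if m else None


def is_updater_regsvr32_chain(event: ProcessEvent) -> bool:
    """True when the ERP update client is the parent of regsvr32.exe."""
    return (event.parent_image.lower().endswith(UPDATER_NAME)
            and event.image.lower().endswith(REGSVR_NAME))


def classify(event: ProcessEvent) -> str:
    """Return 'alert', 'review' or 'ok' for one process-creation event."""
    if not is_updater_regsvr32_chain(event):
        return "ok"
    dll = extract_dll_path(event.command_line)
    if dll is None:
        # regsvr32 launched by the updater with no recognisable DLL argument:
        # unusual enough to look at, but no path to judge.
        return "review"
    if dll.startswith(SUSPICIOUS_ROOTS):
        return "alert"
    if dll.startswith(TRUSTED_ROOTS):
        # An updater registering a COM DLL from its own install tree can be
        # legitimate; keep it visible without paging anyone.
        return "review"
    return "alert"  # any other root (removable media, network share, ...)


# Constructed sample telemetry; none of these records are real.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("C:\\Windows\\explorer.exe",
                 "C:\\Program Files\\ERP\\ClientUpdater.exe",
                 "ClientUpdater.exe /check"),
    ProcessEvent("C:\\Program Files\\ERP\\ClientUpdater.exe",
                 "C:\\Windows\\System32\\regsvr32.exe",
                 'regsvr32.exe /s "C:\\ProgramData\\ERP\\cache\\update.dll"'),
    ProcessEvent("C:\\Program Files\\ERP\\ClientUpdater.exe",
                 "C:\\Windows\\SysWOW64\\regsvr32.exe",
                 'regsvr32.exe /s "C:\\Program Files\\ERP\\erpcom.dll"'),
    ProcessEvent("C:\\Windows\\System32\\msiexec.exe",
                 "C:\\Windows\\System32\\regsvr32.exe",
                 'regsvr32.exe /s "C:\\Users\\Public\\setup\\helper.dll"'),
]


def triage(events: List[ProcessEvent] = SAMPLE_EVENTS) -> List[Tuple[str, str]]:
    """Classify every event; returns (command_line, verdict) pairs."""
    return [(e.command_line, classify(e)) for e in events]


if __name__ == "__main__":
    for cmd, verdict in triage():
        print(f"{verdict:6}  {cmd}")
```

The fourth sample shows the trade-off in keying on the parent process: regsvr32 loading a DLL from a user-writable path under msiexec.exe is left alone here because the article's pattern is specific to the update client, so a site that wants broader coverage would drop the parent check and accept more review-queue volume.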

Daily Brief Summary

MALWARE // South Korean ERP Vendor's Update System Hacked to Spread Malware

A South Korean ERP vendor's update server was compromised to distribute malicious software.

Security firm AhnLab identified the tactics as similar to those used by the North Korea-linked Andariel group, known for its malware deployment methods.

The malware, named Xctdoor, was installed via modified update files and can steal system information and execute remote commands.

Xctdoor is a backdoor capable of transmitting user and computer identifiers to a command and control server and performing actions like screenshot capture, keylogging, and clipboard logging.

This recent cyber attack primarily targeted the defense sector but follows recent attacks on manufacturing and other industries.

ASEC emphasized the need for heightened vigilance regarding email attachments and downloaded executables, alongside improved monitoring and patching of vulnerabilities in asset management programs.