The North Korea-linked threat actor known as Andariel has been observed deploying a new Golang-based backdoor, dubbed Dora RAT, to target educational institutions, manufacturing firms, and construction businesses in South Korea.
Andariel, also referred to as Nickel Hyatt, Onyx Sleet, and Silent Chollima, has been operating on behalf of North Korea's strategic interests since at least 2008. The group is believed to be a part of the notorious Lazarus hacker group accused of multiple large-scale cyber operations, including cryptocurrency thefts.
According to a report by the AhnLab Security Intelligence Center (ASEC), Andariel's attacks have utilized keylogger, infostealer, and proxy tools alongside the Dora RAT backdoor.
“The threat actor probably used these malware strains to control and steal data from the infected systems,” ASEC said.
The attacks were primarily carried out by exploiting a vulnerable Apache Tomcat server to distribute the malware. The targeted systems were running a 2013 version of Apache Tomcat, which is known to be susceptible to multiple vulnerabilities. ASEC noted that the malware strains used in these attacks have been identified in previous Andariel cases, with the most notable being the Nestdoor backdoor.
Other observed techniques included the addition of web shells and the use of proxy tools reminiscent of those from the Lazarus group, although the files were not identical to those previously seen.
Nestdoor, a RAT malware strain detected since at least May 2022, lets the threat actor control the infected system by executing the commands it receives. The malware has been consistently observed in Andariel's attacks.
The newly documented Dora RAT has been described as a “simple malware strain” capable of supporting reverse shell and file download/upload functionalities.
According to ASEC, the attackers have signed and distributed the Dora RAT malware using a valid certificate from a UK-based software developer.