Analysis of APT attack cases targeting domestic companies using Dora RAT (Andariel Group)

AhnLab SEcurity intelligence Center (ASEC) recently confirmed cases of APT attacks by the Andariel group targeting domestic companies and institutions. The organizations identified as targets of the attack were domestic manufacturing companies, construction companies, and educational institutions, and backdoors as well as keyloggers, infostealers, and proxy tools were used in the attacks. It is believed that the attacker could have used these malicious codes to control the infected system and steal the data existing in the system.

In this attack, malicious codes identified in past attacks by the Andariel group were also confirmed. A representative example is Nestdoor, a backdoor malware that will be discussed below, and there have also been confirmed cases of web shells. In addition, although it is not the same file, the proxy tool identified in past attacks by the Lazarus group was used together.


1. Attack circumstances

Among the various circumstances discovered during the attack, a directly confirmed attack case was one in which malicious code was distributed by attacking a web server running an Apache Tomcat server. Since the system in question was running Apache Tomcat, which was created in 2013, various vulnerability attacks can be used. The attacker attacked the web server and installed backdoors and proxy tools.

Figure 1. Malware installed through Apache Tomcat


2. Malicious code analysis

2.1. Nestdoor

Nestdoor is a RAT malware that has been identified since at least May 2022. It can control an infected system by receiving commands from the attacker, and is continuously confirmed in attack cases by the Andariel group. Here, it is classified by Nestdoor based on the names collected for classification.

In June 2022, the U.S. CISA analyzed and disclosed cases of attacks that install malware by exploiting the Log4Shell vulnerability (CVE-2021-44228) of VMware Horizon products. Among these attack cases, there are malware classified as “Unidentified RAT” and Loader malware that executes it in memory. [1] [2]

Malware classified as “Unidentified RAT” was developed in C++ and can perform malicious actions such as file upload/download, reverse shell, and command execution by receiving commands from the attacker. In addition, it provides various functions such as keylogging, clipboard logging, and proxy, and is characterized by obfuscating the binary to interfere with analysis.

For reference, ASEC also disclosed an attack case in May 2022 in which the Andariel group, known as a subgroup of the Lazarus group, distributed TigerRAT by exploiting the Log4Shell vulnerability of the VMware Horizon product. [3] Additionally, in early 2023, a case was confirmed where Nestdoor was used in an attack together with TigerRAT, and it shared the same C&C server as TigerRAT. In other words, Nestdoor has been used together with TigerRAT in various attacks, including attacks targeting domestic companies and attacks exploiting Log4Shell vulnerabilities.

Although the specific distribution route has not been confirmed, a case of distribution disguised as OpenVPN was confirmed in early 2024. Inside the compressed file, there is malware disguised as an installation file as follows. If you run the “OpenVPN Installer.exe” file, “FirewallAPI.dll”, a launcher malware located in the same path, is loaded and ultimately placed in the “Resource” folder. The existing Nestdoor malware “openvpnsvc.exe” is executed. Nestdoor maintains persistence by registering itself with the task scheduler and communicates with the C&C server.

Figure 2. Malware disguised as OpenVPN

The Nestdoor identified in this attack is similar to the OpenVPN case, but there are differences compared to past types. For example, the command numbers used in the C&C communication process have changed and fewer functions are supported. However, the overall structure, including the obfuscation method and initial routine, is similar. Of course, there is no difference in that it provides the same basic functions such as file operations and reverse shell, allowing an attacker to control the infected system.

Figure 3. Recently confirmed Nestdoor obfuscation routines and reverse shell commands


2.2. Dora RAT

Recently, the Andariel group has been creating and using new backdoor malware for each attack campaign, and most of them use the Go language. The new malware identified this time was also developed in the Go language and was named Dora RAT by the attacker.

Figure 4. Malware developed under the name Dora RAT

Dora RAT is a relatively simple type of malware that supports reverse shell and file download/upload functions. There are two types of Dora RAT: a type that operates as a standalone executable file, and a type that operates by being injected into the explorer, that is, the explorer.exe process.

“spsvc.exe” is an executable file in WinRAR SFX format, and inside it contains the normal program “OneDriverStandaloneUpdate.exe” and the injector malware “version.dll”. When running, if they are installed in the “%APPDATA%” path and “OneDriverStandaloneUpdate.exe” is run, “version.dll” located in the same path is loaded and performs malicious actions. “version.dll” decrypts the data included in the internal resources, i.e. Dora RAT, and injects it into the explorer process.

Figure 5. Dora RAT encrypted and stored in resources

For reference, the attacker also signed and distributed malicious code with a valid certificate. Among the Dora RATs used in the attack, types were identified that were signed with a valid certificate from a German software development company.

Figure 6. Dora RAT signed with a valid certificate


2.3. Other malware

2.3.1. KEYLOGGER / CLIPLOGGER

Dora RAT provides only basic control functions, and Nestdoor, which was confirmed in this attack, also provides only relatively simple functions, unlike past versions. In other words, features such as keylogging or clipboard logging are not supported. Accordingly, the attacker used Nestdoor to additionally install malware responsible for keylogging and clipboard logging.

The malware used in the attack creates a file corresponding to the string received as an argument in the “%TEMP%” path and stores the logged keystrokes and clipboard information.

Figure 7. Key input and clipboard information saved in the Temp path

2.3.2. STEALER

Among the tools installed by attackers, there is also malware that steals files existing in the system. If the quantity or size is small, it may be possible to use previously installed backdoor malware, but considering that it was installed additionally, it is possible that the purpose was to steal a large number of files.

factorexplanation
–protocolProtocol to be used in communication (tcp / udp)
–serverAddress used for hijacking (ip:port format)
-you, – filePath of the file to be hijacked
–thread, –limitperformance limitations

Table 1. Stealer’s factors


2.3.3. PROXY

Most of the additional malicious codes installed by the attacker were proxy tools. Among the proxy tools identified, there are types that appear to have been created directly by the attacker, but open source Socks5 proxy tools were also identified. [4] [5]

What is noteworthy is that a proxy tool confirmed in the Lazarus group’s attack campaign using ThreadNeedle, released by Kaspersky in early 2021, was used. Although it is not the same file, it is the same malicious code in size, routine, and even the string used in the authentication process. For reference, this proxy type, which has the same authentication string, has been continuously used in attacks since at least 2014.

Figure 8. Proxy tool used in attack


3. Conclusion

The Andariel group is one of the threat groups actively targeting Korea, along with the Kimsuky and Lazarus groups. Initially, attacks were carried out primarily to obtain security-related information, but later attacks were also carried out for the purpose of financial gain. [6] Initial infiltration mainly uses spear phishing attacks, watering hole attacks, and software vulnerabilities, and it has also been confirmed that malware is distributed to the internal network by exploiting additional vulnerabilities during the attack process.

Users should be especially careful about attachments to e-mails from unknown sources or executable files downloaded from web pages, and corporate security personnel should patch any vulnerabilities in software used within the company, such as asset management solutions or access control solutions, to the latest version. must be performed. In addition, you must be careful to prevent infection by such malware in advance by updating the latest patches and V3 for programs such as the OS and Internet browser to the latest version.

파일 진단
– Trojan/Win.Injector.C5610655 (2024.04.09.03)
– Trojan/Win.Agent.C5610733 (2024.04.10.00)
– Backdoor/Win.Nestdoor.C5610641 (2024.04.13.00)
– Backdoor/Win.DoraRAT.C5610712 (2024.04.09.03)
– Dropper/Win.Agent.C5610793 (2024.04.10.00)
– Trojan/Win.Injector.C5610655 (2024.04.09.03)
– Dropper/Win.Agent.C5610654 (2024.04.09.03)
– Trojan/Win.KeyLogger.C5610642 (2024.04.09.03)
– Backdoor/Win.Nestdoor.C5622508 (2024.05.16.03)
– Trojan/Win.Launcher.C5622509 (2024.05.16.03)
– Trojan/Win.PWS.C5068848 (2022.04.12.01)

Behavioral Diagnosis
– Malware/MDP.Fraud.M800

IoC
MD5

– 7416ea48102e2715c87edd49ddbd1526 : Nestdoor – Recent attack examples (nest.exe)
– a2aefb7ab6c644aa8eeb482e27b2dbc4 : Nestdoor – TigerRAT attack examples (psfile.exe)
– e7fd7f48fbf5635a04e302af50dfb6 51: Nestdoor – OpenVPN attack case (openvpnsvc.exe)
– 33b2b5b7c830c34c688cf6ced287e5be: Nestdoor Launcher (FirewallAPI.dll )
– 4bc571925a80d4ae4aab1e8900bf753c : Dora RAT Dropper (spsvc.exe)
– 951e9fcd048b919516693b25c13a9ef2 : Dora RAT Dropper (emaupdate.exe)
– fee610058c417b6c4b3054935b7 e2730 : Dora RAT Injector (version.dll)
– afc5a07d6e438880cea63920277ed270 : Dora RAT Injector (version.dll)
– d92a317ef4d60dc491082a2fe6eb7a70 : Dora RAT (emaupdate.exe)
– 5df3c3e1f423f1cce5bf75f067d1d05c : Dora RAT (msload.exe)
– 094f9a757c6dbd6030bc6dae3f8feab3 : Dora RAT (emagent.exe)
– 468c369893d6fc6614d24ea89e149 e80: KeyLogger/ClipLogger (conhosts.exe)
– 5e00df548f2dcf7a808f1337f443f3d9: Stealer (msload.exe)

C&C
– 45.58.159[.]237:443 : Nestdoor – Recent attacks
– 4.246.149[.]227:1443: Nestdoor – TigerRAT attack
– 209.127.19[.]223:443 : Nestdoor – OpenVPN attack
– kmobile.bestunif[.]com:443 – Dora RAT
– 206.72.205[.]117:443 – Dora RAT

Related IOCs and related detailed analysis information can be checked through AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ subscription service.

Don’t Stop Here

More To Explore

Infostealers Webinar – Hudson Rock

Learn about Infostealers with actual real life breaches caused by Infostealer infections with Leonid Rozenberg, Hudson Rock’s Head of Partnerships & Integrations. To discover how

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise