2024-07-11

ASEC Unveils Xctdoor Malware Campaign Targeting South Korean Industries

Level: Tactical | Category: Threat Actor Activity | Industries: Defense, Manufacturing | Source: ASEC

AhnLab Security Intelligence Center (ASEC) has identified a cyber-espionage campaign deploying the Xctdoor backdoor against South Korean defense and manufacturing organizations. ASEC attributes the activity to Andariel, a subgroup of the North Korean Lazarus group, which conducts operations for both espionage and financial gain against sectors aligned with North Korean state objectives. The campaign's objective is to compromise enterprise environments for data exfiltration and ongoing system monitoring. ASEC's analysis indicates that the attackers abused weaknesses in enterprise resource planning (ERP) software, including its update component, to gain a foothold and establish persistent access.

ASEC documented two intrusions. In the first, from May 2024, the attack began with the manipulation of "ClientUpdater.exe", an update component of the ERP system, so that it loaded a malicious DLL through regsvr32. The DLL then injected into host processes such as "taskhost.exe" and "explorer.exe." For persistence, the malware created a shortcut in the Startup folder pointing at an innocuous-looking "roaming.dat" file, so the payload is relaunched at each logon. Once running, the backdoor connects to a command and control (C&C) server and supports commands that capture screenshots, log keystrokes and clipboard contents, and report detailed drive information. ASEC reports that it can also download and execute additional payloads, so an initial foothold can escalate into full system compromise.

In the second intrusion, against a compromised web server, the IIS worker process "w3wp.exe" spawned the Windows Command Prompt to run a series of reconnaissance commands gathering system, network, and application information: "ipconfig /all," "systeminfo," "ping," "reg query," and a PowerShell command that enumerates installed software names, versions, publishers, and installation dates from the Windows registry. A web shell is the likely vehicle for issuing these commands through the web server process. With system context gathered, XcLoader was deployed. "The XcLoader used in the attack functions similarly to the type developed in the Go language, reading and decrypting the "roaming.dat" file located in the same directory, and injecting it into processes. The difference is that in the May 2024 case, the "roaming.dat" file is in PE format, whereas in this case, it is encrypted. XcLoader primarily targets the explorer.exe process for injection, but in some cases, it also selects the "sihost.exe" process," ASEC explains. The attackers also used the Ngrok tunnelling service to expose TCP port 3389 (RDP) through an outbound tunnel, giving them remote desktop access to the host while evading inbound network controls.
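The two chains above (ERP updater to regsvr32 to Startup-folder shortcut to "roaming.dat", and w3wp.exe to cmd.exe recon to Ngrok on 3389) reduce to a handful of process-creation and file-creation checks. The hunt below is an added example written for this page, not code from ASEC or Anvilogic. It runs five rules over constructed Sysmon-style events (EventID 1 process creation, EventID 11 file creation) and adds a correlation that counts distinct recon commands per w3wp.exe parent. The hostname, user, DLL path, shortcut name and ngrok location in the sample events are invented; only the process and file names ASEC reports (ClientUpdater.exe, regsvr32, roaming.dat, w3wp, ngrok, port 3389) come from the article. The regsvr32 rule generalizes the ERP case: it flags any module registered from outside C:\Windows, which also catches the later launch of roaming.dat from AppData.

```python
"""Hunt for the Xctdoor/XcLoader intrusion chains in endpoint telemetry.
Constructed example: events imitate Sysmon EventID 1 (process create) and
EventID 11 (file create). Paths, user and shortcut name are invented."""
import re
from collections import defaultdict

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"  # IIS worker process
CMD = r"C:\Windows\System32\cmd.exe"
REGSVR = r"C:\Windows\System32\regsvr32.exe"
EXPLORER = r"C:\Windows\explorer.exe"
STARTUP = r"C:\Users\erp-admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

EVENTS = [
    # May 2024 chain: the ERP updater loads a DLL through regsvr32 (DLL path invented)
    {"EventID": 1, "Image": REGSVR, "ParentImage": r"C:\ERP\Client\ClientUpdater.exe",
     "CommandLine": r"regsvr32.exe /s C:\ERP\Client\update\patch.dll"},
    # persistence: a shortcut lands in the Startup folder (shortcut name invented)
    {"EventID": 11, "Image": EXPLORER, "TargetFilename": STARTUP + r"\Update.lnk"},
    # at logon the shortcut's command line references roaming.dat (launcher invented)
    {"EventID": 1, "Image": REGSVR, "ParentImage": EXPLORER,
     "CommandLine": r"regsvr32.exe /s C:\Users\erp-admin\AppData\Roaming\roaming.dat"},
    # web-server chain: w3wp.exe spawns cmd.exe for the recon commands ASEC lists
    {"EventID": 1, "Image": CMD, "ParentImage": W3WP, "CommandLine": "cmd.exe /c ipconfig /all"},
    {"EventID": 1, "Image": CMD, "ParentImage": W3WP, "CommandLine": "cmd.exe /c systeminfo"},
    {"EventID": 1, "Image": CMD, "ParentImage": W3WP,
     "CommandLine": r'cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"'},
    # Ngrok exposing RDP through an outbound tunnel (ngrok path invented)
    {"EventID": 1, "Image": r"C:\Users\Public\ngrok.exe", "ParentImage": CMD, "CommandLine": "ngrok.exe tcp 3389"},
    # benign controls that must not fire: system DLL registration, a user's own ipconfig
    {"EventID": 1, "Image": REGSVR, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\vbscript.dll"},
    {"EventID": 1, "Image": CMD, "ParentImage": EXPLORER, "CommandLine": "cmd.exe /c ipconfig /all"},
]

RECON = re.compile(r"\b(ipconfig|systeminfo|ping|reg\s+query|whoami|net\s+(?:user|view)|tasklist)\b", re.I)
WINDIR = "c:\\windows\\"


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


def regsvr32_module(cmdline):
    """First non-switch argument after the image name: the module regsvr32 loads."""
    for tok in cmdline.split()[1:]:
        if not tok.startswith("/"):
            return tok.strip('"')
    return ""


def rule_regsvr32_nonsystem_dll(e):
    # regsvr32 registering a module outside C:\Windows (ERP update dir, AppData, ...)
    if e["EventID"] != 1 or base(e["Image"]) != "regsvr32.exe":
        return False
    module = regsvr32_module(e["CommandLine"]).lower()
    return bool(module) and not module.startswith(WINDIR)


def rule_startup_folder_lnk(e):
    target = e.get("TargetFilename", "").lower()
    return e["EventID"] == 11 and "\\start menu\\programs\\startup\\" in target and target.endswith(".lnk")


def rule_roaming_dat_reference(e):
    return e["EventID"] == 1 and "roaming.dat" in e.get("CommandLine", "").lower()


def rule_w3wp_spawns_recon(e):
    return (e["EventID"] == 1 and base(e.get("ParentImage", "")) == "w3wp.exe"
            and base(e["Image"]) in {"cmd.exe", "powershell.exe"}
            and RECON.search(e.get("CommandLine", "")) is not None)


def rule_ngrok_rdp_tunnel(e):
    return e["EventID"] == 1 and re.search(r"\bngrok(?:\.exe)?\b.*\btcp\b.*\b3389\b",
                                           e.get("CommandLine", ""), re.I) is not None


RULES = {
    "regsvr32_nonsystem_dll": rule_regsvr32_nonsystem_dll,
    "startup_folder_lnk": rule_startup_folder_lnk,
    "roaming_dat_reference": rule_roaming_dat_reference,
    "w3wp_spawns_recon": rule_w3wp_spawns_recon,
    "ngrok_rdp_tunnel": rule_ngrok_rdp_tunnel,
}


def hunt(events):
    """Return (rule_name, event_index) pairs in event order."""
    return [(name, i) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]


def recon_bursts(events, threshold=3):
    """w3wp.exe parents that spawned at least `threshold` distinct recon commands."""
    seen = defaultdict(set)
    for e in events:
        if e["EventID"] == 1 and base(e.get("ParentImage", "")) == "w3wp.exe":
            m = RECON.search(e.get("CommandLine", ""))
            if m:
                seen[e["ParentImage"]].add(re.sub(r"\s+", " ", m.group(1).lower()))
    return {parent: len(cmds) for parent, cmds in seen.items() if len(cmds) >= threshold}


if __name__ == "__main__":
    for name, idx in hunt(EVENTS):
        print(f"{name:24s} event {idx}: {EVENTS[idx].get('CommandLine') or EVENTS[idx].get('TargetFilename')}")
    print("recon bursts:", recon_bursts(EVENTS))
```

Against the sample set the two benign events at the end stay silent, while the ERP updater's DLL load, the Startup-folder shortcut, the roaming.dat launch, the three w3wp-spawned recon commands and the Ngrok tunnel each fire, and the correlation reports the single w3wp.exe parent with three distinct recon commands. The regsvr32 module extraction is deliberately simple (first non-switch token), so a module path containing spaces would need proper Windows command-line splitting before this rule is used in production.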

Both intrusions resulted in data exfiltration and attacker control of the affected systems. ASEC warns that these attacks not only compromise organizational data but also open the door to more destructive follow-on actions, such as ransomware deployment or extensive system sabotage.
