[![Xctdoor Malware](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)]() An unnamed South Korean enterprise resource planning (ERP) vendor's product update server has been found to be compromised to deliver a Go-based backdoor dubbed Xctdoor. The AhnLab Security Intelligence Center (ASEC), which [identified]() the attack in May 2024, did not attribute it to a known threat actor or group, but noted that the tactics overlap with that of [Andariel](), a sub-cluster within the infamous Lazarus Group. The similarities stem from the North Korean adversary's prior use of the ERP solution to distribute malware like HotCroissant – which is identical to [Rifdoor]() – in 2017 by inserting a malicious routine into a software update program. [![Cybersecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)]( "Cybersecurity" ) In the recent incident analyzed by ASEC, the same executable is said to have been tampered with to execute a DLL file from a specific path using the [regsvr32.exe process]() as opposed to launching a downloader. The DLL file, Xctdoor, is capable of stealing system information, including keystrokes, screenshots, and clipboard content, and executing commands issued by the threat actor. "Xctdoor communicates with the [command-and-control] server using the HTTP protocol, while the packet encryption employs the Mersenne Twister (MT19937) algorithm and the Base64 algorithm," ASEC said. Also used in the attack is a malware called XcLoader, which serves as an injector malware responsible for injecting Xctdoor into legitimate processes (e.g., "explorer.exe"). ASEC said it further detected cases where poorly secured web servers have been compromised to install XcLoader since at least March 2024. The development comes as the another North Korea-linked threat actor referred to as [Kimusky]() has been observed employing a previously undocumented backdoor codenamed [HappyDoor]() that has been put to use as far back as July 2021. [![Cybersecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)]( "Cybersecurity" ) Attack chains distributing the malware leverage spear-phishing emails as a starting point to disseminate a compressed file, which contains an obfuscated JavaScript or dropper that, when executed, creates and runs HappyDoor alongside a decoy file. HappyDoor, a DLL file executed via regsvr32.exe, is equipped to communicate with a remote server over HTTP and facilitate information theft, download/upload files, as well as update and terminate itself. It also follows a "massive" malware distribution campaign orchestrated by the [Konni]() cyber espionage group (aka Opal Sleet, Osmium, or TA406) targeting South Korea with phishing lures impersonating the national tax service to deliver malware capable of stealing sensitive information, security researcher Idan Tarab [said](). Found this article interesting? Follow us on [Twitter __]() and [LinkedIn]() to read more exclusive content we post.

South Korean ERP Vendor's Server Hacked to Spread Xctdoor Malware