Shadow Force Group’s Viticdoor and CoinMiner

The Shadow Force group is a threat group that has been active since 2013, targeting corporations and organizations in South Korea. Trend Micro revealed the first analysis report in September 2015, where it stated that a Korean media-related company had been attacked. In March 2020, AhnLab published an analysis report on Operation Shadow Force. It was introduced as a single campaign as there was the possibility of it being the activities of an existing threat group. However, no relevant threat group information has been found for over three years since the release of the analysis report, and it thus seems to be a group active in Korea. In July 2022, KRCert published the details of their analysis of the Shadow Force group’s additional breach through their report “Analysis of Lateral Movement Strategies Using TTPs#7 SMB Admin Share”. In October 2022, AhnLab announced that the PE-modifying iatinfect.exe file is continuously being detected.

This report covers the changes made to existing malware and new malware discovered through tracking recent activities of the Shadow Force group. There are continued reports of file modification using Iatinfect.exe, while the usage rate of the backdoor used in the past has decreased. Instead, there have been cases where other backdoors such as Viticdoor were used, and since December 2021, cryptocurrency miners were being installed alongside them. The threat actor has been using the same file name and similar malware and tools since 2014, making it easier to identify them.

ATIP_2023_Shadow Force Group’s Viticdoor and CoinMiner

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.