Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group)

AhnLab SEcurity intelligence Center (ASEC) has recently discovered Andariel APT attack cases against Korean corporations and institutes. Targeted organizations included educational institutes and manufacturing and construction businesses in Korea. Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks. The threat actor probably used these malware strains to control and steal data from the infected systems.

The attacks had malware strains identified in Andariel group’s past cases, the most notable of which is Nestdoor, a backdoor addressed in this post. Other cases include the addition of web shells. Proxy tools discovered from the Lazarus group’s previous attacks were also used, although their files were not identical to the current case.

1. Evidence of Attacks

Among many pieces of evidence from the attack process, a case that was actually confirmed involved the distribution of malware using a web server that operated an Apache Tomcat server. Because the system in question ran the 2013 version of Apache Tomcat, it was prone to various vulnerability attacks. The threat actor used the web server to install backdoors, proxy tools, etc.

2. Malware Analysis

2.1. Nestdoor

Nestdoor is an RAT malware strain that has been found since at least May 2022. It can receive the threat actor’s commands to control the infected system and has been discovered continuously in the Andariel group’s attack cases. For the convince of classification, this post lists cases as Nestdoor based on their collected names.

In June 2022, the United States Cybersecurity & Infrastructure Security Agency (CISA) analyzed and disclosed attack cases that exploited the VMware Horizon product’s Log4Shell vulnerability (CVE-2021-44228) for malware installation. The cases included malware types classified as “Unidentified RAT” and loader strains that executed them in the memory. [1] [2]

The malware strains classified as an “Unidentified RAT” are developed in C++ and can receive the threat actor’s commands and carry out malicious behaviors such as file upload and download, reverse shell, and command execution. Its other characteristics include binary obfuscation to disrupt analysis and various features such as keylogging, clipboard logging, and proxy.

ASEC disclosed an attack case in May 2022 in which Andariel, an organization known as the Lazarus group’s subsidiary, exploited VMware Horizon’s Log4Shell vulnerability to distribute TigerRAT. [3] There was also a case in early 2023 where Nestdoor was used with TigerRAT to deploy an attack using the same C&C server as the latter. The cases show how Nestdoor was utilized in various attacks, such as the case involving TigerRAT against Korean companies and the case that exploited the Log4Shell vulnerability.

A case where the malware was distributed under the disguise of OpenVPN was also discovered in early 2024, although its distribution path is yet to be confirmed. The malware disguised as an installer was inside the compressed file (see Figure 2). When the “OpenVPN Installer.exe” file is executed, the launcher malware in the same path “FirewallAPI.dll” is loaded, ultimately leading to the execution of “openvpnsvc.exe” which is the Nestdoor malware located in the “Resource” folder. Nestdoor maintains its persistence by adding itself to the Task Scheduler and communicates with the C&C server.

Although the Nestdoor malware identified in this case shares similarities with the OpenVPN case, it also has some distinguishing factors. For instance, the Nestdoor case modified command codes used during C&C communication and supports fewer features. However, its obfuscation method and the overall structure including the early routine are similar. Of course, both cases allow the threat actor to control the infected systems by offering basic features including file tasks and reverse shell.

2.2. Dora RAT

The Andariel group has recently started to create a new backdoor malware strain whenever they launch an attack campaign, developing most of the malware strains through the Go language. The newly discovered malware strain from this post was also developed using Go and was named “Dora RAT” by the attacker.

Dora RAT is a relatively simple malware strain that supports reverse shell and file download/upload. The identified malware has two types: one operates as a standalone executable file, while the other runs by being injected into the explorer.exe process.

“spsvc.exe” is an executable file in a WinRAR SFX format. The file includes a normal program “OneDriverStandaloneUpdate.exe” and the injector malware “version.dll”. Upon execution, these files are installed in “%APPDATA%”. When “OneDriverStandaloneUpdate.exe” is executed, “version.dll” located in the same path is loaded to carry out malicious behaviors. “version.dll” decrypts data within the internal resource, which is Dora RAT, and injects it into the explorer process.

For reference, the attacker has also signed and distributed malware using a valid certificate. Some of the Dora RAT strains used for the attack were confirmed to be signed with a valid certificate from a United Kingdom software developer.

2.3. Other Malware Strains

2.3.1. Keylogger/Cliplogger

Similar to Dora RAT, which only offers basic control features, the Nestdoor malware identified in this attack supports relatively simple functions compared to its previous versions. In other words, it does not support features such as keylogging or clipboard logging. Accordingly, the threat actor used Nestdoor to additionally install malware that would initiate keylogging and clipboard logging.

The malware used for the attack generated a file for the string delivered to the “%TEMP%” path as an argument and saved the logged keystroke and clipboard information.

2.3.2. Stealer

The tools installed by the threat attacker included malware for stealing files in the system. Given that pre-existing malware strains are fit only to steal files of small quantity or size, the threat actor might have installed additional malware to steal files of massive size.

2.3.3. Proxy

The additional malware strains that the threat actor installed were mostly proxy tools. Among the confirmed proxy tools were types that the attacker has likely created, though open-source Socks5 proxy tools have also been confirmed. [4] [5]

A notable fact is that the threat actor used a proxy tool found in the Lazarus group’s attack using ThreadNeedle that Kaspersky disclosed in early 2021. Despite not being an identical file, the malware has the same size, routine, and string used during verification. For reference, the proxy type that exhibits the exact same traits (same authentication string) has been deployed for attacks since at least 2014.

3. Conclusion

The Andariel group is one of the threat groups that are highly active in Korea, alongside the Kimsuky and Lazarus groups. The group initially launched attacks to acquire information related to national security, but now they have also been attacking for financial gain. [6] They use spear phishing or watering hole attacks and exploit vulnerabilities in software during the initial access. There have also been circumstances of the Andariel group exploiting additional vulnerabilities in the attack process to distribute malware to internal networks.

Users must be particularly cautious against attachments in emails from unknown sources and executable files downloaded from web pages. If there are vulnerabilities within the software used by companies such as asset management solutions or access control solutions, their security administrators apply patches to update them to their latest versions. They should also apply the latest patch for OS and programs such as internet browsers and update V3 to the latest version to prevent malware infection in advance.

File Detection
– Trojan/Win.Injector.C5610655 (2024.04.09.03)
– Trojan/Win.Agent.C5610733 (2024.04.10.00)
– Backdoor/Win.Nestdoor.C5610641 (2024.04.13.00)
– Backdoor/Win.DoraRAT.C5610712 (2024.04.09.03)
– Dropper/Win.Agent.C5610793 (2024.04.10.00)
– Trojan/Win.Injector.C5610655 (2024.04.09.03)
– Dropper/Win.Agent.C5610654 (2024.04.09.03)
– Trojan/Win.KeyLogger.C5610642 (2024.04.09.03)
– Backdoor/Win.Nestdoor.C5622508 (2024.05.16.03)
– Trojan/Win.Launcher.C5622509 (2024.05.16.03)
– Trojan/Win.PWS.C5068848 (2022.04.12.01)

Behavior Detection
– Malware/MDP.Fraud.M800

IoCs
MD5s
– 7416ea48102e2715c87edd49ddbd1526: Nestdoor – Recent attack case (nest.exe)
– a2aefb7ab6c644aa8eeb482e27b2dbc4: Nestdoor – TigerRAT attack case (psfile.exe)
– e7fd7f48fbf5635a04e302af50dfb651: Nestdoor – OpenVPN attack case (openvpnsvc.exe)
– 33b2b5b7c830c34c688cf6ced287e5be: Nestdoor launcher (FirewallAPI.dll)
– 4bc571925a80d4ae4aab1e8900bf753c: Dora RAT dropper (spsvc.exe)
– 951e9fcd048b919516693b25c13a9ef2: Dora RAT dropper (emaupdate.exe)
– fee610058c417b6c4b3054935b7e2730: Dora RAT injector (version.dll)
– afc5a07d6e438880cea63920277ed270: Dora RAT injector (version.dll)
– d92a317ef4d60dc491082a2fe6eb7a70: Dora RAT (emaupdate.exe)
– 5df3c3e1f423f1cce5bf75f067d1d05c: Dora RAT (msload.exe)
– 094f9a757c6dbd6030bc6dae3f8feab3: Dora RAT (emagent.exe)
– 468c369893d6fc6614d24ea89e149e80: Keylogger/Cliplogger (conhosts.exe)
– 5e00df548f2dcf7a808f1337f443f3d9: Stealer (msload.exe)

C&Cs
– 45.58.159[.]237:443: Nestdoor – Recent attack case
– 4.246.149[.]227:1443: Nestdoor – TigerRAT attack case
– 209.127.19[.]223:443: Nestdoor – OpenVPN attack case
– kmobile.bestunif[.]com:443 – Dora RAT
– 206.72.205[.]117:443 – Dora RAT

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.