The Andariel APT group launched a targeted attack campaign against South Korean domestic companies and institutions, where manufacturing, construction, and educational sectors were hit.
The attackers deployed backdoors like Nestdoor, keyloggers, infostealers, and proxy tools to compromise systems, steal data, and potentially control infected machines, and the campaign reused malicious code observed in previous Andariel attacks, including Nestdoor backdoors and web shells.
Interestingly, a proxy tool previously linked to Lazarus group activity was also utilized, suggesting potential collaboration or shared resources between the two actors.
Attackers exploited flaws in an Apache Tomcat web server to spread malicious code, installing backdoors and proxy tools on the compromised server, which was probably out of date, running a Tomcat version dating from 2013.
A recently discovered RAT malware named Nestdoor, linked to the Andariel group, has been used in attacks since at least May 2022; it grants attackers remote control of infected systems, allowing file transfer, shell access, and command execution.
Nestdoor supports keylogging, clipboard capture, and proxy functionality, and shares C&C servers with another RAT, TigerRAT, suggesting their coordinated use in attacks targeting domestic entities as well as in attacks exploiting the Log4Shell vulnerability.
Attackers are distributing malware disguised as legitimate software: hidden within a compressed file is a dropper named “OpenVPN Installer.exe,” which leverages a DLL file to launch and then executes a copy of the Nestdoor malware named “openvpnsvc.exe.”
According to AhnLab Security Intelligence Centre, the malware establishes persistence by registering with the task scheduler and communicating with a command-and-control server.
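The scheduled-task persistence described above is something a defender can hunt for in task-creation telemetry. The following is an added example, not code from the report or the AhnLab analysis: it runs a simple triage over constructed records shaped like Windows Security event 4698 (task created), flagging actions that use the reported “openvpnsvc.exe” name, run from a user-writable directory, or mimic OpenVPN outside its normal install path. The sample task names, paths and user account are invented for the demonstration.

```python
"""Flag scheduled-task creations that match the Nestdoor persistence pattern."""

# Constructed sample records, shaped like the fields of Windows Security
# event 4698 (task created); not telemetry from the campaign itself.
SAMPLE_TASKS = [
    {"task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe", "author": "SYSTEM"},
    {"task": r"\OpenVPN Update",
     "command": r"C:\Users\alice\AppData\Local\Temp\openvpnsvc.exe",
     "author": r"DESKTOP\alice"},
    {"task": r"\OpenVPN\Interactive Service",
     "command": r"C:\Program Files\OpenVPN\bin\openvpnserv.exe", "author": "SYSTEM"},
]

# Binary name reported for the Nestdoor copy in this campaign.
KNOWN_BAD_NAMES = {"openvpnsvc.exe"}
# Directories an installer would normally place a service binary in.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# User-writable locations where a dropper, rather than an installer, tends to land.
WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\users\\public\\",
                    "\\programdata\\", "\\downloads\\")


def normalize(command: str) -> str:
    """Lower-case the action and expand the environment variables most common in task XML."""
    lowered = command.lower()
    return lowered.replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")


def assess_task(record: dict) -> list:
    """Return the reasons a task looks like Nestdoor-style persistence (empty if none)."""
    cmd = normalize(record["command"])
    exe = cmd.rsplit("\\", 1)[-1]
    reasons = []
    if exe in KNOWN_BAD_NAMES:
        reasons.append(f"binary name {exe} matches reported Nestdoor file name")
    if any(marker in cmd for marker in WRITABLE_MARKERS):
        reasons.append("task action runs from a user-writable directory")
    if "openvpn" in exe and not cmd.startswith(TRUSTED_PREFIXES):
        reasons.append("OpenVPN-lookalike binary outside a normal install path")
    return reasons


def find_suspicious_tasks(records) -> list:
    """Pair every flagged task name with its reasons; benign tasks are dropped."""
    hits = []
    for rec in records:
        reasons = assess_task(rec)
        if reasons:
            hits.append((rec["task"], reasons))
    return hits


if __name__ == "__main__":
    for task, reasons in find_suspicious_tasks(SAMPLE_TASKS):
        print(task, "->", "; ".join(reasons))
```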
While this iteration of Nestdoor showed some variation in C&C communication commands and supported functions compared to past versions, it retains the core functionalities of file manipulation and reverse shell, enabling attacker control of the compromised system.
In addition to the RAT malware, attackers deployed another malware for keylogging and clipboard logging by creating a file in the victim’s temporary directory to store all the stolen keystrokes and clipboard information.
Another piece of malware identified is a file stealer, which allows attackers to steal files from the infected system.
It most likely targets a large volume of files, as it was installed separately from the RAT malware, and the stealer offers options to configure communication protocol, server address, file path, and performance limitations.
Lazarus Group attacks heavily utilize proxy tools, including custom-made ones and open-source Socks5 tools.
The attackers deployed a malicious proxy similar to Kaspersky’s ThreadNeedle (released in 2021) in terms of size, functionality, and even authentication strings.
Since at least 2014, Lazarus Group attacks have used this particular type of proxy, which is distinguishable by its distinctive authentication string, indicating a long-term use of this particular tool or technique.