A South Korean ERP vendor’s product update server was compromised and used to deliver malware instead of updates. The attack, detected by AhnLab, resembles tactics used by North Korea-linked group Andariel. The malware, named Xctdoor, can steal system information, execute commands from the attacker, and capture screenshots, keylogs, and clipboard logs. It can also transmit drive information.
The attackers inserted a routine that executes the malicious DLL via the Regsvr32.exe process. The malware can control infected systems and exfiltrate information from them. AhnLab urged users to be cautious with attachments in emails from unknown sources and with executable files downloaded from web pages, and advised security administrators to strengthen monitoring of asset management programs and to apply patches for any security vulnerabilities.
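As an added illustration of the monitoring AhnLab recommends (this is example code, not from AhnLab or the report), the script below scans constructed process-creation events and flags Regsvr32.exe registering a DLL when it is spawned by an update client or when the DLL sits in a user-writable directory. The update-client name, the directory list and all paths are assumptions for the example.

```python
import re

# Constructed sample events (simplified Sysmon Event ID 1 style fields).
# "updater.exe" is a hypothetical ERP update client; no value below comes from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\ERP\updater.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\update\patch.dll"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"ParentImage": r"C:\Program Files\ERP\updater.exe",
     "Image": r"C:\Program Files\ERP\erpclient.exe",
     "CommandLine": r"erpclient.exe --apply-update"},
]

# Assumed: directories from which a legitimate update should not need regsvr32 to register a DLL.
SUSPICIOUS_DIRS = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp", r"\appdata\local\temp")

# Assumed: process names of update / asset-management clients in this environment.
UPDATE_CLIENTS = ("updater.exe",)

# Quoted path with spaces, or unquoted path without spaces, ending in .dll
DLL_RE = re.compile(r'"([^"]+\.dll)"|([A-Za-z]:\\\S+\.dll)', re.IGNORECASE)


def flag_event(ev):
    """Return a reason string if the event looks like regsvr32 abuse tied to an update client, else None."""
    if not ev["Image"].lower().endswith("\\regsvr32.exe"):
        return None
    parent = ev["ParentImage"].lower().rsplit("\\", 1)[-1]
    m = DLL_RE.search(ev["CommandLine"])
    dll = (m.group(1) or m.group(2)).lower() if m else ""
    reasons = []
    if parent in UPDATE_CLIENTS:
        reasons.append(f"regsvr32 spawned by update client {parent}")
    if any(d in dll for d in SUSPICIOUS_DIRS):
        reasons.append(f"DLL registered from user-writable path {dll}")
    return "; ".join(reasons) or None


def scan(events):
    """Return a list of (event index, reason) for every flagged event."""
    return [(i, r) for i, ev in enumerate(events) if (r := flag_event(ev))]


if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```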
The Andariel group primarily targets financial institutions, government entities, defense contractors, and other sectors, seeking to steal funds or sensitive information. The latest attacks targeted the defense sector, but came within months of attacks on manufacturing and other industries.