South Korean ERP Vendor's Server Compromised to Spread Xctdoor Malware

Introduction

A significant cybersecurity breach has been detected involving an unnamed South Korean enterprise resource planning (ERP) vendor. The vendor's product update server was compromised to deliver a Go-based backdoor known as Xctdoor. This incident, identified by Foresiet Security Intelligence Center (Foresiet SIC) in May 2024, underscores the critical need for robust cybersecurity measures, including stolen credentials detection, darknet monitoring services, and digital footprint analysis.

Incident Overview

The attack has not been attributed to a specific threat actor or group, but the tactics bear similarities to those used by Andariel, a sub-cluster within the infamous Lazarus Group. In a similar attack in 2017, the North Korean adversary used an ERP solution to distribute malware like HotCroissant (identical to Rifdoor) by inserting malicious routines into a software update program.

Malware Mechanism

In this recent incident, the compromised executable was tampered with to execute a DLL file from a specific path using the regsvr32.exe process instead of launching a downloader. The DLL file, Xctdoor, is capable of stealing system information, including keystrokes, screenshots, and clipboard content, and executing commands from the threat actor. Xctdoor communicates with the command-and-control server using the HTTP protocol, with packet encryption employing the Mersenne Twister (MT19937) algorithm and the Base64 algorithm.

Additional Malware: XcLoader

The attack involved the use of XcLoader, a type of injector malware that facilitates the insertion of Xctdoor into legitimate processes like "explorer.exe." Since at least March 2024, poorly secured web servers have been compromised to install XcLoader, further emphasizing the need for stringent cybersecurity practices.

Related Threats

The discovery of Xctdoor comes amidst other significant threats from North Korean-linked actors. For instance, the Kimusky group has been observed using a previously undocumented backdoor named HappyDoor since July 2021. This backdoor, distributed via spear-phishing emails, is designed to facilitate information theft, download/upload files, and self-update or terminate.

Additionally, the Konni cyber espionage group (also known as Opal Sleet, Osmium, or TA406) has been conducting a massive malware distribution campaign targeting South Korea. This campaign uses phishing lures impersonating the national tax service to deliver malware capable of stealing sensitive information.

Conclusion

The compromise of the South Korean ERP vendor's server to spread Xctdoor malware highlights the critical importance of implementing comprehensive cybersecurity measures. Organizations must invest in brand protection, compromised data tracking, and brand impersonation defense to safeguard their systems against evolving threats. Staying vigilant and proactive in cybersecurity is essential to protect sensitive information and maintain digital security.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.