Dora RAT

The North Korea-linked threat actor known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in attacks targeting educational institutes, manufacturing firms, and construction businesses in South Korea. Keylogger, infostealer, and proxy tools were deployed alongside the backdoor; the threat actor most likely used these malware strains to control the infected systems and steal data from them.
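As an added, defender-side example (not code from this page, from the reporting vendor, or from the attackers' tooling): a small Python triage helper that identifies Go-compiled binaries on disk by locating the build-info blob the Go toolchain embeds and reading back the Go version and main module path, which is useful when hunting for unexpected Go-built executables such as a Golang backdoor. The blob layout follows Go's debug/buildinfo format; the sample bytes are constructed and the module path is a placeholder.

```python
MAGIC = b"\xff Go buildinf:"  # 14-byte marker that opens the build-info blob
HEADER = 32                    # fixed header; inline strings start right after
FLAG_INLINE = 0x2              # set by Go 1.18+ when the strings are inline


def _uvarint(buf, pos):
    """Decode a Go unsigned LEB128 varint at pos; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7


def parse_go_buildinfo(data):
    """Return {"go_version", "module"} for a Go 1.18+ blob, {"layout": "pointer"}
    for older toolchains (pointer-based strings, not chased here), else None."""
    off = data.find(MAGIC)
    if off < 0 or len(data) < off + HEADER:
        return None
    if not data[off + 15] & FLAG_INLINE:   # byte 14 = pointer size, byte 15 = flags
        return {"layout": "pointer"}
    pos = off + HEADER
    n, pos = _uvarint(data, pos)           # length-prefixed Go version string
    version = data[pos:pos + n].decode("ascii", "replace")
    n, pos = _uvarint(data, pos + n)       # length-prefixed module info text
    modinfo = data[pos:pos + n].decode("utf-8", "replace")
    module = next((line.split("\t", 1)[1] for line in modinfo.splitlines()
                   if line.startswith("path\t")), "")
    return {"go_version": version, "module": module}


# Constructed stand-in for a Go-built binary (not a real Dora RAT sample).
VERSION = b"go1.21.0"
MODINFO = b"path\tconstructed.example/agent\nmod\tconstructed.example/agent\t(devel)\n"
SAMPLE = (b"\x00" * 8 + MAGIC + bytes([8, FLAG_INLINE]) + b"\x00" * 16
          + bytes([len(VERSION)]) + VERSION + bytes([len(MODINFO)]) + MODINFO)

if __name__ == "__main__":  # usage: python go_buildinfo.py <file>
    import sys
    with open(sys.argv[1], "rb") as f:
        print(parse_go_buildinfo(f.read()))
```

Run it over a directory of unexpected executables to separate Go-built files from the rest; a stripped binary still carries this blob, so the check works without symbols.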

The attacks are characterized by the use of a vulnerable Apache Tomcat server to distribute the malware, the South Korean cybersecurity firm added, noting that the system in question ran the 2013 version of Apache Tomcat, leaving it exposed to several known vulnerabilities.

The Andariel APT is a Major Actor in the Cybercrime Scene

Andariel, also known by aliases such as Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an Advanced Persistent Threat (APT) group that has operated in support of North Korea's strategic objectives since at least 2008.

A sub-group of the larger Lazarus Group, this adversary has a history of using spear-phishing, watering-hole attacks, and exploitation of known software vulnerabilities to gain initial access and spread malware across targeted networks.

Researchers did not disclose how the malware was deployed, but they noted that a variant of the known Nestdoor malware was used. This variant can receive and execute commands from a remote server, transfer files, open a reverse shell, collect clipboard contents and keystrokes, and act as a proxy.

The Andariel APT Deployed the Dora RAT to Compromised Devices

The attacks also employed a previously undocumented backdoor, Dora RAT. It is a simple piece of malware offering reverse shell and file transfer capabilities.

The attacker also signed the Dora RAT with a valid code-signing certificate before distributing it: some of the Dora RAT samples used in the attacks were confirmed to be signed with a legitimate certificate issued to a software developer in the United Kingdom. A valid signature on its own is therefore not evidence that a binary is benign; the identity of the signer matters as much as the validity of the signature.

Among the other malware deployed in these attacks were a keylogger delivered through a stripped-down variant of Nestdoor, a dedicated information-stealing component, and a SOCKS5 proxy tool similar to one used by the Lazarus Group in the 2021 ThreatNeedle campaign.

The Andariel group stands out as one of the most active threat actors operating in Korea, alongside the Kimsuky and Lazarus groups. Initially focused on gathering intelligence concerning national security, they have expanded their scope to include financially motivated attacks.

RAT Infections Could Lead to Devastating Consequences for Victims

Remote Access Trojans (RATs) can inflict devastating consequences on victims due to their intrusive and clandestine nature. Here's why:

  • Unauthorized Access: RATs grant attackers unrestricted access to infected systems. This access enables them to execute commands, install or uninstall software, modify files, and manipulate system settings remotely, essentially giving them full control over the victim's device.
  • Data Theft and Surveillance: RATs often include features such as keylogging, screen capturing, and webcam hijacking, allowing attackers to monitor victims' activities in real-time. This surveillance capability enables the theft of sensitive information, including passwords, financial data, personal conversations, and intellectual property.
  • System Compromise: RATs can compromise the integrity and functionality of infected systems. Attackers may disable security software, alter system configurations, or even deploy additional malware payloads, leading to system instability, data corruption, and loss of productivity.
  • Propagation and Network Compromise: RATs can facilitate the spread of malware within a network. Once a single device is infected, attackers can use the compromised system as a launchpad to infiltrate other connected devices, servers, or infrastructure components, potentially causing widespread damage and disruption.
  • Long-term Persistence: RATs are designed to maintain persistent access to infected systems. Even if initial detection and removal attempts are successful, attackers may reinstall or reactivate the malware, ensuring continued access and control over compromised devices for extended periods.
  • Reputation Damage and Legal Consequences: A successful RAT attack can have severe repercussions for victims, including damage to their reputation, loss of customer trust, and legal liabilities. Breaches of sensitive data may result in regulatory fines, lawsuits, and other legal consequences, further exacerbating the reputational and financial impact on affected organizations.

In summary, RAT infections pose significant threats to victims, ranging from unauthorized access and data theft to system compromise, network propagation, and long-term persistence. Proactive cybersecurity measures, including regular software updates, robust endpoint protection, user awareness training, and incident response planning, are essential to mitigate the risks associated with RAT attacks.
