The Rifdoor malware is a hacking tool that is part of the arsenal of the Andariel group. Cybersecurity researchers believe that the Andariel hacking group is likely a part of the infamous Lazarus APT (Advanced Persistent Threat). The Lazarus APT is believed to originate from North Korea, and it tends to go after South Korean targets mainly. Usually, this hacking group carries out long reconnaissance campaigns before launching an attack against their targets.
The Rifdoor threat serves as a multi-purpose backdoor Trojan. It is built for long-term espionage: once installed, it gives its operators persistent access to the infected device and lets them execute remote commands on it. The Rifdoor backdoor also allows the Andariel hacking group to plant additional malware on the compromised computer. One Rifdoor sample detected in 2019 appeared to be signed with a certificate issued to a South Korean company operating in the IT security sector. This likely means that the Andariel hackers obtained the certificate by compromising the company's network or some of its employees. A valid signature from a legitimate vendor is a common way to make a malicious binary look trustworthy to both users and security products, which is why a signed file should never be treated as clean on that basis alone.
The Lazarus APT and its subdivision, the Andariel group, are not likely to go after regular users. High-profile threat actors of this type tend to target large companies in important industries, crucial government bodies or high-ranking government officials. This is because these hacking groups are likely sponsored by the North Korean government and are doing its bidding on an international level.
The Rifdoor backdoor Trojan is one of the oldest threats in the hacking arsenal of the Andariel group. However, it appears that this malware is still in use today, as its creators release regular updates that improve the functionality of the tool. It is likely that North Korean hackers will continue to use this threat in future campaigns.