Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group)
AhnLab SEcurity intelligence Center (ASEC) has recently identified Andariel APT attacks against Korean companies and institutions. The targets included educational institutions as well as manufacturing and construction businesses in Korea. In addition to a backdoor, the attackers deployed a keylogger, an infostealer and proxy tools, presumably to control the infected systems and exfiltrate data from them.
The malware used in these attacks includes strains seen in Andariel's earlier cases, most notably Nestdoor, the backdoor covered in this post. In some cases web shells were installed as well. Proxy tools previously observed in Lazarus group attacks were also used, although the files were not identical to those seen in the earlier cases.
1. Evidence of Attacks
Among the many pieces of evidence gathered from the attack process, one confirmed case involved malware being distributed through a web server running Apache Tomcat. Because the system in …
IoC
094f9a757c6dbd6030bc6dae3f8feab3
206.72.205.117
209.127.19.223
33b2b5b7c830c34c688cf6ced287e5be
4.246.149.227
45.58.159.237
468c369893d6fc6614d24ea89e149e80
4bc571925a80d4ae4aab1e8900bf753c
5df3c3e1f423f1cce5bf75f067d1d05c
5e00df548f2dcf7a808f1337f443f3d9
7416ea48102e2715c87edd49ddbd1526
951e9fcd048b919516693b25c13a9ef2
a2aefb7ab6c644aa8eeb482e27b2dbc4
afc5a07d6e438880cea63920277ed270
d92a317ef4d60dc491082a2fe6eb7a70
e7fd7f48fbf5635a04e302af50dfb651
fee610058c417b6c4b3054935b7e2730
http://206.72.205.117:443
http://209.127.19.223:443
http://4.246.149.227:1443
http://45.58.159.237:443
http://kmobile.bestunif.com:443
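The IoC list above is a flat mix of file hashes, C2 addresses and URLs. The following Python is an added example, not code from the original ASEC report, showing how a SOC would type these indicators and sweep them across proxy records and file-hash inventories. It also flags one pattern that is visible in the list itself: every C2 URL is plaintext http:// to port 443 or 1443, so a request of that shape is worth hunting for even when the address has changed. The proxy log format, the sample records, the file paths and the treatment of 1443 as a "TLS port" are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# The IoC list exactly as published on this page. Each hash is 32 hex chars, i.e. MD5.
IOC_TEXT = """
094f9a757c6dbd6030bc6dae3f8feab3
206.72.205.117
209.127.19.223
33b2b5b7c830c34c688cf6ced287e5be
4.246.149.227
45.58.159.237
468c369893d6fc6614d24ea89e149e80
4bc571925a80d4ae4aab1e8900bf753c
5df3c3e1f423f1cce5bf75f067d1d05c
5e00df548f2dcf7a808f1337f443f3d9
7416ea48102e2715c87edd49ddbd1526
951e9fcd048b919516693b25c13a9ef2
a2aefb7ab6c644aa8eeb482e27b2dbc4
afc5a07d6e438880cea63920277ed270
d92a317ef4d60dc491082a2fe6eb7a70
e7fd7f48fbf5635a04e302af50dfb651
fee610058c417b6c4b3054935b7e2730
http://206.72.205.117:443
http://209.127.19.223:443
http://4.246.149.227:1443
http://45.58.159.237:443
http://kmobile.bestunif.com:443
"""

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Ports where TLS is expected. 443 and 1443 are the ports the page's C2 URLs use;
# treating 1443 as a "TLS port" is an assumption made here for hunting purposes.
TLS_PORTS = {443, 1443}

def url_key(url):
    """Normalise to scheme://host:port so paths and letter case do not defeat matching."""
    u = urlsplit(url.strip())
    port = u.port or (443 if u.scheme.lower() == "https" else 80)
    return f"{u.scheme.lower()}://{(u.hostname or '').lower()}:{port}"

def parse_iocs(text):
    """Sort the flat list into typed sets; an unrecognised line is an error, not silently dropped."""
    iocs = {"md5": set(), "ipv4": set(), "hosts": set(), "urls": set()}
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        if MD5_RE.match(line):
            iocs["md5"].add(line.lower())
        elif IPV4_RE.match(line):
            iocs["ipv4"].add(line)
        elif "://" in line:
            iocs["urls"].add(url_key(line))
            iocs["hosts"].add((urlsplit(line).hostname or "").lower())
        else:
            raise ValueError(f"unrecognised indicator: {line!r}")
    return iocs

def scan_proxy_log(log_text, iocs):
    """Match proxy records 'ts client dst_host dst_port method url' against the IoCs.
    Also flags plaintext http:// to a TLS port: every C2 URL on this page has that
    shape, so it is worth hunting for even after the C2 address changes."""
    hits = []
    for line in log_text.strip().splitlines():
        ts, client, dst_host, dst_port, method, url = line.split(None, 5)
        u = urlsplit(url)
        port = u.port or (443 if u.scheme.lower() == "https" else 80)
        reasons = []
        if dst_host in iocs["ipv4"] or dst_host.lower() in iocs["hosts"]:
            reasons.append("ioc_host")
        if url_key(url) in iocs["urls"]:
            reasons.append("ioc_url")
        if u.scheme.lower() == "http" and port in TLS_PORTS:
            reasons.append("plaintext_http_on_tls_port")
        if reasons:
            hits.append((ts, client, dst_host, int(dst_port), reasons))
    return hits

def scan_hashes(records, iocs):
    """records: iterable of (path, md5_hex); returns those whose hash is on the IoC list."""
    return [(path, h.lower()) for path, h in records if h.lower() in iocs["md5"]]

# Constructed sample data, not from the original report. The two IoC hits reuse
# addresses from the list above; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges standing in for benign or unknown destinations.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:12:03Z 10.10.4.21 203.0.113.10 443 CONNECT https://203.0.113.10:443/
2024-05-01T09:12:07Z 10.10.4.21 4.246.149.227 1443 POST http://4.246.149.227:1443/
2024-05-01T09:13:40Z 10.10.7.8 kmobile.bestunif.com 443 GET http://kmobile.bestunif.com:443/
2024-05-01T09:14:02Z 10.10.4.21 example.org 80 GET http://example.org/index.html
2024-05-01T09:15:11Z 10.10.9.3 198.51.100.7 443 POST http://198.51.100.7:443/
"""
SAMPLE_HASHES = [
    ("C:\\Windows\\Temp\\svc.exe", "5E00DF548F2DCF7A808F1337F443F3D9"),  # on the IoC list
    ("C:\\Tomcat\\bin\\tomcat9.exe", "d41d8cd98f00b204e9800998ecf8427e"),  # MD5 of empty input, not an IoC
]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    print(scan_proxy_log(SAMPLE_PROXY_LOG, iocs))
    print(scan_hashes(SAMPLE_HASHES, iocs))
```

The last sample record matches no indicator but is still reported, because plaintext HTTP to a TLS port is the shape of all five C2 URLs on this list; in a real deployment such hits go to a hunting queue rather than being treated as confirmed IoC matches. Hashes are compared case-insensitively since tooling disagrees on hex case, and URLs are reduced to scheme, host and port so a trailing path or an uppercase hostname does not hide a match.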