lazarusholic


Xctdoor Malware Used in Attacks Against Korean Companies (Andariel)

2024-07-01, Ahnlab
https://asec.ahnlab.com/en/67558/
#HOTCROISSANT #Xctdoor #KSystem #Andariel #Rifdoor

Contents

AhnLab SEcurity intelligence Center (ASEC) recently discovered a case in which an unidentified threat actor exploited a Korean ERP solution to carry out an attack. After infiltrating the network, the threat actor is believed to have compromised the update server of a specific Korean ERP solution in order to take control of systems within the company. In another case, a vulnerable web server was attacked and used to distribute malware. The targets of these attacks have been identified as the Korean defense and manufacturing industries.
Among the identified malware is a modified update program of an existing ERP solution into which a malicious routine was inserted. This method is similar to a 2017 case in which the Andariel group used the same technique to install the HotCroissant backdoor. The developer used the string “Xct” while building the malware, and the backdoor ultimately deployed in these attacks is therefore classified as Xctdoor.
1. Past Attack Cases of …

IoC
