Dora RAT: "Let's help cyber crooks from North Korea find a new target for the attack"

Tomcat

The new malware is written in Golang and is signed with a valid code-signing certificate belonging to a British developer.

Andariel, a cybercrime group linked to North Korea, has recently been actively using the new Dora RAT malware (its name echoes that of a children's TV show). Written in the Golang programming language, it is being used to attack educational institutions, manufacturing companies and construction firms in South Korea, according to a report from the AhnLab Security Center (ASEC) published last week.

During the attacks, the operators use keyloggers, information stealers, various proxy tools and other malware that lets them control infected systems and steal data from them.

To distribute the malware, Andariel uses a vulnerable Apache Tomcat server running an outdated version dating from 2013. Unpatched software like this leaves systems exposed to a wide range of attacks.

The Andariel group, also known as Nickel Hyatt, Onyx Sleet and Silent Chollima, has been operating on behalf of North Korea since 2008. It is a sub-group of the larger Lazarus hacking group, which is known for its phishing attacks and for exploiting software vulnerabilities to penetrate the networks of private companies and government agencies in many countries.

Although ASEC does not disclose the full details of the attack chain, it mentions the use of a modified version of the Nestdoor malware, which can execute commands from a remote server, upload and download files, capture clipboard and keystroke data, and act as a proxy server.

Dora RAT itself is a simple piece of malware with reverse-shell and file upload/download functionality. The attackers signed and distributed it using a valid code-signing certificate obtained from a British software developer.

Other malware used in the attacks includes a keylogger installed through a simplified version of Nestdoor, an information-stealing tool, and a SOCKS5 proxy server similar to the one the Lazarus group used in the ThreatNeedle campaign in 2021.

ASEC notes that Andariel is one of the most active North Korean groups, alongside Kimsuky and Lazarus. Its attacks were initially aimed at gathering information related to national security, but the group now pursues financial goals as well.