Network Security, Malware, Threat Intelligence

Novel malware deployed in Andariel-like ERP update exploitation attack


Defense and manufacturing organizations in South Korea have been hit by attacks that deploy the new Xctdoor malware through a compromised update server for a South Korean enterprise resource planning (ERP) product, The Register reports. The delivery technique echoes one previously used by Andariel, the North Korean state-sponsored sub-cluster of the Lazarus Group, to deliver the HotCroissant and Riffdoor backdoors.

The attackers tampered with the ERP update program, inserting a routine that uses the Regsvr32.exe process to execute the Xctdoor DLL, according to a report from the AhnLab Security Intelligence Center (ASEC). Once running, Xctdoor exfiltrates basic host information, including the username, computer name and the malware's own process ID, and supports command execution, keylogging, clipboard logging, screenshot capture and transmission of drive data.
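As an added illustration of the kind of check a defender would want for the technique above, the Python below scores constructed Sysmon-style events for regsvr32.exe being asked to register a DLL from a directory a vendor installer would not normally use, or mapping an unsigned module. This is example code written for this page, not code from ASEC, SC Media or the reported campaign; the updater name ErpUpdate.exe, the file paths and every event record are assumptions made up for the example.

```python
"""Flag regsvr32.exe DLL registrations and loads that do not fit a trusted update.

Added example, not code from ASEC or SC Media. The events below are constructed
Sysmon-style records (Event ID 1 = process creation, Event ID 7 = image load);
'ErpUpdate.exe' and the paths are hypothetical names used only for illustration.
"""
import re
from pathlib import PureWindowsPath

# Directories where a DLL registered by a legitimate installer is expected to live.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Matches each DLL/OCX argument on a regsvr32 command line, quoted or bare.
DLL_ARG = re.compile(r'"([^"]+\.(?:dll|ocx))"|(\S+\.(?:dll|ocx))', re.IGNORECASE)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _in_trusted_dir(path):
    low = path.lower()
    return any(low.startswith(d + "\\") for d in TRUSTED_DIRS)


def dll_args(command_line):
    """Return every DLL/OCX path passed on a regsvr32 command line."""
    return [quoted or bare for quoted, bare in DLL_ARG.findall(command_line)]


def classify(event):
    """Return the reasons an event is suspicious; an empty list means no finding."""
    if _basename(event["Image"]) != "regsvr32.exe":
        return []
    reasons = []
    if event["EventId"] == 1:
        # Process creation: which DLL was regsvr32 told to register, and from where?
        dlls = dll_args(event["CommandLine"])
        if not dlls:
            reasons.append("regsvr32 launched without a DLL argument")
        for dll in dlls:
            if not _in_trusted_dir(dll):
                reasons.append(f"DLL outside trusted directories: {dll}")
    elif event["EventId"] == 7:
        # Image load: a payload dropped under a trusted path still shows up here
        # if it carries no valid signature.
        loaded = event["ImageLoaded"]
        if event.get("Signed", "false").lower() != "true":
            reasons.append(f"unsigned module loaded: {loaded}")
        if not _in_trusted_dir(loaded):
            reasons.append(f"module loaded from untrusted directory: {loaded}")
    return reasons


def find_suspicious(events):
    """Run classify over a batch and keep (event, reasons) pairs with findings."""
    findings = []
    for event in events:
        reasons = classify(event)
        if reasons:
            findings.append((event, reasons))
    return findings


# Constructed sample records; none of these come from a real host.
SAMPLE_EVENTS = [
    # A vendor installer registering a system DLL: expected, no finding.
    {"EventId": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Windows\System32\msxml3.dll"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    # An updater registering a DLL from ProgramData: flagged on the path alone.
    {"EventId": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\ProgramData\ErpUpdate\update.dll"',
     "ParentImage": r"C:\Program Files\ErpVendor\ErpUpdate.exe"},
    # Same updater, DLL dropped beside it under Program Files: path check passes.
    {"EventId": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\ErpVendor\plugin.dll"',
     "ParentImage": r"C:\Program Files\ErpVendor\ErpUpdate.exe"},
    # ...but the matching image-load record shows the module is unsigned: flagged.
    {"EventId": 7, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Program Files\ErpVendor\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Unrelated process: ignored.
    {"EventId": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for event, reasons in find_suspicious(SAMPLE_EVENTS):
        print(event.get("ParentImage", event["Image"]), "->", "; ".join(reasons))
```

The third sample shows the limit of a path check: a tampered updater can drop its DLL beneath its own Program Files directory, where the path looks legitimate, and the image-load rule catches it only because the module is unsigned. Pair this logic with hash or code-signing verification of the update program itself, and review every regsvr32 launch whose parent is an update process rather than an installer.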

ASEC advised organizations to be wary of email attachments and executables from questionable sources, to strengthen asset management, and to remediate vulnerabilities promptly. Note that in this campaign the payload arrived through a trusted vendor's update channel rather than an attachment, so the integrity of update servers and the behavior of update programs on endpoints deserve the same scrutiny.
