Malware Used in Attacks Against Korean Companies

July 1, 2024, 10:46 a.m.

Description

A recent analysis by ASEC discovered attacks that exploit a Korean ERP solution to distribute malware such as XcLoader and Xctdoor. The attacks targeted Korean defense and manufacturing companies. The malware was propagated by compromising the ERP update servers, which were then used to install backdoors. Xctdoor collects system information and executes commands issued by the threat actors.

Date

  • Created: July 1, 2024, 10:23 a.m.
  • Published: July 1, 2024, 10:23 a.m.
  • Modified: July 1, 2024, 10:46 a.m.

Indicators


Attack Patterns

  • HotCroissant - S0431
  • Xctdoor
  • XcLoader
  • Andariel

Additional Information

  • Defense
  • Manufacturing
  • Korea, Democratic People's Republic of