South Korean ERP vendor's server hacked to spread Xctdoor malware

admin, 3 July 2024 23:13:26


An unnamed South Korean enterprise resource planning (ERP) vendor's product update server has been found to be compromised to deliver a Go-based backdoor dubbed Xctdoor.

The AhnLab Security Intelligence Center (ASEC), which identified the attack in May 2024, did not attribute it to a known threat actor or group, but noted that the tactics overlap with that of Andariel, a sub-cluster within the infamous Lazarus Group.

The similarities stem from the North Korean adversary's prior use of the ERP solution to distribute malware like HotCroissant – which is identical to Rifdoor – in 2017 by inserting a malicious routine into a software update program.

In the recent incident analyzed by ASEC, the same executable is said to have been tampered with to execute a DLL file from a specific path using the regsvr32.exe process as opposed to launching a downloader.

The DLL file, Xctdoor, is capable of stealing system information, including keystrokes, screenshots, and clipboard content, and executing commands issued by the threat actor.

"Xctdoor communicates with the [command-and-control] server using the HTTP protocol, while the packet encryption employs the Mersenne Twister (MT19937) algorithm and the Base64 algorithm," ASEC said.

Also used in the attack is a malware called XcLoader, which serves as an injector malware responsible for injecting Xctdoor into legitimate processes (e.g., "explorer.exe").

ASEC said it further detected cases where poorly secured web servers have been compromised to install XcLoader since at least March 2024.

The development comes as another North Korea-linked threat actor, referred to as Kimsuky, has been observed employing a previously undocumented backdoor codenamed HappyDoor that has been in use as far back as July 2021.

Attack chains distributing the malware leverage spear-phishing emails as a starting point to disseminate a compressed file, which contains an obfuscated JavaScript or dropper that, when executed, creates and runs HappyDoor alongside a decoy file.

HappyDoor, a DLL file executed via regsvr32.exe, is equipped to communicate with a remote server over HTTP and facilitate information theft, download/upload files, as well as update and terminate itself.
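Both Xctdoor and HappyDoor are described above as DLLs launched through regsvr32.exe, in the Xctdoor case from a specific path by a tampered ERP update executable. The following is an added detection example written for this page, not code from ASEC or from the article: it scans process-creation events and flags regsvr32.exe loading a DLL from outside the usual program directories, rating the finding higher when the parent process itself runs from an unusual location (such as an updater under a vendor-specific folder). The log format, field names, trusted-directory list and all sample events are constructed assumptions for illustration.

```python
"""
Added illustrative detection logic (not from the article or ASEC).

Assumed input: one process-creation event per line, space-separated
key=value fields, with "cmdline=" always last so the command line may
contain spaces. Field names (ts, host, parent, image, cmdline) mimic
Sysmon-style telemetry but are a constructed convention for this example.
"""
import re
from pathlib import PureWindowsPath

# Directories from which regsvr32-loaded DLLs and parent processes are
# normally expected. Assumption: tune this list per environment.
TRUSTED_DIRS = (
    r"c:\windows",
    r"c:\program files",
    r"c:\program files (x86)",
)

FIELD_RE = re.compile(r"(\w+)=(\S+)")
# A command-line token is either a double-quoted string or a run of non-spaces.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Hypothetical updater spawning regsvr32 on a DLL in a user-writable path.
    r"ts=2024-05-10T09:12:01 host=WS01 parent=C:\ERP\Update\erp_update.exe "
    r"image=C:\Windows\System32\regsvr32.exe "
    r"cmdline=regsvr32.exe /s C:\Users\Public\Libs\update.dll",
    # Benign: an installer registering a DLL under Program Files.
    r"ts=2024-05-10T09:15:44 host=WS01 parent=C:\Windows\System32\msiexec.exe "
    r"image=C:\Windows\System32\regsvr32.exe "
    r'cmdline=regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
    # Unrelated process; ignored by the rule.
    r"ts=2024-05-10T09:16:02 host=WS01 parent=C:\Windows\explorer.exe "
    r"image=C:\Windows\System32\notepad.exe cmdline=notepad.exe",
    # regsvr32 from a trusted parent but loading a DLL out of a temp folder.
    r"ts=2024-05-10T09:20:17 host=WS01 parent=C:\Windows\System32\cmd.exe "
    r"image=C:\Windows\System32\regsvr32.exe "
    r"cmdline=regsvr32.exe /s /u C:\Users\bob\AppData\Local\Temp\loader.dll",
]


def parse_event(line: str) -> dict:
    """Split a key=value event line; everything after 'cmdline=' is the command line."""
    head, sep, cmd = line.partition(" cmdline=")
    fields = dict(FIELD_RE.findall(head))
    fields["cmdline"] = cmd.strip() if sep else ""
    return fields


def extract_dll_path(cmdline: str):
    """Return the first non-switch argument after the program name (the DLL path)."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    for tok in tokens[1:]:
        if not tok.startswith("/"):
            return tok
    return None


def is_trusted_path(path: str) -> bool:
    """True if the path lies beneath one of TRUSTED_DIRS (case-insensitive)."""
    norm = str(PureWindowsPath(path)).lower()
    return any(norm.startswith(d + "\\") for d in TRUSTED_DIRS)


def analyze(lines) -> list:
    """Return one finding per regsvr32 launch whose DLL is outside trusted directories."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if PureWindowsPath(ev.get("image", "")).name.lower() != "regsvr32.exe":
            continue
        dll = extract_dll_path(ev["cmdline"])
        if dll is None or is_trusted_path(dll):
            continue
        parent = ev.get("parent", "")
        # An untrusted parent (e.g. a vendor updater in its own folder) is the
        # pattern described for the ERP case, so it is rated higher.
        severity = "medium" if is_trusted_path(parent) else "high"
        findings.append({
            "ts": ev.get("ts"),
            "host": ev.get("host"),
            "parent": parent,
            "dll": dll,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['ts']} {f['host']}: {f['parent']} -> regsvr32 {f['dll']}")
```

The rule deliberately keys on where the DLL and the parent live rather than on any file name, since the article gives no file names or hashes; in practice the trusted-directory list should be narrowed to what the environment actually installs, and a finding from a software updater's process tree is the case most worth escalating.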

It also follows a "massive" malware distribution campaign orchestrated by the Konni cyber espionage group (aka Opal Sleet, Osmium, or TA406) targeting South Korea with phishing lures impersonating the national tax service to deliver malware capable of stealing sensitive information, security researcher Idan Tarab said.

References

[1] https://thehackernews.com/2024/07/south-korean-erp-vendors-server-hacked.html


Originally published on the WeChat official account (知机安全): South Korean ERP vendor's server hacked to spread Xctdoor malware

Source page (CN-SEC): https://cn-sec.com/archives/2914781.html