2024: Servers of a South Korean ERP system manufacturer hacked. Now companies around the world are under attack
On July 1, 2024, the AhnLab Security Intelligence Center (ASEC) reported that the servers of an unnamed South Korean ERP system manufacturer had been hacked. After the intrusion, the attackers began attacking companies around the world; the main targets are Korean defense and manufacturing enterprises.
The cyberattacks are reported to have been carried out since at least May 2024. Which group is behind the new scheme is not clear. However, ASEC experts point out that the tactics used are similar to those of the Andariel hackers, who are associated with the Lazarus Group, which in turn is linked to North Korea.
As part of the campaign, the attackers compromised the ERP platform's update server. During the attack, the Regsvr32.exe process was used to execute a DLL from a specific path. The detected DLL turned out to be malware: a backdoor identified as Xctdoor was disguised as this file. The malware is capable of stealing system information, including keystrokes, screenshots and clipboard contents, as well as executing commands from the attackers. The attack also uses malicious software called XcLoader, an injector responsible for injecting Xctdoor into legitimate processes (for example, explorer.exe).
ASEC experts note that this campaign is the first in which a Go version of XcLoader was observed, whereas earlier similar attacks used a C variant of XcLoader. The Xctdoor malware communicates with its command-and-control server over HTTP, and the Mersenne Twister (mt19937) and Base64 algorithms are used to encrypt packets. Vulnerabilities or configuration errors in Windows IIS 8.5 web servers may also be exploited to spread the malware.[1]