2 July 2024

South Korean ERP vendor's update systems hijacked to deploy Xctdoor backdoor

A threat actor has compromised an update server of an unnamed South Korean ERP vendor to distribute malware instead of legitimate updates, a recent report from AhnLab's Security Intelligence Center (ASEC) revealed.

While the researchers didn’t attribute the attacks to a particular threat actor, they said that the attack techniques bore similarities to TTPs employed by the Andariel group, a subsidiary of the North Korea-linked Lazarus Group.

Andariel has a history of installing backdoors known as HotCroissant and Riffdoor. The group's recent tactics involve tampering with the “ClientUpdater.exe” file of ERP systems to deliver malicious updates.

In an incident that took place in May 2024, the attackers inserted a routine to execute a DLL from a specific path using the Regsvr32.exe process, rather than inserting a downloader routine as seen in previous attacks.

The identified DLL, now classified as “Xctdoor,” is capable of stealing system information and executing commands from the attackers. Xctdoor, written in the Go language and executed via Regsvr32.exe, injects itself into processes such as “taskhost.exe,” “taskhostex.exe,” “taskhostw.exe,” and “explorer.exe.” It then replicates itself to a specified path and ensures persistence by creating a startup shortcut file.
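As an added defender-side example (not code from the ASEC report or this article), the following Python flags the three behaviours described above in Sysmon-style events: the update client launching Regsvr32.exe on a DLL outside the Windows system directories, Regsvr32.exe opening a remote thread into one of the listed host processes, and a shortcut file appearing in a Startup folder. The event records are constructed, and apart from ClientUpdater.exe and the process names above, every path and file name is an assumption.

```python
# Added example: detections for the update-hijack chain described in the article,
# run over constructed Sysmon-style events (EventID 1 = process create,
# 8 = CreateRemoteThread, 11 = file create). All paths below are assumptions.
import re
from pathlib import PureWindowsPath

TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")  # assumption
INJECTION_TARGETS = {"taskhost.exe", "taskhostex.exe", "taskhostw.exe", "explorer.exe"}
DLL_RE = re.compile(r'([a-z]:\\[^"\s]+?\.dll)', re.IGNORECASE)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)

def basename(path):
    return PureWindowsPath(path).name.lower()

def check(evt):
    """Return an alert name for one event, or None if it looks benign."""
    eid = evt["EventID"]
    if eid == 1:  # ERP update client launching regsvr32 on a DLL outside system dirs
        if basename(evt["Image"]) == "regsvr32.exe" and basename(evt["ParentImage"]) == "clientupdater.exe":
            m = DLL_RE.search(evt["CommandLine"])
            if m and not m.group(1).lower().startswith(TRUSTED_DLL_DIRS):
                return "updater-spawned-regsvr32-untrusted-dll"
    elif eid == 8:  # regsvr32 creating a thread in one of the reported host processes
        if basename(evt["SourceImage"]) == "regsvr32.exe" and basename(evt["TargetImage"]) in INJECTION_TARGETS:
            return "regsvr32-remote-thread-into-host-process"
    elif eid == 11:  # shortcut dropped into a Startup folder (noisy alone; correlate with the above)
        if STARTUP_RE.search(evt["TargetFilename"]) and basename(evt["Image"]) in INJECTION_TARGETS | {"regsvr32.exe"}:
            return "startup-lnk-written-by-host-process"
    return None

def scan(events):
    """Return (timestamp, alert) pairs for every event that matches a rule."""
    return [(e["UtcTime"], r) for e in events if (r := check(e))]

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-05-02 09:10:01", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\ERP\ClientUpdater.exe", "CommandLine": r'regsvr32.exe /s "C:\ERP\cache\upd.dll"'},
    {"EventID": 1, "UtcTime": "2024-05-02 09:10:02", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "CommandLine": r"regsvr32.exe /s C:\Windows\System32\mshtml.dll"},
    {"EventID": 8, "UtcTime": "2024-05-02 09:10:03", "SourceImage": r"C:\Windows\System32\regsvr32.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "UtcTime": "2024-05-02 09:10:05", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
]

if __name__ == "__main__":
    for ts, rule in scan(SAMPLE_EVENTS):
        print(ts, rule)
```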

The recent attacks primarily targeted the defense sector, but similar breaches have been reported since earlier this year.

In March 2024, ASEC identified instances where web servers in the South Korean manufacturing sector were compromised to install the XcLoader malware, which injects the Xctdoor backdoor into normal processes. Xctdoor is capable of capturing system information such as screenshots, keylogs, clipboard data, and drive information, as well as executing commands issued by threat actors.

Notably, the attack involved both Go language and C language versions of XcLoader. Previously, only the C language version had been utilized. The attacks in March targeted Windows IIS web servers running version 8.5, which was released in 2013. This suggests that the attackers exploited poor configurations or vulnerabilities to propagate the malware.
