Andariel gang hacked ERP server
An ERP server that managed a South Korean organization's business operations was breached, and the compromised server was then used to distribute malware, AhnLab Security Intelligence Center (ASEC) reported.
The ERP vendor was not named, but the attack tactics resembled those of the North Korea-linked Andariel group, a sub-group of the Lazarus Group. Andariel is known for installing backdoors such as HotCroissant and Rifdoor, and for targeting ERP systems by modifying ClientUpdater.exe so that it delivers malicious updates.
In the recent incident, the attackers used Regsvr32.exe to execute a DLL named Xctdoor. Regsvr32.exe is a legitimate Windows utility for registering DLLs, so loading the backdoor through it lets the malware blend into ordinary system activity. ASEC assessed Xctdoor as a capable backdoor: it steals system information and executes commands from the attacker, and it transmits the username, computer name and its own process ID (PID) to a command-and-control server. Xctdoor also supports further information-theft functions, including screenshot capture, keylogging, clipboard logging, and transmission of drive information.
Andariel typically targets financial institutions, government entities, and defense contractors to steal funds or sensitive information, but the group has also targeted other sectors such as healthcare and manufacturing. The latest attacks were aimed at the defense sector and came within months of attacks on other industries.

ASEC urged users to be cautious of email attachments from unknown sources and of executable files downloaded from the web. Security administrators were advised to step up monitoring of asset management programs and to apply patches for security vulnerabilities in order to reduce the risk of such attacks.
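As an added illustration of the monitoring ASEC recommends, and of the Regsvr32.exe loading technique described above, the following Python is example detection logic written here; it is not code from ASEC, AhnLab or the ERP vendor. It scans Sysmon-style process-creation events for regsvr32.exe loading a DLL from outside the usual system and program directories, or being spawned by an ERP/asset management updater. The events are constructed for the example, and the parent-process watchlist (WATCHED_PARENTS) and trusted directory list (TRUSTED_DLL_DIRS) are assumptions to adapt to your environment.

```python
"""Flag regsvr32.exe loading a DLL from an untrusted path, or regsvr32.exe
being spawned by an asset-management / ERP updater.

Example code written for this page; the events below are constructed, not
real telemetry, and the watchlists are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Directories from which a DLL handed to regsvr32 is considered ordinary (assumed list).
TRUSTED_DLL_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)

# Hypothetical asset-management / ERP client updater names to watch as parents.
WATCHED_PARENTS = {"clientupdater.exe", "erpupdater.exe"}

# Constructed Sysmon-style process-creation events (not real logs).
SAMPLE_EVENTS = [
    {   # ordinary DLL registration by an installer
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s C:\Windows\System32\oleaut32.dll",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
    },
    {   # ERP updater spawning regsvr32 on a DLL dropped in a world-writable folder
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Users\Public\update.dll"',
        "ParentImage": r"C:\Program Files\ERPClient\ClientUpdater.exe",
    },
    {   # the updater itself starting: not regsvr32, ignored by this rule
        "Image": r"C:\Program Files\ERPClient\ClientUpdater.exe",
        "CommandLine": "ClientUpdater.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # plugin registration from a trusted program directory
        "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files (x86)\Vendor\plugin.dll"',
        "ParentImage": r"C:\Users\alice\Downloads\setup.exe",
    },
]

# Matches a double-quoted argument or a run of non-whitespace.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def dll_argument(cmdline):
    """Return the first non-switch argument to regsvr32 (the DLL path), or None."""
    for tok in split_cmdline(cmdline)[1:]:
        if not tok.startswith(("/", "-")):
            return tok
    return None


def is_trusted_dir(path):
    """True if the path lies under one of TRUSTED_DLL_DIRS (case-insensitive).

    A relative path (e.g. just 'update.dll') resolves against an unknown working
    directory, so it is treated as untrusted.
    """
    p = PureWindowsPath(path.lower())
    for trusted in TRUSTED_DLL_DIRS:
        try:
            p.relative_to(PureWindowsPath(trusted.lower()))
            return True
        except ValueError:
            continue
    return False


def analyze(event):
    """Return the reasons this process-creation event looks suspicious (empty if none)."""
    reasons = []
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if image != "regsvr32.exe":
        return reasons
    dll = dll_argument(event["CommandLine"])
    if dll is not None and not is_trusted_dir(dll):
        reasons.append(f"regsvr32 loading DLL from untrusted path: {dll}")
    if parent in WATCHED_PARENTS:
        reasons.append(f"regsvr32 spawned by asset management program: {parent}")
    return reasons


def scan(events):
    """Return (command line, reasons) for every event that triggers the rule."""
    findings = []
    for event in events:
        reasons = analyze(event)
        if reasons:
            findings.append((event["CommandLine"], reasons))
    return findings


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print(cmdline)
        for reason in reasons:
            print("  -", reason)
```

Only the second constructed event fires, on both conditions; the two benign regsvr32 invocations pass because their DLLs sit under trusted directories. In production the watchlist would name the real updater binaries of the ERP and asset management software in use, and the rule is best paired with verification that updater-delivered files are signed by the expected vendor.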