Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group)

2024-05-30 AhnLab (ASEC)

https://asec.ahnlab.com/en/66088/


AhnLab attributes recent intrusions against Korean educational, manufacturing, and construction organizations to Andariel. The cases include compromise of an outdated Apache Tomcat server to deploy backdoors and proxy tools, continued use of Nestdoor, and a new Go-based backdoor the attacker named Dora RAT. Dora RAT supports reverse shell and file upload/download, including a variant loaded through a WinRAR SFX package where version.dll injects the payload into explorer.exe. The campaign also used keylogger, clipboard logger, infostealer, and proxy components, with some malware signed by a valid UK software-developer certificate.

Indicators of Compromise

Type    Value                             First Seen  Last Seen
HASH    7416ea48102e2715c87edd49ddbd1526  2024-05-16  2024-07-25
HASH    a2aefb7ab6c644aa8eeb482e27b2dbc4  2024-05-16  2024-07-25
HASH    33b2b5b7c830c34c688cf6ced287e5be  2024-05-16  2024-07-25
HASH    e7fd7f48fbf5635a04e302af50dfb651  2024-05-16  2024-07-25
HASH    951e9fcd048b919516693b25c13a9ef2  2024-05-16  2024-05-30
HASH    d92a317ef4d60dc491082a2fe6eb7a70  2024-05-16  2024-05-30
HASH    094f9a757c6dbd6030bc6dae3f8feab3  2024-05-16  2024-05-30
HASH    5df3c3e1f423f1cce5bf75f067d1d05c  2024-05-16  2024-05-30
HASH    468c369893d6fc6614d24ea89e149e80  2024-05-16  2024-05-30
HASH    4bc571925a80d4ae4aab1e8900bf753c  2024-05-16  2024-05-30
HASH    afc5a07d6e438880cea63920277ed270  2024-05-16  2024-05-30
HASH    fee610058c417b6c4b3054935b7e2730  2024-05-16  2024-05-30
HASH    5e00df548f2dcf7a808f1337f443f3d9  2024-05-16  2024-05-30
DOMAIN  kmobile.bestunif.com              2024-05-16  2024-05-30
IPv4    209.127.19.223                    2024-05-16  2024-05-30
IPv4    45.58.159.237                     2024-05-16  2024-05-30
IPv4    206.72.205.117                    2024-05-16  2024-05-30
IPv4    4.246.149.227                     2023-08-22  2024-05-30
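The table above is only useful once it is loaded into something that can be matched against files and network logs. The following is an added example, not code from AhnLab or from the report: it parses rows in the table's own plain-text format (the 32-hex-character HASH values are MD5 digests, so the parser infers the algorithm from digest length and validates IPs and hostnames rather than loading typos as dead rules), then hashes file contents and scans log lines for the listed domain and IPs, matching subdomains of kmobile.bestunif.com as well. The IOC rows embedded below are copied from the table; the proxy log lines are constructed for the example.

```python
"""Parse the IOC table on this page and match it against file contents and
host/IP tokens in log lines. Added example, not AhnLab's code; the IOC rows
are copied from the table above, the log lines are constructed."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Excerpt of the table above, in its plain-text "Type Value First Last" format.
IOC_TEXT = """\
Type Value First Seen Last Seen
HASH 7416ea48102e2715c87edd49ddbd1526 2024-05-16 2024-07-25
HASH 951e9fcd048b919516693b25c13a9ef2 2024-05-16 2024-05-30
DOMAIN kmobile.bestunif.com 2024-05-16 2024-05-30
IPv4 209.127.19.223 2024-05-16 2024-05-30
IPv4 45.58.159.237 2024-05-16 2024-05-30
"""

# Constructed proxy log: lines 1 and 3 should hit, line 2 should not.
SAMPLE_PROXY_LOG = [
    "2024-05-17T02:14:09Z host=WS-0412 CONNECT kmobile.bestunif.com:443 200",
    "2024-05-17T02:15:33Z host=WS-0412 CONNECT downloads.example.com:443 200",
    "2024-05-17T02:16:01Z host=WS-0412 CONNECT 45.58.159.237:8080 200",
]

HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
TOKEN_RE = re.compile(r"[A-Za-z0-9.-]+")  # host/IP-like tokens in a log line


@dataclass(frozen=True)
class Ioc:
    kind: str        # "md5" | "sha1" | "sha256" | "domain" | "ipv4"
    value: str       # normalised: lowercase, no trailing dot
    first_seen: str
    last_seen: str


def parse_iocs(text: str) -> List[Ioc]:
    """Parse table rows; malformed indicators raise instead of loading silently."""
    iocs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Type":
            continue  # header or blank line
        typ, value, first, last = parts
        value = value.lower().rstrip(".")
        if typ == "HASH":
            kind = HASH_ALGO_BY_LEN.get(len(value))
            if kind is None or not HEX_RE.match(value):
                raise ValueError(f"not a recognised hex digest: {value}")
        elif typ == "IPv4":
            ipaddress.IPv4Address(value)  # raises ValueError if malformed
            kind = "ipv4"
        elif typ == "DOMAIN":
            labels = value.split(".")
            if len(labels) < 2 or not all(LABEL_RE.match(x) for x in labels):
                raise ValueError(f"not a valid hostname: {value}")
            kind = "domain"
        else:
            raise ValueError(f"unknown IOC type: {typ}")
        iocs.append(Ioc(kind, value, first, last))
    return iocs


class IocSet:
    """Indicators indexed by kind for constant-time lookups."""

    def __init__(self, iocs: List[Ioc]):
        self.by_kind: Dict[str, Dict[str, Ioc]] = {}
        for ioc in iocs:
            self.by_kind.setdefault(ioc.kind, {})[ioc.value] = ioc

    def match_bytes(self, data: bytes) -> List[Ioc]:
        """Hash file contents with each digest algorithm present in the set."""
        hits = []
        for algo in ("md5", "sha1", "sha256"):
            table = self.by_kind.get(algo)
            if table:
                digest = hashlib.new(algo, data).hexdigest()
                if digest in table:
                    hits.append(table[digest])
        return hits

    def match_host(self, host: str) -> Optional[Ioc]:
        """Exact match on an IPv4 address, or on a domain and its subdomains."""
        host = host.lower().rstrip(".")
        ip_hit = self.by_kind.get("ipv4", {}).get(host)
        if ip_hit:
            return ip_hit
        domains = self.by_kind.get("domain", {})
        labels = host.split(".")
        # Walk from the full name towards the apex; never test the bare TLD.
        for i in range(len(labels) - 1):
            hit = domains.get(".".join(labels[i:]))
            if hit:
                return hit
        return None

    def scan_log(self, lines: List[str]) -> List[Tuple[int, Ioc]]:
        """Return (line number, IOC) for every host or IP token that matches."""
        hits = []
        for n, line in enumerate(lines, 1):
            for tok in TOKEN_RE.findall(line):
                ioc = self.match_host(tok)
                if ioc:
                    hits.append((n, ioc))
        return hits
```

Run `IocSet(parse_iocs(IOC_TEXT)).scan_log(SAMPLE_PROXY_LOG)` to get the hits for lines 1 and 3, and `match_bytes(path.read_bytes())` over a file tree to check the MD5 indicators. Note that MD5 matching only catches byte-identical samples; a rebuilt Dora RAT binary will not hit, so the network indicators and the behavioural detail in the summary (version.dll injecting into explorer.exe from a WinRAR SFX drop) matter more for hunting than the hash list.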
