Organizations in the manufacturing, construction, and education sectors across South Korea have been targeted by Andariel, a North Korean state-sponsored advanced persistent threat group and Lazarus Group sub-cluster also known as Silent Chollima, Nickel Hyatt, and Onyx Sleet, in attacks spreading the novel Dora RAT malware, which supports a reverse shell and file upload and download, The Hacker News reports.
Andariel exploited an outdated, vulnerable Apache Tomcat instance to distribute Dora RAT, and one of the malware strains was found to carry a valid certificate from a UK software developer, a report from the AhnLab Security Intelligence Center revealed.
Aside from Dora RAT, Andariel's intrusions also involved deployment of the Nestdoor malware, which supports command execution, reverse shell launching, and clipboard and keystroke capture, as well as a SOCKS5 proxy and a custom information-stealing malware, according to the report.
"[Andariel] initially launched attacks to acquire information related to national security, but now they have also been attacking for financial gain," said researchers.