Dora RAT (Backdoor) – Malware

June 6, 2024
Dora RAT

Type of Malware

Backdoor

Country of Origin

North Korea

Date of initial activity

2024

Associated Groups

Andariel

Targeted Countries

South Korea

Motivation

The Andariel group initially launched attacks to acquire information related to national security, but now they have also been attacking for financial gain.

Attack vectors

The Andariel group uses spear phishing or watering hole attacks, and exploits vulnerabilities in software, to gain initial access. There have also been cases of the Andariel group exploiting additional vulnerabilities later in the attack process to distribute malware to internal networks.

Targeted systems

Windows

Variants

Backdoor/Win.DoraRAT.C5610712 (2024.04.09.03)

Overview

The North Korea-linked threat actor Andariel has been observed using a new Golang-based backdoor called Dora RAT in attacks targeting educational institutes, manufacturing firms, and construction businesses in South Korea. Dora RAT is a relatively simple malware strain that supports reverse shell and file download/upload functionalities. The identified malware has two variants: one operates as a standalone executable file, while the other functions by being injected into the explorer.exe process.

Targets

Educational institutes, manufacturing firms, and construction businesses in South Korea.

How they operate

The Dora RAT malware exhibits two distinct operational modes: one functions as a standalone executable file, whereas the other executes through injection into the explorer.exe process. The executable, “spsvc.exe,” packaged in a WinRAR SFX format, contains both a legitimate program, “OneDriverStandaloneUpdate.exe,” and the injector malware, “version.dll.” Upon execution, these components are installed in the “%APPDATA%” directory. When “OneDriverStandaloneUpdate.exe” is initiated, it loads “version.dll” from the same location to execute its malicious functions. The “version.dll” component decrypts data from an internal resource, which comprises Dora RAT, and subsequently injects this malware into the explorer process. Additionally, the attacker has employed a valid certificate to sign and distribute the malware, thereby enhancing its credibility. Notably, certain strains of Dora RAT utilized in these attacks have been authenticated with a legitimate certificate issued by a software developer based in the United Kingdom.
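The chain above is a DLL side-loading pattern: a system-named DLL (version.dll) placed in a user-writable directory next to the legitimate executable that loads it. The following added hunting script (not code from the page or from the referenced analysis) walks a directory tree and flags any DLL whose name collides with a known side-loading target and sits beside an executable; the sample directory layout it builds is constructed here to mirror the %APPDATA% layout described above.

```python
import os
import tempfile
from pathlib import Path

# DLL names worth flagging when found outside system directories. version.dll
# is the name used in the Dora RAT chain; extend this set from your own baseline.
SIDELOAD_DLL_NAMES = {"version.dll"}


def find_sideload_candidates(root, dll_names=SIDELOAD_DLL_NAMES):
    """Return sorted (dll_path, [exe names]) pairs for every DLL under `root`
    whose name is in `dll_names` and that sits next to at least one .exe.
    A system-named DLL in a user-writable folder beside an executable is the
    side-loading layout described in the text."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower(): f for f in files}
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        for name in dll_names:
            if name in lowered and exes:
                hits.append((os.path.join(dirpath, lowered[name]), exes))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: the suspicious layout under an AppData-like path,
    plus a benign program folder that must not be flagged."""
    root = tempfile.mkdtemp(prefix="sideload_demo_")
    suspicious = Path(root, "AppData", "Roaming")
    suspicious.mkdir(parents=True)
    (suspicious / "OneDriverStandaloneUpdate.exe").write_bytes(b"MZ placeholder")
    (suspicious / "version.dll").write_bytes(b"MZ placeholder")
    benign = Path(root, "Program Files", "Tool")
    benign.mkdir(parents=True)
    (benign / "tool.exe").write_bytes(b"MZ placeholder")
    (benign / "helper.dll").write_bytes(b"MZ placeholder")
    return root


def demo():
    """Scan the constructed tree and return hits as root-relative POSIX paths."""
    root = build_sample_tree()
    return [(os.path.relpath(dll, root).replace(os.sep, "/"), exes)
            for dll, exes in find_sideload_candidates(root)]


if __name__ == "__main__":
    for dll, exes in demo():
        print(f"side-load candidate: {dll} next to {', '.join(exes)}")
```

On a real host, point find_sideload_candidates at user-writable locations such as %APPDATA% and confirm any hit by checking the DLL's signature and hash against the vendor's own.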

Significant Malware Campaigns

  • The Andariel group has recently started to create a new backdoor malware strain whenever it launches an attack campaign, developing most of these strains in the Go language. The newly discovered strain was also developed in Go and was named “Dora RAT” by the attacker. (May 2024)
References:
  • Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group)
Tags: Andariel, Backdoor, Dora RAT, Educational institutes, Golang, Malware, manufacturing firms, North Korea, South Korea