| Dora RAT | |
|---|---|
| Type of Malware | Backdoor |
| Country of Origin | North Korea |
| Date of initial activity | 2024 |
| Associated Groups | Andariel |
| Targeted Countries | South Korea |
| Motivation | The Andariel group initially launched attacks to acquire information related to national security, but it has since also carried out attacks for financial gain. |
| Attack vectors | The Andariel group uses spear phishing or watering hole attacks and exploits software vulnerabilities during initial access. There have also been cases in which the group exploited additional vulnerabilities later in the attack chain to distribute malware to internal networks. |
| Targeted systems | Windows |
| Variants | Backdoor/Win.DoraRAT.C5610712 (2024.04.09.03) |
Overview
The North Korea-linked threat actor Andariel has been observed using a new Golang-based backdoor called Dora RAT in attacks targeting educational institutes, manufacturing firms, and construction businesses in South Korea. Dora RAT is a relatively simple malware strain that supports reverse shell and file download/upload functionalities. The identified malware has two variants: one operates as a standalone executable file, while the other functions by being injected into the explorer.exe process.
Targets
Educational institutes, manufacturing firms, and construction businesses in South Korea.
How they operate
The Dora RAT malware exhibits two distinct operational modes: one functions as a standalone executable file, whereas the other executes through injection into the explorer.exe process. The executable “spsvc.exe,” packaged in WinRAR SFX format, contains both a legitimate program, “OneDriverStandaloneUpdate.exe,” and the injector malware, “version.dll.” Upon execution, both components are installed in the “%APPDATA%” directory. When “OneDriverStandaloneUpdate.exe” is launched, it loads “version.dll” from that same directory (a DLL side-loading pattern: the application's own directory is searched before the system directory, so the planted DLL wins) and thereby executes the malicious code. The “version.dll” component decrypts data from an internal resource, which comprises Dora RAT, and subsequently injects this payload into the explorer.exe process.
Additionally, the attacker has employed a valid certificate to sign and distribute the malware, thereby enhancing its credibility. Notably, certain strains of Dora RAT utilized in these attacks have been authenticated with a legitimate certificate issued by a software developer based in the United Kingdom.
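The two behaviours described above (a legitimate, signed host binary loading “version.dll” from its own directory under %APPDATA% instead of System32, followed by a remote thread created in explorer.exe from that host) are what a defender can correlate in endpoint telemetry. The following is an added detection sketch written for this page, not code from the original report or from the Andariel toolset. It assumes Sysmon-like image-load and remote-thread events exported as JSON lines; the field names (`event`, `pid`, `image`, `loaded`, `source_pid`, `source_image`, `target_image`, `signed`) and the sample records are constructed for the example, not real telemetry.

```python
"""Correlate DLL side-loading from %APPDATA% with a follow-on remote thread into explorer.exe."""
import json
import ntpath

# DLL names that legitimate programs resolve by name and that the page shows
# being planted next to the host binary (here: version.dll).
SIDELOAD_DLLS = {"version.dll"}
# Directories from which loading such a system DLL is expected and benign.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Processes the page names as injection targets.
INJECTION_TARGETS = {"explorer.exe"}

# Constructed sample telemetry (assumed field names; JSON needs "\\" for one backslash).
SAMPLE_EVENTS = r"""
{"event": "ImageLoad", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Roaming\\OneDriverStandaloneUpdate.exe", "loaded": "C:\\Users\\alice\\AppData\\Roaming\\version.dll", "signed": true}
{"event": "ImageLoad", "pid": 1234, "image": "C:\\Windows\\explorer.exe", "loaded": "C:\\Windows\\System32\\version.dll", "signed": true}
{"event": "CreateRemoteThread", "source_pid": 4120, "source_image": "C:\\Users\\alice\\AppData\\Roaming\\OneDriverStandaloneUpdate.exe", "target_pid": 1234, "target_image": "C:\\Windows\\explorer.exe"}
{"event": "CreateRemoteThread", "source_pid": 900, "source_image": "C:\\Windows\\System32\\svchost.exe", "target_pid": 1234, "target_image": "C:\\Windows\\explorer.exe"}
{"event": "ImageLoad", "pid": 2222, "image": "C:\\Program Files\\Vendor\\tool.exe", "loaded": "C:\\Program Files\\Vendor\\helper.dll", "signed": false}
"""


def parse_events(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_suspicious_sideload(ev):
    """True for an ImageLoad where a known side-loadable DLL is loaded from the
    host process's own directory rather than from a Windows system directory.
    A valid Authenticode signature on the host binary does not make this benign:
    the host in the Dora RAT chain is a legitimate, signed program."""
    if ev.get("event") != "ImageLoad":
        return False
    loaded = ev["loaded"]
    if ntpath.basename(loaded).lower() not in SIDELOAD_DLLS:
        return False
    dll_dir = ntpath.dirname(loaded).lower()
    if dll_dir in SYSTEM_DIRS:
        return False
    host_dir = ntpath.dirname(ev["image"]).lower()
    return dll_dir == host_dir


def analyze(text):
    """Return alerts in event order: one per suspicious side-load, plus one per
    remote thread that a flagged host process creates in an injection target."""
    alerts = []
    sideload_pids = set()
    for ev in parse_events(text):
        if is_suspicious_sideload(ev):
            sideload_pids.add(ev["pid"])
            alerts.append({
                "kind": "sideload",
                "pid": ev["pid"],
                "host": ntpath.basename(ev["image"]),
                "dll": ntpath.basename(ev["loaded"]),
                "host_signed": bool(ev.get("signed", False)),
            })
        elif ev.get("event") == "CreateRemoteThread":
            target = ntpath.basename(ev["target_image"]).lower()
            if ev["source_pid"] in sideload_pids and target in INJECTION_TARGETS:
                alerts.append({
                    "kind": "injection",
                    "pid": ev["source_pid"],
                    "host": ntpath.basename(ev["source_image"]),
                    "target": target,
                })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Only the first event trips the side-load rule (the same DLL name loaded by explorer.exe from System32 is ignored), and only the remote thread originating from that flagged process is reported; the unrelated svchost.exe thread into explorer.exe is left alone so the rule stays specific to the chain the page describes. The `host_signed` field is carried into the alert precisely because the report notes the samples were signed with a legitimate UK developer certificate: signature status should be displayed to the analyst, not used to suppress the alert.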
Significant Malware Campaigns
- The Andariel group has recently started to create a new backdoor malware strain for each attack campaign it launches, developing most of these strains in the Go language. The newly discovered strain was likewise developed in Go and was named “Dora RAT” by the attacker. (May 2024)