Xctdoor (Backdoor) – Malware

January 28, 2025

Xctdoor

Type of Malware: Backdoor
Country of Origin: North Korea
Date of initial activity: 2024
Targeted Countries: South Korea
Associated Groups: Andariel (APT45)
Motivation: Cyberwarfare
Attack Vectors: Software Vulnerabilities
Targeted Systems: Windows

Overview

Xctdoor is a backdoor used in recent attacks on South Korean defense and manufacturing companies. Discovered in 2024 by the AhnLab Security Intelligence Center (ASEC), it is attributed to the Andariel group, a known subgroup of the Lazarus group. The attackers broke into critical systems through vulnerabilities in Korean ERP solutions and web servers, then used that access to distribute the malware and take control of company networks. These intrusions fit a broader pattern of advanced persistent threat (APT) activity by North Korean-linked groups that increasingly target strategic industries.

Xctdoor's delivery shows how far malware distribution mechanisms have evolved. The attackers inserted malicious routines directly into update programs such as ClientUpdater.exe, a technique reminiscent of the group's 2017 attacks with the HotCroissant backdoor. Because the malware rides on a trusted update mechanism, it spreads within the victim's network while bypassing defenses that trust those updates. Xctdoor's use of the Go programming language, a departure from the more common C-based malware, also makes detection and analysis harder.

Once deployed, Xctdoor is a versatile backdoor: it exfiltrates sensitive data, including screenshots, keystrokes, and clipboard content, and executes commands received from a remote command-and-control (C&C) server. Its communication with those servers is encrypted, which further complicates analysis. Since it can remain hidden on compromised systems for long periods, Xctdoor is a significant threat to organizations in critical sectors.

These attacks underline the urgency for businesses to adopt proactive cybersecurity measures, including regular patching and heightened monitoring of enterprise software solutions.

Targets: Information

How they operate

The initial infection vector of Xctdoor is typically the exploitation of vulnerable software, particularly Korean ERP solutions. Attackers insert malicious routines into update programs such as ClientUpdater.exe, so the malware propagates within corporate networks without raising immediate suspicion. This tactic is reminiscent of the 2017 HotCroissant backdoor attack, also linked to the Andariel group, but Xctdoor has advanced in both its delivery mechanism and its technical complexity. One significant development is the use of the Go programming language for certain components, which makes detection and analysis harder for traditional security tools optimized for C-based malware.

Once inside a system, Xctdoor establishes persistence using Windows utilities such as Regsvr32.exe to execute its malicious payload. It copies itself into the system's startup folder and modifies Registry Run keys so that it runs automatically after a reboot. The malware injects itself into legitimate processes such as taskhost.exe or explorer.exe, evading security solutions that overlook these trusted processes. Xctdoor also gives attackers remote control over infected systems, allowing them to execute commands, steal data, and maintain long-term access.

Xctdoor's versatility extends to its information-gathering capabilities. It can capture screenshots, log keystrokes, monitor clipboard data, and collect system information, which lets attackers extract sensitive data including usernames, passwords, and confidential business information. The malware communicates with C&C servers over HTTP, using Mersenne Twister-based encryption and Base64 encoding to obfuscate its traffic; this makes it harder for network monitoring tools to flag the malicious communications.

In recent cases, Xctdoor has also been deployed in attacks against vulnerable web servers, particularly outdated versions of Windows IIS. By exploiting poor configurations or unpatched software, attackers install XcLoader, an injector that facilitates the execution of Xctdoor. Once injected into legitimate processes, Xctdoor can exfiltrate valuable data and carry out further malicious activity under the guise of regular system operations. This method of operation illustrates the evolving sophistication of malware attacks, where attackers continuously refine their techniques to bypass modern security measures.
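The persistence, Regsvr32 and process-injection behaviours described above map to host telemetry a defender can check. The following is an added example (not code from the page or from ASEC) that runs simple detection rules over constructed Sysmon-style events; the event field names follow Sysmon's conventions, the paths and SIDs are made up, and the path heuristics are assumptions a real deployment would tune.

```python
import re

# Constructed Sysmon-style events (hypothetical sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\Public\Libraries\update.dll"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\ctl.dll"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.lnk"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\Libraries\ld.exe", "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Locations an unprivileged user can write to; a legitimate COM server rarely lives here.
USER_WRITABLE = re.compile(r"^C:\\(Users|ProgramData|Windows\\Temp)\\", re.I)
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:dll|ocx))"?', re.I)
INJECT_TARGETS = {"taskhost.exe", "explorer.exe"}  # processes named on the page

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return a rule name when the event matches one of the described behaviours, else None."""
    eid = ev["EventID"]
    if eid == 1 and basename(ev["Image"]) == "regsvr32.exe":
        m = DLL_ARG.search(ev["CommandLine"])
        if m and USER_WRITABLE.match(m.group(1)):
            return "regsvr32_loads_userwritable_dll"        # T1218.011
    elif eid == 13 and RUN_KEY.search(ev["TargetObject"]):
        if USER_WRITABLE.match(ev["Details"].strip('"')):
            return "run_key_points_to_userwritable_path"    # T1547.001
    elif eid == 11 and STARTUP_DIR.search(ev["TargetFilename"]):
        return "startup_folder_drop"                        # T1547.001
    elif eid == 8 and basename(ev["TargetImage"]) in INJECT_TARGETS:
        return "remote_thread_into_trusted_process"         # T1055
    return None

def scan(events):
    """Apply check_event to every event and return the rule names that fired, in order."""
    return [hit for ev in events if (hit := check_event(ev))]

if __name__ == "__main__":
    for name in scan(SAMPLE_EVENTS):
        print("ALERT", name)
```

The second regsvr32 event and the csrss-to-notepad thread are negative cases and produce no alert.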

MITRE Tactics and Techniques

1. Initial Access (T1078, T1190)
  • Exploitation of Vulnerability: Xctdoor gained initial access by exploiting vulnerabilities in Korean ERP solutions and web servers (specifically outdated Windows IIS servers). This involves exploiting misconfigurations or unpatched software.
  • Valid Accounts: Attackers may also gain initial access using stolen credentials to compromise the ERP systems, granting them entry to internal networks.

2. Execution (T1203, T1059.001)
  • Exploitation for Client Execution: Xctdoor leverages Regsvr32.exe to execute malicious DLLs and run the malware within the system. This technique allows attackers to bypass some security measures and execute their payload.
  • Command and Scripting Interpreter (PowerShell): In some cases, Xctdoor uses PowerShell commands for script execution and system information gathering.

3. Persistence (T1547.001)
  • Registry Run Keys/Startup Folder: Xctdoor achieves persistence by copying itself into the system's startup folder and modifying Registry Run keys, ensuring it survives system reboots.

4. Privilege Escalation (T1055)
  • Process Injection: Xctdoor injects its malicious code into legitimate processes such as taskhost.exe or explorer.exe, allowing the malware to execute with elevated privileges and evade detection.

5. Defense Evasion (T1218.011, T1070.004)
  • Signed Binary Proxy Execution (Regsvr32): Xctdoor abuses Regsvr32.exe, a legitimate Windows utility, to execute malicious DLLs without triggering standard security alerts.
  • Indicator Removal on Host: In some cases, Xctdoor may attempt to clean logs or delete traces of its activity to avoid detection and forensic analysis.

6. Credential Access (T1056.001)
  • Keylogging: Xctdoor includes a keylogging capability that lets attackers capture user credentials and other sensitive information by recording keystrokes.

7. Discovery (T1082, T1016)
  • System Information Discovery: The malware collects basic system information such as computer name, username, and running processes, and sends it to the command-and-control (C&C) server.
  • System Network Configuration Discovery: Commands like ipconfig are used to gather network configuration details, helping attackers understand the network layout and find further attack vectors.

8. Collection (T1113, T1115, T1005)
  • Screen Capture: Xctdoor can capture screenshots from the infected system, giving attackers visual access to sensitive data.
  • Clipboard Data: The malware monitors and captures clipboard data, allowing exfiltration of potentially sensitive information copied by the user.
  • Data from Local System: Xctdoor also collects information from local drives, including file metadata and potentially valuable data for exfiltration.

9. Command and Control (T1071.001, T1095)
  • Web Protocols: Xctdoor communicates with its C&C server over HTTP using encrypted packets, so the communication blends with normal web traffic and is harder to detect.
  • Non-Application Layer Protocol (Mt19937): Xctdoor employs the Mersenne Twister and Base64 algorithms to encrypt its C&C traffic, making the communication more difficult to analyze.

10. Exfiltration (T1041)
  • Exfiltration Over C2 Channel: Xctdoor exfiltrates data such as screenshots, keylogs, and system information through the established C&C channel, using encrypted communications.

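The Command and Control entry above names Mersenne Twister (MT19937) plus Base64 as the traffic obfuscation. As an added illustration (not code from the page or from ASEC), the following Python models a hypothetical scheme of that kind: each packet is XORed with a keystream drawn from MT19937 and then Base64-encoded. The seed size, keystream derivation and the fixed "XC1|" packet header are assumptions, since the page gives none of these details; recover_seed shows, from the analyst's side, why a PRNG keystream with a small seed and a constant header can be recovered from captured traffic.

```python
import base64
import random

def mt_keystream(seed, n):
    """n keystream bytes from MT19937 (CPython's random.Random is MT19937-based)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def encode_packet(plaintext, seed):
    """Hypothetical sender side: XOR with the MT keystream, then Base64 (assumed layout)."""
    return base64.b64encode(xor(plaintext, mt_keystream(seed, len(plaintext)))).decode("ascii")

def decode_packet(b64, seed):
    """Analyst side: undo Base64, then XOR with the same keystream."""
    raw = base64.b64decode(b64)
    return xor(raw, mt_keystream(seed, len(raw)))

def recover_seed(b64, known_prefix, seed_space):
    """Known-plaintext seed recovery: try each candidate seed against the constant header.
    With a 32-bit or smaller seed the search is feasible, which is why an MT keystream
    obfuscates traffic rather than protecting it; returns the seed or None."""
    raw = base64.b64decode(b64)[:len(known_prefix)]
    for s in seed_space:
        if xor(raw, mt_keystream(s, len(raw))) == known_prefix:
            return s
    return None

if __name__ == "__main__":
    # Constructed beacon: fixed "XC1|" header plus host info (sample data, not real traffic).
    beacon = b"XC1|HOST=WS01;USER=alice"
    wire = encode_packet(beacon, 1234)
    assert decode_packet(wire, 1234) == beacon
    print("recovered seed:", recover_seed(wire, b"XC1|", range(5000)))
```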
References
  • Xctdoor Malware Used in Attacks Against Korean Companies (Andariel)
Tags: AhnLab, Andariel, APT45, Backdoors, Malware, North Korea, South Korea, Xctdoor