Attackers exploited vulnerabilities in an outdated Apache Tomcat web server (a version released in 2013) to distribute malicious code; software that old is susceptible to a range of known attacks.
After gaining access to the server, the attackers installed backdoors to maintain control, along with proxy tools that could reroute traffic for malicious purposes.
The Andariel group has been using a Remote Access Trojan (RAT) named Nestdoor since at least May 2022.
This C++ malware can be remotely controlled by attackers to perform actions such as file transfer, command execution, and keylogging, and it uses obfuscation techniques to hinder analysis.
In June 2022, similar features were seen in “Unknown RAT” malware that was spread through the Log4Shell vulnerability (CVE-2021-44228) in VMware Horizon products. This suggests that there may be a link.
The Andariel group, linked to Lazarus, distributed TigerRAT in May 2022 by exploiting Log4Shell in VMware Horizon. In early 2023, Nestdoor was used alongside TigerRAT and shared the same C&C server. This points to a connection between the Nestdoor and TigerRAT campaigns, including the attacks on domestic companies and the Log4Shell exploitation.
The specific Nestdoor distribution method remains unclear, but a case from early 2024 involved malware disguised as an OpenVPN installer.
Running “OpenVPN Installer.exe” loaded “FirewallAPI.dll,” a launcher that placed “openvpnsvc.exe” (Nestdoor malware) in the system’s Resource folder. Nestdoor then used the task scheduler for persistence and communicated with a C&C server.
Attackers are also using a modified Nestdoor variant similar to the one seen in the OpenVPN case. While the communication protocol's command set and functionality have been reduced, the core structure, including the obfuscation and initialization routines, remains largely unchanged.
This new variant offers the same core functionalities as its predecessor, allowing attackers to manipulate files and establish reverse shell connections for complete control over compromised systems.
The Andariel group is deploying a new Go-based backdoor for each attack, the latest being Dora RAT. Dora RAT is a simple remote access tool offering reverse shell and file transfer functionality, and it comes in two variants: a standalone executable and one that injects itself into the explorer.exe process.
According to AhnLab Security Intelligence Center, attackers use a WinRAR SFX archive (spsvc.exe) containing a legitimate program (OneDriverStandaloneUpdate.exe) and a malicious DLL (version.dll).
When run from the user’s AppData directory, the program attempts to load the DLL, which decrypts and injects embedded Dora RAT malware into the explorer.exe process.
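Both infection chains above rely on DLL side-loading: a Windows system DLL name (FirewallAPI.dll beside "OpenVPN Installer.exe", version.dll beside OneDriverStandaloneUpdate.exe in AppData) is resolved from the program's own directory instead of System32. The following is an added detection example, not code from the report or from AhnLab; the event format (Sysmon-style `Image`/`ImageLoaded` fields) and the sample telemetry are constructed assumptions.

```python
"""Flag DLL side-loading in image-load telemetry (added example, constructed data).

A watched system DLL name loaded from anywhere other than the trusted Windows
directories is reported, together with whether it sat next to the loading EXE.
"""
from pathlib import PureWindowsPath

# DLL names abused in the two chains described in the report.
WATCHED_DLLS = {"version.dll", "firewallapi.dll"}

# Directories from which these DLLs are legitimately resolved.
# PureWindowsPath compares case-insensitively, so no lower() is needed.
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)

# Constructed Sysmon-style image-load events (Event ID 7 shape), not real logs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\OpenVPN Installer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\FirewallAPI.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\OneDriverStandaloneUpdate.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\version.dll"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},        # benign
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\FirewallAPI.dll"},    # benign
]


def find_sideloads(events):
    """Return one finding per watched DLL loaded from outside TRUSTED_DIRS."""
    hits = []
    for ev in events:
        dll = PureWindowsPath(ev["ImageLoaded"])
        if dll.name.lower() not in WATCHED_DLLS:
            continue
        # Any trusted directory among the DLL's ancestors means a normal load.
        if any(trusted in dll.parents for trusted in TRUSTED_DIRS):
            continue
        proc = PureWindowsPath(ev["Image"])
        hits.append({"process": str(proc), "dll": str(dll),
                     # Same directory as the EXE is the classic side-load sign.
                     "same_dir": dll.parent == proc.parent})
    return hits


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(hit)
```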
To further evade detection, some Dora RAT variants are even signed with a valid certificate from a compromised company.
In addition to Dora RAT, the attackers used Nestdoor to install a keylogger/clipboard logger that captured user input and clipboard data, while another piece of malware functioned as a file stealer, potentially targeting large amounts of data.
The majority of additional malicious tools were proxy tools, including some custom-made by the attacker and some open-source Socks5 tools.
Interestingly, one proxy matched a tool previously identified in a Lazarus group attack, suggesting the attacker might be reusing code.