Xctdoor Malware Exploits IIS Servers by Injecting Malicious Code

Unidentified attackers compromised a Korean ERP solution, exploiting a vulnerability to gain access to the update server, which allowed them to distribute malware disguised as legitimate updates, potentially targeting the Korean defense and manufacturing industries. 

The malware, similar to the Andariel group’s 2017 HotCroissant attack, injects malicious code into the ERP update program and uses the string “Xct” during development, leading to its classification as Xctdoor. 

The Andariel subgroup, linked to the Lazarus group, used the Rifdoor backdoor in attacks between November 2015 and early 2016. In 2017, they switched to a variant identified as identical to the Lazarus group’s HotCroissant backdoor. 

 The downloader routine inserted into the ERP update program

This variant exploited a Korean ERP solution’s update program, “ClientUpdater.exe,”  to download and execute additional malicious payloads. The downloaded malware was the HotCroissant backdoor, indicating its continued use in attacks since 2017.  

Attackers compromised an ERP system’s update server in May 2024. A malicious routine was inserted into the update program to execute a DLL through Regsvr32.exe, which identified itself as Xctdoor, steals system information, and awaits commands. 

The execution routine inserted into the ERP update program

Upon execution, Xctdoor injects itself into common processes and copies itself to a hidden location within Microsoft Edge’s settings folder. A startup shortcut using Regsvr32.exe ensures persistence by loading Xctdoor through a seemingly legitimate file. 

A new attack campaign leverages XcLoader, a malware injector, in both Go and C versions to inject “roaming.dat” into explorer.exe, which ultimately executes Xctdoor, a backdoor that steals information (username, computer name, etc.) and transmits it to the attacker’s server. 

It can also capture screenshots, log keystrokes and clipboard data, and steal drive information. Communication with the command and control server utilizes HTTP with Mersenne Twister and Base64 encryption.  

ctdoor’s C&C communication packets

Attackers targeted outdated Windows IIS web servers (version 8.5) in March 2024, likely exploiting vulnerabilities or misconfigurations to install XcLoader malware. 

This malware injects malicious code (possibly the Xcdoor backdoor) into processes like explorer.exe, where the attackers also retrieve system information (ipconfig, systeminfo, etc.) and potentially install a web shell for further control. 

The path where the malware logs its activities

XcLoader logged activity to a path suggesting a pre- compromised web server and used Ngrok, a tunneling tool, to potentially enable remote access via RDP for further exploitation. 

ASEC has identified attacks targeting the Korean defense and manufacturing sectors since at least April 2024, as the attackers exploited a vulnerability in a Korean ERP solution to deploy XcLoader, an injector malware, which injects Xcdoor, a backdoor, into victim systems. 

It can steal various system information and receive commands from the attacker, as users are advised to be cautious of emails and downloaded files. 

Security administrators should patch vulnerabilities and update antivirus software for Indicators of Compromise (IoCs), including file hashes, behavior detections, and C&C server addresses.  

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here