Baddies hijack Korean ERP vendor's update systems to spew malware

Notorious 'Andariel' crew takes a bite of HotCroissant backdoor for fresh attack

A South Korean ERP vendor's product update server has been attacked and used to deliver malware instead of product updates, according to local infosec outfit AhnLab.

A Monday post by AhnLab's Security intelligence Center (ASEC) didn't name the ERP vendor, but noted the attacker's tactics resemble those used by the North-Korea-linked Andariel group – a subsidiary of the Lazarus Group.

ASEC's researchers wrote that Andariel has form installing backdoors named HotCroissant and Riffdoor, and has been observed targeting ERP systems by altering ClientUpdater.exe so it delivers evil updates.

In the recent incident detected by ASEC, attackers inserted a routine to execute a DLL from a specific path using the Regsvr32.exe process. The Korean researchers named that DLL Xctdoor and rated the malware as "capable of stealing system information and executing commands from the threat actor." They suggested that's likely possible due to an attack on an ERP's update server.

"Threat actors can control infected systems and exfiltrate information through this malware," noted ASEC.

"The ultimately executed Xctdoor is a backdoor that transmits basic information such as the username, computer name, and the malware's PID to the C&C server and can execute commands received from it," the researchers wrote. "Furthermore, it supports information theft functions such as screenshot capture, keylogging, clipboard logging, and transmitting drive information."

Andariel primarily attacks financial institutions, government entities and defense contractors, often seeking to steal funds or sensitive information, but has also been known to branch out to healthcare and other areas.

The latest attacks targeted the defense sector, but came within months of attacks on other industries including manufacturing,.

"Users must be particularly cautious against attachments in emails from unknown sources and executable files downloaded from web pages," urged ASEC. "Security administrators must enhance monitoring of asset management programs and apply patches for any security vulnerabilities in the programs." ®

More about


Send us news

Other stories you might like