Xctdoor Malware Attacking IIS Servers To Distribute Malware

Threat actors target IIS servers, as most of the internet-based crucial applications and services are installed on these servers. Hackers find these attractive targets for penetrating different organizational systems and information databases.

Besides this, the widespread use of IIS in enterprise environments further lucrates the attackers more.

Cybersecurity researchers at AhnLab SEcurity Intelligence Center (ASEC) recently discovered that Xctdoor malware has been attacking the IIS servers to distribute malware.

Xctdoor Malware Attacking IIS Servers

An unidentified threat actor used a Korean ERP solution to attack update servers and web servers, targeting the defense and manufacturing industries.

This method of attack, which involves malware insertion into ERP upgrade programs, is similar to one employed by the Andariel group in 2017.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

The Xctdoor malware is similar to Rifdoor, a backdoor connected with Lazarus’s subgroup Andariel since 2015.

A Rifdoor variant called HotCroissant has been used in targeted attacks since 2017. The initial infection vector involved using the update program for a Korean ERP solution to distribute malware internally. 

A similar attack was observed in May 2024, but this time around, with a modified approach that employed Regsvr32.exe to run a malicious DLL, consequently pointing out that the threat actor’s strategies were changing. 

The Go-based DLL malware, Xctdoor, was probably spread through an ERP update server. It injects itself into system processes and survives by using startup shortcuts while utilizing XcLoader as well. 

This is complex malware that can steal system information and execute commands, demonstrating the threat actor’s advanced capability in compromising and evading systems.

The explorer.exe process in Windows is infected with a “roaming.dat” file, which can be found both as Go and C versions. It also contains Xctdoor which was inserted into this process.

It then sends the simple system details to the C&C server, performs the commands received, and incorporates sundry data exfiltration features. 

Mersenne Twister and Base64 algorithms are used for packet encryption of HTTP communication, ASEC lab said. 

XcLoader targeted Microsoft IIS 8.5 web servers that were susceptible in March 2024, probably via misconfigurations or vulnerabilities.

Recent attacks exploited a Korean ERP solution to spread malware, as per the modus operandi of the Andariel group.

May 2024 had a focus on defense, while March 2024 saw an attack on manufacturing sector web servers, infecting them with XcLoader.

This backdoor software is used to inject Xcdoor, which allows it to collect information about the system and execute commands.

The use of such mechanisms in carrying out online attacks is well known; these include web shells and Ngrok.

Users should be vigilant about email attachments and downloads, whereas management should monitor asset control systems closely, apply all available security updates, and keep their systems up-to-date.

IoCs

MD5:-

– 235e02eba12286e74e886b6c99e46fb7: Modified ERP update program – past case (ClientUpdater.exe)

– 396bee51c7485c3a0d3b044a9ceb6487: HotCroissant – Past Case (***Kor.exe)

– ab8675b4943bc25a51da66565cfc8ac8: Modified ERP update program – latest case (ClientUpdater.exe)

– f24627f46ec64cae7a6fa9ee312c43d7: Modified ERP update program – latest case (ClientUpdater.exe)

– 6928fab25ac1255fbd8d6c1046653919: XcLoader (XcExecutor.exe)

– 9a580aaaa3e79b6f19a2c70e89b016e3: XcLoader (icsvcext.dll)

– a42ae44761ce3294ce0775fe384d97b6: XcLoader (icsvcext.dll)

– d852c3d06ef63ea6c6a21b0d1cdf14d4: XcLoader (icsvcext.dll)

– 2e325935b2d1d0a82e63ff2876482956: XcLoader (settings. Lock)

– 4f5e5a392b8a3e0cb32320ed1e8d0604: XcLoader (test.exe)

– 54d5be3a4eb0e31c0ba7cb88f0a8e720: XcLoader (test.exe)

– b43a7dcfe53a981831ae763a9a5450fd: XcLoader (test.exe)

– e554b1be8bab11e979c75e2c2453bc6a: XcLoader (test.exe)

– 41d5d25de0ca0fdc54c24c484f9f8f55: XcLoader (settings. Lock)

– b96b98dede8a64373b539f94042bdb41: XcLoader (settings. Lock)

– 375f1cc32b6493662a78720c7d905bc3: XcLoader (settings.lock)

– d938201644aac3421df7a3128aa88a53: XcLoader (onedrive.dll)

– d787a33d76552019becfef0a4af78a11: XcLoader (onedrive.dll)

– 09a5069c9cc87af39bbb6356af2c1a36: XcLoader (onedrive.dll)

– ad96a8f22faab8b9c361cfccc381cd28: Xctdoor (******.***.Common.RegEx.dll)

– 9bbde4484821335d98b41b44f93276e8: Xctdoor (******.***.Common.RegEx.dll)

– 11465d02b0d7231730f3c4202b0400b8: Xctdoor (******.***.Common.RegEx.dll)

C&C Server Addresses:-

– 195.50.242[.]110:8080: HotCroissant

– hxxp://beebeep[.]info/index.php: Xctdoor

Download URL:-

– hxxp://www.jikji.pe[.]kr/xe/files/attach/binaries/102/663/image.gif: HotCroissant

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files