Flash Notices

Flash Notice: Xctdoor Malware Targeting IIS Servers

Written by Marketing | Jul 8, 2024 1:53:20 PM

overview

This week, security researchers discovered that Xctdoor malware is actively targeting IIS servers to distribute additional malicious software. This attack has primarily affected the defense and manufacturing sectors by exploiting a Korean ERP solution. 

The attackers used a compromised Korean ERP update server to infiltrate systems, similar to methods used by the Andariel group. The Go-based Xctdoor malware injects itself into system processes and survives system reboots by utilizing startup shortcuts. It is capable of stealing system information and executing commands from a command and control (C&C) server. 

In March 2024, there was an attack on manufacturing sector web servers using XcLoader to propagate Xctdoor. By May 2024, attacks were focused on the defense sector using a modified approach involving Regsvr32.exe to run a malicious DLL.  

Unauthorized access to sensitive information can lead to significant data breaches, resulting in financial loss, reputational damage, and potential legal consequences. Organizations should be particularly concerned about Xctodoor’s ability to steal sensitive data, execute arbitrary commands, and evade detection.  

 

 

avertium's recommendationS

  • Email Vigilance - Be cautious with email attachments and downloads. 
  • System Monitoring - Increase monitoring of asset control systems. 
  • Security Updates - Apply all available security updates to IIS servers and ERP solutions. 
  • Patch Management - Ensure all systems and applications are kept up-to-date with the latest patches. 

 

 

INDICATORS OF COMPROMISE (IoCs)

MD5 

  • 09a5069c9cc87af39bbb6356af2c1a36 
  • 11465d02b0d7231730f3c4202b0400b8 
  • 235e02eba12286e74e886b6c99e46fb7 
  • 2e325935b2d1d0a82e63ff2876482956 
  • 375f1cc32b6493662a78720c7d905bc3 
  • 396bee51c7485c3a0d3b044a9ceb6487 
  • 41d5d25de0ca0fdc54c24c484f9f8f55 
  • 4f5e5a392b8a3e0cb32320ed1e8d0604 
  • 54d5be3a4eb0e31c0ba7cb88f0a8e720 
  • 6928fab25ac1255fbd8d6c1046653919 
  • 9a580aaaa3e79b6f19a2c70e89b016e3 
  • 9bbde4484821335d98b41b44f93276e8 
  • a42ae44761ce3294ce0775fe384d97b6 
  • ab8675b4943bc25a51da66565cfc8ac8 
  • ad96a8f22faab8b9c361cfccc381cd28 
  • b43a7dcfe53a981831ae763a9a5450fd 
  • b96b98dede8a64373b539f94042bdb41 
  • d787a33d76552019becfef0a4af78a11 
  • d852c3d06ef63ea6c6a21b0d1cdf14d4 
  • d938201644aac3421df7a3128aa88a53 
  • e554b1be8bab11e979c75e2c2453bc6a 
  • f24627f46ec64cae7a6fa9ee312c43d7 

SHA-1 

  • 16e0cc0f61c80e3d9d1eb4708c153b6b611e81af 
  • 3351a8e25e471e4704628e990525ceed1d79791b 
  • 4787366989231b23beaa6db3147929190aa0c896 
  • 73b3a3fa14b32dff0109cf1c05cdd9076aad1264 
  • afbd35ec6e045313a428c9ed125ce0ba6673cbe5 
  • c7c8a0e82718712b1ccaeb5ed9cd28b3f6301292 

SHA256 

  • 1417416ba94d9a0f3c34be4c529c2447de8db8785c6835851689f66e5b6c951d 
  • 3d4b90f520ed82ef886f0a38e1a621ead2d42fa3ef91a6083a484f3e361028e2 
  • 3e7715ac57003f8a80119ab348a7a7b260afde749cad3c56bd2d9ab931288f92 
  • 934622b6a764a3b4f2a0049c62e66b9ad65a7987c83c37879c6772a61760707e 
  • 9974b4befa2906a6925e786c47651319ed70e3b9fe1f76e25ae0ef81f6555996 
  • c61eca8cf14ce18a54616c3bbe17973a0c1ccca45bb1a2c4c13aa0c4c4996a7a 

IPv4 

  • 195[.]50[.]242[.]110 

URLs 

  • hxxp://beebeep[.]info/index[.]php: 
  • hxxp://www[.]jikji[.]pe[.]kr/xe/files/attach/binaries/102/663/image.gif: 

Domain 

  • beebeep[.]info 

Hostname 

  • www[.]jikji[.]pe[.]kr 

 

 

How Avertium is Protecting Our CUSTOMERS

  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan). 
  • Fusion MXDR  is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 




 

SUPPORTING DOCUMENTATION

Xctdoor Malware Attacking IIS Servers To Distribute Malware - LevelBlue - Open Threat Exchange (alienvault.com) 

Xctdoor Malware Used in Attacks Against Korean Companies (Andariel) - ASEC BLOG (ahnlab.com) 

Xctdoor Malware Attacking IIS Servers To Distribute Malware (cybersecuritynews.com)