KSystem ERP updater stole data
A Korean ERP updater was modified to launch Xctdoor through Regsvr32. ASEC linked the method to Andariel-style ERP update abuse against Korean companies.
Story
ASEC described a May 2024 attack against Korean companies in defense and manufacturing. The attacker appears to have abused a Korean ERP update server, then used the ERP update program as the trusted local execution path.
The changed program was ClientUpdater.exe. In the older 2017 pattern, Andariel inserted downloader logic into the ERP updater to fetch HotCroissant. In the 2024 case, ASEC saw a simpler routine that executed a DLL from a specific path with Regsvr32.exe.
The payload was Xctdoor, a Go DLL backdoor named from strings such as XctMain. It injected into processes including taskhost.exe, taskhostex.exe, taskhostw.exe, and explorer.exe, copied itself to an Edge package settings path as roaming.dat, and installed startup persistence.
This record stays scoped to the ERP update path. Public reporting did not prove a broad customer compromise or publish victim counts, but it did identify the affected mechanism, payload family, and Korean industrial target set.
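The chain described above (a trusted ERP updater launching Regsvr32 on a DLL, the payload injecting into taskhost/explorer processes, and a copy dropped as roaming.dat under an Edge package path) gives a defender three concrete hunting pivots. The following is an added example, not ASEC or KSystem code: three small rules run over constructed Sysmon-style events. The event field names, the `C:\KSystem\` install path, the DLL path in the command line and the exact Edge package directory layout are all assumptions; only the process names, the updater name and the roaming.dat file name come from the public reporting.

```python
"""Hunting rules for the ERP-updater -> Regsvr32 -> Xctdoor chain.

Added example (not ASEC's or KSystem's code). Events are simplified
Sysmon-like dicts; field names and paths are assumptions/constructed.
"""
from __future__ import annotations

import ntpath

# Names taken from the public report.
UPDATER = "clientupdater.exe"
INJECTION_TARGETS = {"taskhost.exe", "taskhostex.exe", "taskhostw.exe", "explorer.exe"}
DROPPED_NAME = "roaming.dat"


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works off-Windows too)."""
    return ntpath.basename(path).lower()


def rule_updater_spawns_regsvr32(ev: dict) -> str | None:
    """The updater itself should never need to register a DLL via regsvr32."""
    if ev.get("event") != "process_create":
        return None
    if _base(ev.get("parent_image", "")) == UPDATER and _base(ev.get("image", "")) == "regsvr32.exe":
        return f"updater launched regsvr32: {ev.get('cmdline', '')}"
    return None


def rule_injection_into_system_process(ev: dict) -> str | None:
    """Assumption: the DLL runs inside the regsvr32 host, so that process
    opening handles to the listed targets is the injection step."""
    if ev.get("event") != "process_access":
        return None
    if _base(ev.get("source_image", "")) == "regsvr32.exe" and _base(ev.get("target_image", "")) in INJECTION_TARGETS:
        return f"regsvr32 accessed {ev['target_image']} (access {ev.get('granted_access', '?')})"
    return None


def rule_roaming_dat_drop(ev: dict) -> str | None:
    """roaming.dat written under an Edge package settings directory.
    Assumed layout: ...\\Packages\\<edge package>\\Settings\\roaming.dat."""
    if ev.get("event") != "file_create":
        return None
    p = ev.get("target_filename", "").lower()
    if _base(p) == DROPPED_NAME and "\\packages\\" in p and "edge" in p and "\\settings\\" in p:
        return f"roaming.dat dropped at {ev['target_filename']}"
    return None


RULES = (rule_updater_spawns_regsvr32, rule_injection_into_system_process, rule_roaming_dat_drop)


def run_rules(events: list[dict]) -> list[str]:
    """Apply every rule to every event and collect the alert strings."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed sample telemetry: three true positives interleaved with three benign events.
SAMPLE_EVENTS = [
    {"event": "process_create", "parent_image": r"C:\KSystem\ClientUpdater.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\ProgramData\Update\update.dll"},           # hit (paths constructed)
    {"event": "process_create", "parent_image": r"C:\KSystem\ClientUpdater.exe",
     "image": r"C:\KSystem\ClientUpdater.exe", "cmdline": "ClientUpdater.exe /check"},  # benign self-spawn
    {"event": "process_access", "source_image": r"C:\Windows\System32\regsvr32.exe",
     "target_image": r"C:\Windows\System32\taskhostw.exe", "granted_access": "0x1fffff"},  # hit
    {"event": "process_access", "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\explorer.exe", "granted_access": "0x1000"},            # benign
    {"event": "file_create", "image": r"C:\Windows\System32\regsvr32.exe",
     "target_filename": r"C:\Users\u\AppData\Local\Packages\Microsoft.Edge_x\Settings\roaming.dat"},  # hit
    {"event": "file_create", "image": r"C:\Program Files\App\app.exe",
     "target_filename": r"C:\Users\u\AppData\Local\App\roaming.dat"},                    # benign: wrong directory
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The first rule is the highest-value one: a parent/child pair that has a legitimate reason to exist only if the vendor ships DLL registration as part of its update flow, so a single match is worth a full triage of the update server. The other two rules confirm the payload stage and should be correlated with the first rather than used alone, since explorer.exe handle opens are common on a busy host.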
Affected Artifacts
- Observed: 2024-05-01 to 2024-05-31
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes:
  - md5:ab8675b4943bc25a51da66565cfc8ac8
  - md5:f24627f46ec64cae7a6fa9ee312c43d7
  - md5:ad96a8f22faab8b9c361cfccc381cd28
  - 3 more hashes not shown here
Incident Context
- Motive: Espionage, Data Theft
- Attribution: State
- Cause: Server Compromise
- Transitive: No
- Actor: Andariel
- Actor Country: North Korea
External References
- KSystem security breach prevention vulnerability inspection guidance, blog.ksystem.co.kr
- Xctdoor Malware Used in Attacks Against Korean Companies (Andariel), asec.ahnlab.com
Source record: proprietary/ksystem/meta.yaml