Full Report
Who is knocking at the Dohdoor? Digital intruders with possible links to North Korea have been infecting US education and healthcare sectors with a never-before-seen backdoor since at least December, according to security researchers.…
Analysis Summary
# Threat Actor: UAT-10027 (Suspected North Korean Group)
## Attribution & Identity
* **Attribution:** Suspected links to North Korea, based on similarities to Lazarus Group and other Pyongyang-backed groups. Cisco Talos assigns this attribution with low confidence.
* **Known Aliases and Associated Groups:** Tracked by Talos as **UAT-10027**. Shares technical overlap with **Lazarus Group** malware (e.g., Lazarloader).
## Activity Summary
* **Recent Campaigns:** Observed infecting US education and healthcare sectors with a never-before-seen backdoor named **Dohdoor** since at least December (of the reporting year).
* **Operations:** Attacks involve a multi-stage infection chain leading to installation of the Dohdoor backdoor, which then downloads and executes a Cobalt Strike Beacon payload into memory.
## Tactics, Techniques & Procedures
* **Initial Access:** Likely via social engineering and phishing emails.
* **Execution/Defense Evasion:**
  * Uses a PowerShell downloader that executes a Windows batch script dropper fetched from a remote staging server.
  * Employs Dynamic-Link Library (DLL) sideloading to execute malicious DLLs named "propsys.dll" or "batmeter.dll".
* **Process Hollowing:** Used to inject the final payload into a legitimate Windows binary.
* **EDR Bypass:** Uses an NTDLL unhooking technique to evade EDR monitoring: the original system call stubs in `ntdll.dll` are restored, removing the user-mode hooks that EDR products place there.
* **Command and Control (C2):**
  * Sets up C2 domains using Cloudflare infrastructure.
  * Uses **DNS-over-HTTPS (DoH)** to resolve C2 IP addresses, making the outbound resolution look like ordinary HTTPS traffic and bypassing DNS-based security tools.
* **MITRE ATT&CK Overlaps:** Techniques similar to Lazarus Group's Lazarloader, specifically NTDLL unhooking capabilities.
## Targeting
* **Sectors:** US Education (including universities connected to other institutions) and Healthcare (specifically elderly care facilities).
* **Geography:** United States.
* **Victims:** Several educational institutions and at least one healthcare facility focused on elderly care.
## Tools & Infrastructure
* **Malware Families Used:** **Dohdoor** (new backdoor/loader), **Cobalt Strike Beacon** (secondary payload).
* **Infrastructure (C2, domains, IPs):** C2 infrastructure leverages **Cloudflare** for domain setup/hosting and utilizes **DNS-over-HTTPS (DoH)** for communications concealment.
## Implications
The actor is leveraging new, sophisticated techniques (Dohdoor, NTDLL unhooking, DoH/Cloudflare infrastructure) to achieve persistence. While sharing technical overlaps with Lazarus, the current focus on critical infrastructure sectors like education and healthcare suggests potential objectives differing from Lazarus' typical focus on cryptocurrency or defense. The motivation is assessed as likely **financial gain**.
## Mitigations
* Monitor for anomalous PowerShell activity used for initial execution and loading.
* Implement detection for DLL sideloading, particularly involving `propsys.dll` or `batmeter.dll`.
* Deploy security solutions capable of detecting EDR bypass techniques, such as verifying the integrity of `ntdll.dll` hooks and system call stubs, or detecting process hollowing.
* Monitor, and where possible restrict, outbound DNS-over-HTTPS (DoH) traffic from endpoints that is not directed to trusted resolvers, since the actor uses DoH to conceal C2 communication.
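As an added example that is not part of this report or of Talos' tooling, the following Python applies two of the mitigations above to constructed Sysmon-style telemetry: it flags `propsys.dll` or `batmeter.dll` loaded from outside the Windows system directories, and outbound HTTPS to a well-known public DoH resolver other than the organisation's sanctioned one. The sanctioned resolver name `doh.corp.example`, the event layout and the sample events are assumptions.

```python
# Added example: flag two Dohdoor-relevant behaviours in constructed Sysmon-style
# telemetry (image-load Event ID 7, network-connect Event ID 3). 'doh.corp.example'
# is a hypothetical sanctioned resolver; no value here is an IoC from the report.
from __future__ import annotations
import ntpath

SIDELOAD_NAMES = {"propsys.dll", "batmeter.dll"}   # DLL names from the report
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TRUSTED_DOH_HOSTS = {"doh.corp.example"}            # constructed
# Well-known public DoH endpoints; an endpoint that should use the corporate
# resolver has no reason to reach these over HTTPS (report: DoH used for C2).
PUBLIC_DOH_HOSTS = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1",
                    "dns.google", "8.8.8.8", "dns.quad9.net", "9.9.9.9"}

def flag_sideload(event: dict) -> str | None:
    """Image-load: a sideload-prone DLL name loaded from outside the system dirs."""
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower().rstrip("\\")
    if name not in SIDELOAD_NAMES or directory in SYSTEM_DIRS:
        return None
    return f"sideload:{name} loaded by {event.get('Image')} from {directory}"

def flag_doh(event: dict) -> str | None:
    """Network connect: HTTPS to a known public DoH resolver that is not sanctioned."""
    host = (event.get("DestinationHostname") or event.get("DestinationIp", "")).lower()
    if event.get("DestinationPort") == 443 and host in PUBLIC_DOH_HOSTS - TRUSTED_DOH_HOSTS:
        return f"doh:{event.get('Image')} -> {host}"
    return None

CHECKS = {7: flag_sideload, 3: flag_doh}

def scan(events: list[dict]) -> list[str]:
    """Run the check matching each event type; return alert strings in event order."""
    hits = (CHECKS[e["EventID"]](e) for e in events if e.get("EventID") in CHECKS)
    return [h for h in hits if h]

# Constructed sample telemetry (not from the report).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\propsys.dll"},        # benign system load
    {"EventID": 7, "Image": r"C:\Users\Public\update\unpacker.exe",
     "ImageLoaded": r"C:\Users\Public\update\batmeter.dll"},    # sideload candidate
    {"EventID": 3, "Image": r"C:\Users\Public\update\unpacker.exe",
     "DestinationHostname": "cloudflare-dns.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "doh.corp.example", "DestinationPort": 443},
]
if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
```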