North Korean defectors, journalists who cover North
Korea-related news, and entities in South Korea are being zeroed in
on by a nation-state-sponsored advanced persistent threat (APT) as
part of a new wave of highly-targeted surveillance attacks.
Russian cybersecurity firm Kaspersky attributed the
infiltrations to a North Korean hacker group tracked as
ScarCruft, also known as APT37[1], Reaper Group,
InkySquid, and Ricochet Chollima.
“The actor utilized three types of malware with similar
functionalities: versions implemented in PowerShell, Windows
executables and Android applications,” the company’s Global
Research and Analysis Team (GReAT) said[2]
in a new report published today. “Although intended for different
platforms, they share a similar command and control scheme based on
HTTP communication. Therefore, the malware operators can control
the whole malware family through one set of command and control
scripts.”
Likely active since at least 2012, ScarCruft is known for
targeting public and private sectors situated in South Korea with
an aim to plunder sensitive information stored in the compromised
systems, and has been previously observed using a Windows-based
backdoor called RokRAT[3].
The primary initial infection vector used by APT37 is
spear-phishing, in which the actor sends an email to a target that
is weaponized with a malicious document. In August 2021, the threat
actor was unmasked using two exploits in the Internet Explorer web
browser to infect victims with a custom implant known as BLUELIGHT[4]
by staging a watering hole attack against a South Korean online
newspaper.
The case investigated by Kaspersky is both similar and different
in some ways. The actor reached out to the victim’s associates and
acquaintances using stolen Facebook account credentials to
establish initial contact, only to follow it up with a
spear-phishing email enclosing a password-protected RAR archive
that includes a Word document. This decoy document claims to be
about “North Korea’s latest situation and our national
security.”
Opening the Microsoft Office document triggers the execution of
a macro and the decryption of the next-stage payload embedded
within the document. The payload, a Visual Basic Application (VBA),
contains a shellcode that, in turn, retrieves from a remote server
the final-stage payload with backdoor capabilities.
Additional techniques uncovered by GReAT on one of the infected
victims show that post its breach on March 22, 2021, the operators
managed to collect screenshots for a period of two months between
August and September, before deploying a fully-featured malware
called Chinotto in late August to control the device and exfiltrate
sensitive information to a command-and-control (C2) server.
What’s more, Chinotto comes with its own Android variant to
achieve the same goal of spying on its users. The malicious APK
file, delivered to the recipients via a smishing attack, prompts
users to grant it a wide range of permissions during the
installation phase, enabling the app to amass contact lists,
messages, call logs, device information, audio recordings, and data
stored in apps such as Huawei Drive, Tencent WeChat (aka Weixin),
and KakaoTalk.
Kaspersky said it worked with South Korea’s emergency response
teams to take down ScarCruft’s attack infrastructure, adding it
traced the roots of Chinotto in PoorWeb[5], a backdoor previously
attributed to use by the APT group.
“Many journalists, defectors and human rights activists are
targets of sophisticated cyberattacks,” the researchers said.
“Unlike corporations, these targets typically don’t have sufficient
tools to protect against and respond to highly skilled surveillance
attacks.”
References
Read more https://thehackernews.com/2021/11/new-chinotto-spyware-targets-north.html