APT37 Targets South Korean Notables With Chinotto Malware

A North Korean threat group, dubbed APT37, is targeting South Korean defectors, journalists, and human rights activists. The group has been using a new multi-platform malware named Chinotto against its victims.

What has happened?

According to Kaspersky, APT37 used spear-phishing emails and smishing attacks against South Korean targets to distribute the Chinotto malware. The goal is to surveil victims' mobile and desktop devices.
The malware is delivered to victims' systems months after the initial compromise.
  • In one case, the attackers waited around six months before delivering Chinotto to exfiltrate sensitive data.
  • The attackers attempt to steal victims' credentials in order to infect further targets via email and social media.
  • In that case, the host is believed to have been compromised on March 22, and the malware was delivered in August.

About the Chinotto malware

Chinotto is highly customizable malware that allows the threat actors to control targeted devices and spy on their users.
  • The malware is capable of capturing screenshots, deploying additional payloads, and collecting data.
  • The malware developers regularly change its capabilities to avoid detection and build custom variants tailored to the victim's scenario.
  • It is believed that if a victim's host and mobile device are both infected at the same time, the attackers may overcome two-factor authentication by stealing SMS messages from the smartphone.

Both Windows and Android systems on target

Chinotto is capable of infecting both Windows and Android devices.
  • The Windows and Android variants of this malware use a similar C2 communication pattern and send the stolen information to web servers located mainly in South Korea.
  • The Android variants request various permissions on infected devices and, once these are granted, collect sensitive data such as text messages, call logs, contacts, device information, and audio recordings.
  • According to the researchers, the attackers likely used spear-phishing to target Windows systems and smishing to target Android devices. The threat actor uses both a Windows executable and a PowerShell version of the malware to control compromised systems.

Conclusion

North Korea-based threat actors are known to target South Korean entities for geopolitical reasons. APT37 is yet another group presumed to have been operating with the same goals for a long period of time. Experts suggest that sharing threat intelligence is key to staying protected against such attacks.

Cyware Publisher