
Earth Kitsune Returns to Target Selected Entities in China and Japan

A cyberattack campaign has been found targeting individuals—in China and Japan—who show a particular interest in North Korea. The attackers were also seen distributing a novel backdoor via the watering hole technique. Based on its modus operandi, the infrastructure used, and the victimology, the campaign has been attributed to the Earth Kitsune threat group.

What has been discovered?

According to Trend Micro, the attackers compromised the website of a pro-North Korean organization and modified it to distribute malware called WhiskerSpy.
  • When a user visited the website and tried to play the video, it would display an error and ask them to install a video codec to run the media.
  • The trojanized codec installer comprised a genuine video codec, along with the previously unseen backdoor WhiskerSpy.
  • The WhiskerSpy backdoor, as the main payload, allows its operator to remotely perform several actions on the infected machine.

Further, to ensure persistence, attackers abused Google Chrome’s native messaging host and installed a malicious extension called Google Chrome Helper on the victim’s machine.

Attackers picking targets

  • The malicious website was configured to serve the malware only to visitors whose IP address fell within specific ranges.
  • Those ranges covered subnets located in Shenyang (China) and Nagoya (Japan), plus one subnet located in Brazil.
  • The Brazilian subnet belonged to a commercial VPN service in Brazil and is suspected to have been used only by the attackers to test their watering hole attacks.

About WhiskerSpy

  • WhiskerSpy allows uploading, downloading, scanning, and deleting files, capturing screenshots, activating an interactive shell, and injecting a shellcode into a running process.
  • It periodically communicates with the C2 server, encrypting the traffic with a 16-byte AES key, to report its status and receive instructions on further activities.

There’s an older version of malware

In addition, researchers discovered an older variant of this malware, capable of checking for the presence of a debugger on the target machine. It used the FTP protocol instead of HTTP for its communication, which means that the FTP username and password had to be hardcoded in the program.

Concluding notes

With little information available, the real agenda of Earth Kitsune is not clear, but the group is clearly capable of devising custom tools for itself, including the WhiskerSpy backdoor. To stay protected against such proficient and targeted threats, organizations should implement multilayered security across endpoints, servers, networks, and email, and leverage a threat intelligence platform for timely awareness of emerging threats.
Cyware Publisher
