Operation Earth Kitsune’s Preeminent Evolution—dneSpy and agfSpy

Trend Micro researchers recently uncovered a watering hole campaign, dubbed Operation Earth Kitsune, that compromises websites in order to steal information.

About the campaign

The campaign employs two backdoors, agfSpy and dneSpy, along with the SLUB (Slack and GitHub-based) malware, which gives its infrastructure versatility and resilience.
  • The backdoors agfSpy and dneSpy were used in the campaign to exfiltrate data and take control of affected systems.
  • The campaign has been using custom-coded elements, such as Chrome exploit shellcode, and a variety of components with dynamic pivoting capabilities.
  • Researchers had earlier published a research paper on Operation Earth Kitsune detailing the heavy use of the SLUB malware along with the two fully functional espionage backdoors, agfSpy and dneSpy, including the relationship between these components and their C&C servers.

Shifting to Mattermost

  • Analysts reported multiple instances of Operation Earth Kitsune attacks in March, May, and September, delivering a new variant of the SLUB malware that incorporates new techniques and capabilities.
  • While the malware was seen using the Slack and GitHub platforms for communication in 2019, in recent attacks it was found using Mattermost, an open-source alternative to Slack.

Conclusion

The implementation of various techniques, such as checks for security software during malware deployment, has made the cybercriminals behind the Earth Kitsune campaign more capable and highly active. Experts recommend a multilayered security approach to detect and block such complex threats before they infiltrate systems.