The North Korea-linked ScarCruft advanced persistent threat (APT) group has developed a fresh, multiplatform malware family for attacking North Korean defectors, journalists and government organizations involved in Korean Peninsula affairs.

Since 2019, ScarCruft (aka APT37 or Temp.Reaper) has been using spyware dubbed Chinotto to target victims for espionage purposes, according to an analysis from Kaspersky, although the code only recently came to the attention of researchers.

Chinotto comes in three variants built for a single goal: surveilling victims on both desktop and mobile.

“The actor utilized three types of malware with similar functionalities: Versions implemented in PowerShell, Windows executables and Android applications,” researchers noted in a Monday blog posting. “Although intended for different platforms, they share a similar command-and-control scheme based on HTTP communication. Therefore, the malware operators can control the whole malware family through one set of command-and-control scripts.”

ScarCruft specifically controls the malware using a PHP script on a compromised web server, dispatching to the right handler based on HTTP parameters sent by the implant.

Inside the Chinotto Backdoor

Chinotto has various tricks up its sleeve, researchers said, including detection evasion (i.e., employing garbage code to impede analysis) and establishing persistence via a registry key.

And as far as the actual spyware functionality goes, it “shows fully fledged capabilities to control and exfiltrate sensitive information from the victims,” according to Kaspersky, across three types of variants: a Windows executable, a PowerShell version and an Android application.

“The actor targeted victims with a probable spear-phishing attack for Windows systems and smishing for Android systems,” according to Kaspersky. “The actor leverages Windows executable versions and PowerShell versions to control Windows systems. We may presume that if a victim’s host and mobile are infected at the same time, the malware operator is able to overcome two-factor authentication by stealing SMS messages from the mobile phone.”

When it comes to the Windows executable, the backdoor continuously queries its command-and-control (C2) server, awaiting commands from the malware operator. The commands include beaconing, executing Windows commands, downloading and uploading specific files, uploading log files, archiving and uploading whole directories, collecting and uploading all files with specific extensions, taking screenshots, and updating the malware.

Meanwhile, a different Chinotto variant contains an embedded PowerShell script, according to the analysis. “It contains additional backdoor commands, such as uploading and downloading capabilities,” researchers explained. “Based on the build timestamp of the malware, we assess that the malware author used the PowerShell embedded version from mid-2019 to mid-2020 and started to use the malicious, PowerShell-less Windows executable from the end of 2020 onward.”

And finally, there’s also an Android application version of Chinotto, Kaspersky found. It comes in the form of a malicious APK that requests excessive permissions, which allows the app to collect sensitive information. This includes SMS messages, messaging app messages, contact lists, stored account information, call logs, device information and audio recordings of phone calls.

“Each sample has a different package name, with the analyzed sample bearing ‘’ as a package name,” researchers explained.

Chinotto enables the operator to steal any information across desktop and mobile, which can then be used in follow-on attacks, researchers noted: “For example, the group attempts to infect additional valuable hosts and contact potential victims using stolen social-media accounts or email accounts.”

Spear-Phishing Spycraft

Kaspersky discovered the malware while conducting a forensic investigation on one victim that runs a business related to North Korea.

The attack had started on social media, when a ScarCruft operator contacted an acquaintance of the victim using the victim’s stolen Facebook account.

“After a conversation on social media, the actor sent a spear-phishing email to the potential victim using a stolen email account,” researchers said. “The actor leveraged their attacks using stolen login credentials, such as Facebook and personal email accounts, and thereby showed a high level of sophistication.”

The spear-phishing email contained a password-protected RAR archive, with the password shown in the email body; the RAR file in turn contained a malicious Word document entitled “North Korea’s latest situation and our national security.” This document contained a malicious macro that kicked off a multi-stage infection process.
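The Windows backdoor described above continuously polls its C2 over HTTP waiting for commands, and that polling is what a defender can hunt for in proxy logs without knowing the C2 hostname in advance. The script below is an added example (not Kaspersky's or Threatpost's code, and not tied to any Chinotto indicator): it groups requests by source IP and destination host, measures the gaps between consecutive requests, and flags pairs whose intervals are nearly constant. The log lines, IP addresses, host names and URL paths are constructed for the example and are not real indicators.

```python
"""Beaconing heuristic over proxy logs (added example, not from the Chinotto report)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed proxy log: "<iso-timestamp> <src-ip> <method> <url> <status>".
# One client (10.0.0.5) polls news-mirror.example roughly every 60 s (the beacon),
# browses intranet.example irregularly (benign), and 10.0.0.7 makes only three
# requests to updates.example (too few to judge). All values are invented.
SAMPLE_LOG = """\
2021-11-29T09:00:00 10.0.0.5 GET http://news-mirror.example/index.php?id=1 200
2021-11-29T09:00:00 10.0.0.5 GET http://intranet.example/portal 200
2021-11-29T09:00:05 10.0.0.5 GET http://intranet.example/portal/login 200
2021-11-29T09:01:00 10.0.0.5 GET http://news-mirror.example/index.php?id=1 200
2021-11-29T09:02:01 10.0.0.5 GET http://news-mirror.example/index.php?id=1 200
2021-11-29T09:03:00 10.0.0.5 GET http://news-mirror.example/index.php?id=1 200
2021-11-29T09:03:20 10.0.0.5 GET http://intranet.example/docs 200
2021-11-29T09:03:35 10.0.0.5 GET http://intranet.example/docs/2 200
2021-11-29T09:04:01 10.0.0.5 GET http://news-mirror.example/index.php?id=1 200
2021-11-29T09:05:00 10.0.0.5 GET http://news-mirror.example/index.php?id=1 200
2021-11-29T09:05:59 10.0.0.5 GET http://news-mirror.example/index.php?id=1 200
2021-11-29T09:07:00 10.0.0.5 GET http://news-mirror.example/index.php?id=1 200
2021-11-29T09:10:00 10.0.0.7 GET http://updates.example/check 200
2021-11-29T09:11:00 10.0.0.7 GET http://updates.example/check 200
2021-11-29T09:12:00 10.0.0.7 GET http://updates.example/check 200
2021-11-29T09:15:00 10.0.0.5 GET http://intranet.example/search 200
2021-11-29T09:16:40 10.0.0.5 GET http://intranet.example/search?q=a 200
2021-11-29T09:16:43 10.0.0.5 GET http://intranet.example/search?q=ab 200
"""


def parse_log(text):
    """Yield (timestamp, src_ip, host) per well-formed line; skip blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, _method, url, _status = line.split()
        yield datetime.fromisoformat(ts), src, urlparse(url).hostname


def find_beacons(log_text, min_requests=6, max_cv=0.2):
    """Return [(src, host, mean_gap_seconds, cv), ...] for (src, host) pairs that
    were contacted at least min_requests times with near-constant spacing.
    cv is the coefficient of variation (stdev / mean) of the inter-request gaps;
    a real beacon with little sleep jitter gives a cv close to 0."""
    series = defaultdict(list)
    for ts, src, host in parse_log(log_text):
        series[(src, host)].append(ts)

    hits = []
    for (src, host), times in series.items():
        if len(times) < min_requests:
            continue  # not enough samples to call the spacing regular
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests in the same second: bursts, not polling
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, host, round(avg, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[3])  # most regular first


if __name__ == "__main__":
    for src, host, avg, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {host} every ~{avg}s (cv={cv})")
```

Treat a hit as a triage lead, not a verdict: legitimate update checkers and monitoring agents also poll on fixed timers, and implants that randomize their sleep push the cv up, so `max_cv` and `min_requests` need tuning against your own baseline. The check pairs well with the other traits the article lists: a destination that is a compromised, otherwise low-traffic web server and a request path ending in a PHP script.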
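The Android variant is characterised above by an APK that requests far more permissions than its cover story needs, so that it can read SMS, contacts, accounts, call logs, device details, audio and other apps' messages. A quick way to triage a suspect APK is to decode its manifest (for example with `apktool d app.apk`) and map the requested permissions back to the categories of data they unlock. The script below is an added example, not code from Kaspersky or from the malware: the manifest text, package names and app labels are constructed for illustration, and the notification-listener check is a general indicator of message harvesting, since the report does not say how Chinotto reads messaging-app content.

```python
"""Triage a decoded AndroidManifest.xml for spyware-style permission sets (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Standard Android permission -> the category of data it exposes. The categories
# mirror what the report says the Android Chinotto collects.
SPY_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.GET_ACCOUNTS": "stored account information",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_PHONE_STATE": "device information",
    "android.permission.RECORD_AUDIO": "audio recording",
}
# A service bound to this action receives every notification on the device, which is
# one common way to harvest other apps' messages. Assumed indicator, not from the report.
NOTIFICATION_LISTENER_ACTION = "android.service.notification.NotificationListenerService"

# Constructed manifests (decoded form, as apktool would emit). Names are invented.
SPYWARE_MANIFEST = f"""\
<manifest xmlns:android="{ANDROID_NS}" package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Calendar Helper">
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="{NOTIFICATION_LISTENER_ACTION}"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

BENIGN_MANIFEST = f"""\
<manifest xmlns:android="{ANDROID_NS}" package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Flashlight"/>
</manifest>
"""


def triage_manifest(xml_text):
    """Return what data the app could collect, judged from its manifest alone."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    capabilities = sorted({SPY_PERMISSIONS[p] for p in requested if p in SPY_PERMISSIONS})
    listener = any(a.get(NAME_ATTR) == NOTIFICATION_LISTENER_ACTION for a in root.iter("action"))
    if listener:
        capabilities.append("other apps' notifications (messaging-app messages)")
    return {
        "package": root.get("package"),
        "requested": sorted(p for p in requested if p),
        "capabilities": capabilities,
        "notification_listener": listener,
    }


def is_suspicious(report, min_capabilities=3):
    """Flag an app that can reach several distinct categories of personal data at once.
    The threshold is a judgement call; a messaging app legitimately needs some of these."""
    return len(report["capabilities"]) >= min_capabilities


if __name__ == "__main__":
    for manifest in (SPYWARE_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        verdict = "SUSPICIOUS" if is_suspicious(report) else "ok"
        print(f"{report['package']}: {verdict}; can collect {report['capabilities']}")
```

The permission list is only the declared capability; a final verdict needs the code paths that use it. But for the pattern the article describes, a low-profile app asking for SMS, call log, contacts, accounts and microphone access together, this check is usually enough to pull the sample for a full look, and it is cheap to run across an entire device backup or MDM inventory.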