Chinotto spyware spies on North Korean defectors and activists
Long term operation by ScarCruft hackers has been linked to the North Korean government
New spyware has been discovered by security researchers that snoops on North Korean defectors and journalists that cover news on the Korean peninsula.
Dubbed Chinotto, the spyware is linked to a gang of hackers called ScarCruft, a group is linked to the North Korean government. The hackers are also known as APT37 or Temp.Reaper.
"The actor utilized three types of malware with similar functionalities: versions implemented in PowerShell, Windows executables, and Android applications," said researchers at Kaspersky.
"Although intended for different platforms, they share a similar command and control scheme based on HTTP communication. Therefore, the malware operators can control the whole malware family through one set of command-and-control scripts."
According to a blog post by Kaspersky, hackers contact an acquaintance of the victim using the victim’s stolen Facebook account and already knew that the potential target ran a business related to North Korea and asked about its current status.
Following conversations on Facebook, a spear-phishing email is sent to the potential victim using a stolen email account. This email contains a password protected RAR archive with the password shown in the email body. The RAR file contains a malicious Word document that acts as a lure related to North Korea.
This word document when opened executes a macro and decrypts another payload embedded in the document. This Visual Basic Application (VBA) payload contains shellcode as a hex string. This script is responsible for injecting the shellcode into the process notepad.exe. The shellcode contains the URL to fetch the next stage payload. After fetching the payload, the shellcode decrypts it with trivial single-byte XOR decryption.
Researchers couldn’t gather the final payload when they investigated this sample. However, they did work out that one of the malware’s victims was breached on March 22, 2021, based on a file timestamp.
The Chinotto malware collected screenshots and exfiltrated them between August 6, 2021, and September 8, 2021.
In addition to a Windows version, Chinotto also has an Android version that carries out similar tasks. Researchers said the Android malware requests excessive permissions according to the AndroidManifest.xml file
Protecting every edge to make hackers’ jobs harder, not yours
How to support and secure hybrid architecturesFree download
“To achieve its purpose of spying on the user, these apps ask users to enable various sorts of permissions. Granting these permissions allows the apps to collect sensitive information, including contacts, messages, call logs, device information, and audio recordings,” said researchers.
"Many journalists, defectors, and human rights activists are targets of sophisticated cyberattacks," they added. "Unlike corporations, these targets typically don't have sufficient tools to protect against and respond to highly skilled surveillance attacks."
How virtual desktop infrastructure enables digital transformation
Challenges and benefits of VDIFree download
The Okta digital trust index
Exploring the human edge of trustFree download
Optimising workload placement in your hybrid cloud
Deliver increased IT agility with the cloudFree Download
Modernise endpoint protection and leave your legacy challenges behind
The risk of keeping your legacy endpoint security toolsDownload now