
Chinotto spyware spies on North Korean defectors and activists

Long-term operation by ScarCruft hackers has been linked to the North Korean government

New spyware discovered by security researchers snoops on North Korean defectors and on journalists who cover news about the Korean peninsula.

Dubbed Chinotto, the spyware is attributed to a hacking group called ScarCruft, which is linked to the North Korean government. The group is also known as APT37 or Temp.Reaper.

"The actor utilized three types of malware with similar functionalities: versions implemented in PowerShell, Windows executables, and Android applications," said researchers at Kaspersky. 

"Although intended for different platforms, they share a similar command and control scheme based on HTTP communication. Therefore, the malware operators can control the whole malware family through one set of command-and-control scripts."

According to a blog post by Kaspersky, the attackers contact an acquaintance of the victim using the victim's stolen Facebook account. They already know that the potential target runs a business related to North Korea and ask about its current status.

Following the conversation on Facebook, a spear-phishing email is sent to the potential victim from a stolen email account. The email contains a password-protected RAR archive, with the password given in the email body. The archive holds a malicious Word document that serves as a lure on a North Korea-related topic.

When opened, the Word document runs a macro that decrypts a second payload embedded in the document. This Visual Basic for Applications (VBA) payload carries shellcode as a hex string and injects it into a notepad.exe process. The shellcode contains the URL from which the next-stage payload is fetched; after downloading it, the shellcode decrypts it with a trivial single-byte XOR.
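A single-byte XOR gives an analyst who has captured the downloaded stage an easy way in: try all 256 keys and keep the one that yields a plausible plaintext. The script below is an added example, not Kaspersky's tooling or any code from the malware; it looks for a PE header ("MZ" at offset 0 and "PE\0\0" at the e_lfanew offset) as the plausibility check, and the blob it decrypts is a constructed fake PE header encrypted with an assumed key, not a real Chinotto stage.

```python
"""Recover a single-byte XOR key from a captured next-stage payload.

Added example for this article, not Kaspersky's or the malware's code.
SAMPLE_BLOB is constructed: a minimal fake DOS/PE header encrypted with
ASSUMED_KEY. Nothing here is a real Chinotto artefact.
"""
import struct
from typing import Optional


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the same one-byte key."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Return True if data starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_key(blob: bytes) -> Optional[int]:
    """Brute-force the XOR key; return it, or None if no candidate yields a PE image.

    Key 0 is tried too, so an unencrypted PE simply returns 0.
    """
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def decrypt_stage(blob: bytes) -> Optional[bytes]:
    """Return the decrypted stage, or None if the blob is not a XOR-encoded PE."""
    key = recover_key(blob)
    return None if key is None else xor_bytes(blob, key)


def build_fake_pe() -> bytes:
    """Constructed 64-byte DOS header (e_lfanew = 0x40) followed by a PE signature and padding."""
    dos_header = bytearray(b"MZ" + b"\x90" * 0x3A)   # 0x3C bytes before e_lfanew
    dos_header += struct.pack("<I", 0x40)            # e_lfanew at offset 0x3C
    return bytes(dos_header) + b"PE\0\0" + b"\x00" * 20


ASSUMED_KEY = 0x7A                                   # assumption: arbitrary key for the sample
SAMPLE_BLOB = xor_bytes(build_fake_pe(), ASSUMED_KEY)


if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print(f"recovered key: {key:#04x}" if key is not None else "no key found")
```

In practice the plausibility check is whatever the next stage is expected to be: a PE header for an executable, a known shellcode prologue, or simply the lowest-entropy candidate when the format is unknown.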

Researchers couldn’t gather the final payload when they investigated this sample. However, they did work out that one of the malware’s victims was breached on March 22, 2021, based on a file timestamp.

The Chinotto malware collected screenshots and exfiltrated them between August 6, 2021, and September 8, 2021. 

In addition to the Windows version, Chinotto also has an Android version that carries out similar tasks. Researchers said the Android malware requests excessive permissions, according to its AndroidManifest.xml file.


“To achieve its purpose of spying on the user, these apps ask users to enable various sorts of permissions. Granting these permissions allows the apps to collect sensitive information, including contacts, messages, call logs, device information, and audio recordings,” said researchers.
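The permission list in AndroidManifest.xml is the first thing a triage analyst checks when an app is suspected of surveillance. The script below is an added example, not Kaspersky's tooling and not the Chinotto manifest: it parses a constructed manifest whose permission set mirrors the data categories the researchers list (contacts, messages, call logs, device information, audio) and maps each requested permission back to the kind of data it unlocks. The permission-to-category table is the author's own grouping, not something taken from the page.

```python
"""Map requested Android permissions to the data they expose.

Added example for this article, not Kaspersky's code. SAMPLE_MANIFEST is
constructed to resemble the permission profile described, and is not the
real Chinotto manifest.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed grouping: permissions that together yield the categories named in the article.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "messages",
    "android.permission.RECEIVE_SMS": "messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_PHONE_STATE": "device information",
    "android.permission.RECORD_AUDIO": "audio recordings",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}

# Constructed sample manifest (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Constructed Sample"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return every android:name value on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name", "") for el in root.iter("uses-permission")]


def surveillance_capabilities(manifest_xml: str) -> Dict[str, List[str]]:
    """Group the sensitive permissions by the data category each one exposes."""
    caps: Dict[str, List[str]] = {}
    for perm in requested_permissions(manifest_xml):
        category = SURVEILLANCE_PERMISSIONS.get(perm)
        if category:
            caps.setdefault(category, []).append(perm)
    return caps


if __name__ == "__main__":
    for category, perms in sorted(surveillance_capabilities(SAMPLE_MANIFEST).items()):
        print(f"{category:20s} <- {', '.join(perms)}")
```

A single sensitive permission is not evidence of spyware on its own; the signal in the researchers' description is the combination of contacts, messaging, call-log, device-identity and microphone access in one app with no obvious need for them.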

"Many journalists, defectors, and human rights activists are targets of sophisticated cyberattacks," they added. "Unlike corporations, these targets typically don't have sufficient tools to protect against and respond to highly skilled surveillance attacks."

