
North Korean Cyber Espionage Group Deploys WhiskerSpy Backdoor in Latest Attacks

The cyber espionage threat actor tracked as Earth Kitsune has been observed deploying a new backdoor called WhiskerSpy as part of a social engineering campaign.

Earth Kitsune, active since at least 2019, is known[1]
to primarily target individuals interested in North Korea with
self-developed malware such as dneSpy and agfSpy. Previously
documented intrusions have entailed the use of watering holes that
leverage browser exploits in Google Chrome and Internet Explorer to
activate the infection chain.

The differentiating factor in the latest attacks is a shift to
social engineering to trick users into visiting compromised
websites related to North Korea, according to a new report from
Trend Micro released last week.

The cybersecurity company said the website of an unnamed
pro-North Korean organization was hacked and modified to distribute
the WhiskerSpy implant. The compromise was discovered at the end of
last year.

“When a targeted visitor tries to watch videos on the website, a
malicious script injected by the attacker displays a message prompt
notifying the victims with a video codec error to entice them to
download and install a trojanized codec installer,” researchers
Joseph C Chen and Jaromir Horejsi said[2].

The booby-trapped script is said to have been injected into the
website’s video pages, with the installer (“Codec-AVC1.msi”)
subsequently employed to load WhiskerSpy.

But the attack also exhibits some clever tricks in an attempt to
sidestep detection: the malicious script is delivered only to
visitors whose IP addresses match specific criteria:

  • An IP address subnet located in Shenyang, China
  • A specific IP address located in Nagoya, Japan, and
  • An IP address subnet located in Brazil

Trend Micro noted that the targeted IP addresses in Brazil
belong to a commercial VPN service and that the threat actor may
have “used this VPN service to test the deployment of their
watering hole attacks.”

Persistence is achieved either by abusing[3]
a Dynamic Link Library (DLL) hijacking vulnerability in OneDrive or
via a malicious Google Chrome extension that employs native messaging APIs[4]
to execute the payload every time the web browser is launched.
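The Chrome persistence route above relies on a native messaging host: a JSON manifest that tells the browser which local binary an extension may launch. As an added example (not code from the report or from Trend Micro), the script below audits the host manifests registered on a Linux or macOS machine and flags hosts whose binary sits in a user-writable location, is a script, or has a malformed allowed_origins list; the trusted-prefix list and the SAMPLE manifests are assumptions and constructed data, and on Windows the manifest paths would be read from the registry keys named in the comment instead.

```python
"""Audit Chrome native messaging host manifests for hosts worth a closer look."""
import json
from pathlib import Path

# Linux/macOS manifest directories; Windows registers hosts in the registry under
# HKCU|HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts (value = manifest path).
HOST_MANIFEST_DIRS = [
    Path.home() / ".config/google-chrome/NativeMessagingHosts",
    Path("/etc/opt/chrome/native-messaging-hosts"),
    Path.home() / "Library/Application Support/Google/Chrome/NativeMessagingHosts",
]
# Where a vendor-installed host binary normally lives (assumption; tune per fleet).
TRUSTED_PREFIXES = ("/usr/", "/opt/", "/Applications/", "C:\\Program Files")
USER_WRITABLE_HINTS = ("\\AppData\\", "\\Temp\\", "/tmp/", "/home/", "/Users/")
SCRIPT_SUFFIXES = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".sh", ".py")

def assess_host(manifest):
    """Return the reasons one host manifest deserves review (empty list if none)."""
    reasons, path = [], manifest.get("path", "")
    if not path.startswith(TRUSTED_PREFIXES):
        reasons.append("host binary outside a trusted install location")
    if any(hint in path for hint in USER_WRITABLE_HINTS):
        reasons.append("host binary in a user-writable directory")
    if path.lower().endswith(SCRIPT_SUFFIXES):
        reasons.append("host is an interpreted script rather than a compiled binary")
    origins = manifest.get("allowed_origins", [])
    if not origins or any(not o.startswith("chrome-extension://") for o in origins):
        reasons.append("allowed_origins missing or malformed")
    return reasons

def audit_manifests(manifests):
    """Map manifest file name -> findings, keeping only hosts that have findings."""
    return {name: r for name, m in manifests.items() if (r := assess_host(m))}

def load_manifests(dirs=HOST_MANIFEST_DIRS):
    """Read every *.json host manifest from the directories present on this machine."""
    found = {}
    for f in (p for d in dirs if d.is_dir() for p in d.glob("*.json")):
        try:
            found[f.name] = json.loads(f.read_text())
        except (OSError, ValueError):
            pass  # skip unreadable or malformed manifests
    return found

# Constructed sample data (not from the report): a vendor host and one living in AppData.
SAMPLE = {
    "com.vendor.helper.json": {"name": "com.vendor.helper", "type": "stdio",
        "path": "C:\\Program Files\\Vendor\\helper.exe",
        "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]},
    "com.example.codec.json": {"name": "com.example.codec", "type": "stdio",
        "path": "C:\\Users\\alice\\AppData\\Roaming\\codec\\host.exe",
        "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"]},
}
```

On a live machine call `audit_manifests(load_manifests())`; `audit_manifests(SAMPLE)` shows the output shape, flagging only the AppData host.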

The WhiskerSpy backdoor, like other malware of its kind, comes
with capabilities to delete, enumerate, download and upload files,
take screenshots, inject shellcode, and load arbitrary executables.

“Earth Kitsune are proficient with their technical abilities and
are continuously evolving their tools, tactics, and procedures,”
the researchers said.

Earth Yako Strikes Academic and Research Sectors in Japan

Earth Kitsune is not the only threat actor to go after Japanese
targets, for the cybersecurity company also detailed another
intrusion set codenamed Earth Yako striking
research organizations and think tanks in the country.

The activity, observed as recently as January 2023, is a
continuation of a previously known campaign referred to as Operation RestyLink[5]. A subset of the attacks
also targeted entities located in Taiwan.

“The intrusion set introduced new tools and malware within a
short period of time, frequently changing and expanding its attack
targets,” Trend Micro said[6], pointing out Earth
Yako’s modus operandi of “actively changing their targets and
methods.”

The starting point is a spear-phishing email that masquerades as
an invitation to a public event. The message contains a malicious URL
that points to a payload, which, in turn, is responsible for
downloading the malware onto the system.

The attacks are also characterized by a trove of custom tools
comprising droppers (PULink), loaders (Dulload, MirrorKey), stagers
(ShellBox), and backdoors (PlugBox, TransBox).

PlugBox, ShellBox, and TransBox, as the names imply, take
advantage of Dropbox APIs to retrieve next-stage malware from a
remote server hard-coded in a GitHub repository, receive commands,
and harvest and exfiltrate data.
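Because these backdoors ride on a legitimate cloud service, a blocklist is useless; what a defender can do is baseline which machines are allowed to talk to the Dropbox API at all. As an added example (not code from the report), the script below parses constructed proxy log lines in an assumed space-separated format and flags unsanctioned sources that call the Dropbox API, weighting the finding if they upload data, use a browser-like user agent, or also fetch raw GitHub content, which the report says is where the C2 server was hard-coded; the log format, the sanctioned-host set and the user agent heuristic are assumptions.

```python
"""Flag Dropbox API traffic from hosts with no sanctioned Dropbox client (constructed logs)."""
import re
from collections import defaultdict

# Constructed proxy log lines (format is an assumption, not a real product's):
# time src_ip method host path "user_agent" bytes_sent
SAMPLE_LOGS = """\
2023-01-12T09:01:10Z 10.1.4.22 POST api.dropboxapi.com /2/files/list_folder "Mozilla/5.0" 412
2023-01-12T09:01:12Z 10.1.4.22 POST content.dropboxapi.com /2/files/upload "Mozilla/5.0" 183920
2023-01-12T09:02:30Z 10.1.4.22 GET raw.githubusercontent.com /someuser/repo/main/cfg.txt "Mozilla/5.0" 0
2023-01-12T09:05:00Z 10.1.7.9 POST content.dropboxapi.com /2/files/upload "DropboxDesktopClient/165.4" 2048
2023-01-12T09:06:00Z 10.1.9.3 GET www.example.org /index.html "Mozilla/5.0" 0
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d+)$')
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
GITHUB_RAW_HOST = "raw.githubusercontent.com"
SANCTIONED_DROPBOX_SOURCES = {"10.1.7.9"}  # assumption: machines allowed to use Dropbox

def parse(line):
    """Split one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t, src, method, host, path, ua, sent = m.groups()
    return {"time": t, "src": src, "method": method, "host": host,
            "path": path, "ua": ua, "sent": int(sent)}

def find_suspicious(log_text):
    """Map each unsanctioned source IP that touched the Dropbox API to its findings."""
    dropbox, github = defaultdict(list), set()
    for ev in filter(None, map(parse, log_text.splitlines())):
        if ev["host"] == GITHUB_RAW_HOST:
            github.add(ev["src"])
        elif ev["host"] in DROPBOX_API_HOSTS and ev["src"] not in SANCTIONED_DROPBOX_SOURCES:
            dropbox[ev["src"]].append(ev)
    findings = {}
    for src, evs in dropbox.items():
        reasons = ["Dropbox API traffic from a host with no sanctioned Dropbox use"]
        uploaded = sum(e["sent"] for e in evs if e["path"] == "/2/files/upload")
        if uploaded:
            reasons.append("uploaded %d bytes via /2/files/upload (possible exfiltration)" % uploaded)
        if any("Dropbox" not in e["ua"] for e in evs):  # heuristic: official client names itself
            reasons.append("user agent is not the Dropbox desktop client")
        if src in github:
            reasons.append("also fetched raw GitHub content, where the report says C2 details were hard-coded")
        findings[src] = reasons
    return findings
```

Running `find_suspicious(SAMPLE_LOGS)` reports only 10.1.4.22, with all four reasons; the sanctioned desktop client on 10.1.7.9 is ignored.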

The exact origins of Earth Yako remain unknown, but Trend Micro
said it identified partial technical overlaps between the group and
other threat actors like Darkhotel, APT10 (aka Stone Panda), and
APT29 (aka Cozy Bear or Nobelium).

“One of the characteristics of the recent targeted attacks is
that they shifted to targeting the individuals considered to have
relatively weak security measures compared to companies and other
organizations,” the company said.

“This shift to targeting individuals over enterprises is
highlighted by the targeting and abuse of Dropbox as it is
considered a popular service in the region among users for personal
use, but not for organizations.”

References

  1. known (thehackernews.com)
  2. said (www.trendmicro.com)
  3. abusing (www.bitdefender.com)
  4. native messaging APIs (developer.chrome.com)
  5. Operation RestyLink (insight-jp.nttsecurity.com)
  6. said (www.trendmicro.com)
