North Korean defectors, human rights activists, journalists who cover North Korea-related news, and entities in South Korea have been targeted in a new cyber-espionage campaign attributed by Kaspersky researchers to a nation-state sponsored APT group working on behalf of the North Korean government.

As Kaspersky researchers discovered while investigating APT37’s most recent campaign, the threat actor deployed malware dubbed ‘Chinotto’, which allowed them to control compromised devices, spy on their users via screenshots, deploy additional malware, collect data, and upload it to attackers' servers.

Known as ScarCruft, APT37, Reaper Group, InkySquid, and Ricochet Chollima, the group has been active since at least 2012 and is focused on targets of interest to the North Korean regime, including journalists, diplomats, and government employees.

"The actor utilized three types of malware with similar functionalities: versions implemented in PowerShell, Windows executables and Android applications," Kaspersky said in a new report. "Although intended for different platforms, they share a similar command and control scheme based on HTTP communication. Therefore, the malware operators can control the whole malware family through one set of command and control scripts."

APT37’s primary initial infection method is spear-phishing, which involves emails with malicious attachments. In this case, the threat actor contacted the victim’s associates and acquaintances on Facebook using stolen Facebook account credentials and then sent a spear-phishing email to a potential target containing a password-protected RAR archive with a malicious Word document claiming to be about “North Korea's latest situation and our national security.”

Once the document is opened, a malicious macro is executed along with a payload for a multi-stage infection process. The payload, a Visual Basic for Applications (VBA) script, contains shellcode that retrieves the final-stage payload with backdoor capabilities from a remote server.

"We suspect this host was compromised on March 22, 2021. The malware operator later delivered the Chinotto malware in August 2021 and probably started to exfiltrate sensitive data from the victim," Kaspersky said. "Based on what we found from this victim, we can confirm that the malware operator collected screenshots and exfiltrated them between Aug… and September 8, 2021."

According to Kaspersky, Chinotto comes in two variants, for Windows and for Android. The Android version of Chinotto comes in the form of a malicious APK, which requests excessive permissions on users’ devices. Granting these permissions allows the app to collect sensitive information, including contacts, messages, call logs, device information and audio recordings.

“To sum up, the actor targeted victims with a probable spear-phishing attack for Windows systems and smishing for Android systems. The actor leverages Windows executable versions and PowerShell versions to control Windows systems.”

“After a backdoor operation with a fully featured backdoor, the operator is able to steal any information they are interested in. We may presume that if a victim’s host and mobile are infected at the same time, the malware operator is able to overcome two-factor authentication by stealing SMS messages from the mobile phone,” Kaspersky said. Using the stolen information, the actor further leverages their attacks. For example, the group attempts to infect additional valuable hosts and contact potential victims using stolen social media accounts or email accounts.

The string of phrases and numbers continued for another twelve minutes. North Korea has long used so-called numbers stations, shortwave radio stations that broadcast coded messages to communicate with agents abroad. The messages typically consist of a string of numbers or phrases, nonsensical to anyone but the intended recipient. Spy agencies around the world have used numbers stations for decades, but the advent of the internet has generally made the system obsolete. North Korea ceased transmitting the messages in 2000.

That's why the reactivation of North Korea's system is so puzzling. There are literally a billion places to hide a secret message in plain sight on the internet, everywhere from want ads on Craigslist to messages in ancient forums. Numbers stations are also less than ideal because the mere act of transmitting tells the entire world that you're up to something.

Pyongyang recently called for terrorist-style attacks against South Korean targets, including subways, shopping malls, and power plants. It is also very unhappy with the announcement to place American THAAD ballistic missile interceptors in South Korea. The message obviously means something, but what?
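As an added defender-side check, not code from the article or from Kaspersky's report: a Python triage routine that compares the permissions an APK's decoded AndroidManifest.xml requests against the data categories the report says the Android variant collects (contacts, messages, call logs, device information, audio), and reports SMS access separately because of the two-factor bypass the quote describes. The mapping from those categories to Android permission names, the heuristic threshold and the sample manifest are my own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data categories the report says the APK collects, mapped to the Android
# permissions that gate them. The mapping is my own defender-side assumption,
# not a list taken from the Kaspersky write-up.
CATEGORY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "device_info": {"android.permission.READ_PHONE_STATE"},
    "audio": {"android.permission.RECORD_AUDIO"},
}


def requested_permissions(manifest_xml):
    """Return the <uses-permission> names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def triage_manifest(manifest_xml):
    """Compare a manifest with the spyware permission profile described above.

    SMS access is reported separately: it is the permission that lets an
    operator read one-time codes and defeat SMS-based two-factor authentication.
    """
    perms = requested_permissions(manifest_xml)
    hit = sorted(c for c, ps in CATEGORY_PERMISSIONS.items() if perms & ps)
    sms = bool(perms & CATEGORY_PERMISSIONS["messages"])
    # Heuristic threshold (assumption): SMS access plus at least three categories.
    return {"categories": hit, "sms_access": sms, "suspicious": sms and len(hit) >= 3}


# Constructed sample manifest for the check; not an artefact from the campaign.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
```

The manifest inside a real APK is binary-encoded; run it through a decoder such as apktool or aapt first and feed the resulting XML to `triage_manifest`.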