North Korea-linked APT37 targets defectors, journalists with Chinotto spyware


North Korean defectors, human rights activists, journalists who cover North Korea-related news, and entities in South Korea have been targeted in a new cyber-espionage campaign attributed by Kaspersky researchers to a nation-state sponsored APT group working on behalf of the North Korean government.

Known as ScarCruft, APT37, Reaper Group, InkySquid, and Ricochet Chollima, the group has been active since at least 2012 and is focused on targets of interest to the North Korean regime, including journalists, diplomats, and government employees.

As Kaspersky researchers discovered while investigating APT37’s most recent campaign, the threat actor deployed malware dubbed ‘Chinotto’, which allowed them to control compromised devices, spy on their users via screenshots, deploy additional malware, collect data, and upload it to attackers' servers.

"The actor utilized three types of malware with similar functionalities: versions implemented in PowerShell, Windows executables and Android applications," Kaspersky said in a new report. "Although intended for different platforms, they share a similar command and control scheme based on HTTP communication. Therefore, the malware operators can control the whole malware family through one set of command and control scripts."

APT37’s primary initial infection method is spear-phishing, which involves emails with malicious attachments. In this case, the threat actor contacted the victim’s associates and acquaintances on Facebook using stolen Facebook account credentials and then sent a spear-phishing email to a potential target containing a password-protected RAR archive with a malicious Word document claiming to be about “North Korea's latest situation and our national security.”

Once the document is opened, a malicious macro runs and starts a multi-stage infection. The Visual Basic for Applications (VBA) payload contains shellcode that retrieves the final-stage payload, a backdoor, from a remote server.

"We suspect this host was compromised on March 22, 2021. [...] The malware operator later delivered the Chinotto malware in August 2021 and probably started to exfiltrate sensitive data from the victim," Kaspersky said.

"Based on what we found from this victim, we can confirm that the malware operator collected screenshots and exfiltrated them between August 6, 2021 and September 8, 2021."

According to Kaspersky, Chinotto comes in two variants: one for Windows and one for Android. The Android version of Chinotto is a malicious APK that requests excessive permissions on users’ devices. Granting these permissions allows the app to collect sensitive information, including contacts, messages, call logs, device information and audio recordings.
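As an added defensive example (not code from Kaspersky's report or from the campaign), the following Python triages a decoded AndroidManifest.xml for the permission set that would grant access to the data categories listed above. The sample manifest and the permission-to-category mapping are constructed assumptions for illustration, not indicators from the campaign.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from Android permissions to the data categories the article
# says the malicious APK can collect once its permissions are granted.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "messages",
    "android.permission.RECEIVE_SMS": "messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_PHONE_STATE": "device information",
    "android.permission.RECORD_AUDIO": "audio recordings",
}

# Constructed sample manifest (decoded form, as produced by apktool/aapt).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return every <uses-permission android:name> value, sorted."""
    root = ET.fromstring(manifest_xml)
    names = (p.get(ANDROID_NS + "name") for p in root.iter("uses-permission"))
    return sorted(n for n in names if n)


def sensitive_categories(manifest_xml):
    """Map the requested permissions to the data categories they unlock."""
    cats = {SENSITIVE_PERMISSIONS[p] for p in requested_permissions(manifest_xml)
            if p in SENSITIVE_PERMISSIONS}
    return sorted(cats)


def triage(manifest_xml, threshold=3):
    """Flag an app whose permissions reach `threshold` distinct data categories."""
    cats = sensitive_categories(manifest_xml)
    return {"categories": cats, "suspicious": len(cats) >= threshold}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

The threshold is a tuning knob: a messaging app legitimately needs SMS and contacts, so review the flagged combination against what the app claims to do rather than treating any single permission as malicious.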

“To sum up, the actor targeted victims with a probable spear-phishing attack for Windows systems and smishing for Android systems. The actor leverages Windows executable versions and PowerShell versions to control Windows systems. We may presume that if a victim’s host and mobile are infected at the same time, the malware operator is able to overcome two-factor authentication by stealing SMS messages from the mobile phone,” Kaspersky said.

“After a backdoor operation with a fully featured backdoor, the operator is able to steal any information they are interested in. Using the stolen information, the actor further leverages their attacks. For example, the group attempts to infect additional valuable hosts and contact potential victims using stolen social media accounts or email accounts.”
