Looking for North Korea online? You could be the victim of a malware attack

People with an interest in North Korea are being targeted with narrowly scoped malware.

Security researchers at Trend Micro (via BleepingComputer) recently observed Earth Kitsune, a threat actor, compromising a pro-North Korea website and using it to distribute a backdoor called WhiskerSpy.

The backdoor lets the attackers steal files, take screenshots, and drop additional malware on the compromised machine.

WhiskerSpy malware

According to the researchers, when targeted visitors try to play a video on the site, they are first prompted to install a video codec. Those who comply download a tampered copy of a legitimate codec installer (Codecs-AVC1.msi), which installs the WhiskerSpy backdoor.

The backdoor gives its operators a range of capabilities: downloading files to the compromised endpoint, uploading files from it, deleting and listing files, taking screenshots, loading executables and calling their exports, and injecting shellcode into processes.

The backdoor then encrypts its traffic to the command and control (C2) server with a 16-byte (128-bit) AES key.

But not every visitor is at risk. The campaign is narrowly targeted: Trend Micro found that the backdoor is only delivered to visitors connecting to the site from IP addresses in Shenyang, China, or Nagoya, Japan.

Visitors from Brazil were also offered the backdoor, but the researchers believe Brazil was used only to test whether the attack worked.

That conclusion rests on the fact that the Brazilian IP addresses belonged to a commercial VPN service.

Once installed, the malware does everything it can to persist on the device. Earth Kitsune reportedly abuses Google Chrome's native messaging host mechanism to install a malicious extension called Chrome Helper; the extension launches the payload every time the browser starts. Native messaging hosts are registered in the Windows registry under the Chrome NativeMessagingHosts key, and each registration points at a JSON manifest that names the executable Chrome will spawn, so those registrations are the place to look for this kind of persistence.
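The following audit script is an added example, not Trend Micro's analysis tooling or any code from the campaign. It enumerates the native messaging hosts registered for Chrome under HKCU and HKLM (when run on Windows), parses each host manifest, and flags the traits a dropped helper host would show: a host binary outside the normal install roots or inside a user-writable directory, and an allowed origin naming an extension that is not on an approved list. TRUSTED_PATH_PREFIXES, KNOWN_EXTENSION_IDS and the two sample manifests are constructed for illustration and should be tuned to your own environment.

```python
"""Audit Chrome native messaging host registrations (added example, not the
page's or Trend Micro's code). Registry enumeration needs Windows; the
manifest checks and the constructed samples run anywhere."""
import json
import ntpath
import re

# Hypothetical allow-list: install roots where legitimate hosts normally live.
TRUSTED_PATH_PREFIXES = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")
# Hypothetical allow-list: extension IDs your organisation has approved.
KNOWN_EXTENSION_IDS = frozenset({"abcdefghijklmnopabcdefghijklmnop"})
# Chrome extension IDs are 32 characters drawn from a-p.
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")
# Directory fragments a user-level dropper typically writes to (heuristic).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def audit_manifest(manifest_text, manifest_path,
                   trusted_prefixes=TRUSTED_PATH_PREFIXES,
                   known_extension_ids=KNOWN_EXTENSION_IDS):
    """Return a list of findings for one host manifest; empty means nothing suspicious."""
    findings = []
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return [f"unparseable manifest: {exc}"]
    if manifest.get("type") != "stdio":
        findings.append(f"unexpected type {manifest.get('type')!r}")
    # Chrome resolves a relative "path" against the manifest's own directory.
    host_path = manifest.get("path", "")
    if not ntpath.isabs(host_path):
        host_path = ntpath.join(ntpath.dirname(manifest_path), host_path)
    host_path = ntpath.normpath(host_path)
    lowered = host_path.lower()
    if not any(lowered.startswith(p.lower()) for p in trusted_prefixes):
        findings.append(f"host binary outside trusted install roots: {host_path}")
    if any(hint in lowered for hint in USER_WRITABLE_HINTS):
        findings.append(f"host binary in user-writable location: {host_path}")
    # Every origin must be a well-formed extension origin that we recognise.
    for origin in manifest.get("allowed_origins", []):
        match = ORIGIN_RE.match(origin)
        if not match:
            findings.append(f"malformed allowed origin: {origin}")
        elif match.group(1) not in known_extension_ids:
            findings.append(f"unapproved extension may launch this host: {match.group(1)}")
    return findings


def registered_manifests():
    """Yield (hive, host_name, manifest_path) from the registry; yields nothing off Windows."""
    try:
        import winreg
    except ImportError:
        return
    subkey = r"Software\Google\Chrome\NativeMessagingHosts"
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                            ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            root = winreg.OpenKey(hive, subkey)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    host_name = winreg.EnumKey(root, index)
                except OSError:
                    break
                index += 1
                with winreg.OpenKey(root, host_name) as host_key:
                    manifest_path, _ = winreg.QueryValueEx(host_key, "")  # default value
                yield hive_name, host_name, manifest_path


# Constructed sample manifests (not real files) so the audit can be exercised offline.
SAMPLE_BENIGN = json.dumps({
    "name": "com.vendor.host", "type": "stdio", "path": "host.exe",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]})
SAMPLE_SUSPECT = json.dumps({
    "name": "com.example.helper", "type": "stdio",
    "path": "C:\\Users\\alice\\AppData\\Roaming\\helper\\helper.exe",
    "allowed_origins": ["chrome-extension://hgfedcbaponmlkjihgfedcbaponmlkji/"]})


def demo():
    """Run the checks over the constructed samples and return the findings per sample."""
    return {
        "benign": audit_manifest(SAMPLE_BENIGN, "C:\\Program Files\\Vendor\\host.json"),
        "suspect": audit_manifest(SAMPLE_SUSPECT,
                                  "C:\\Users\\alice\\AppData\\Roaming\\helper\\host.json"),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"sample {label}: {'SUSPICIOUS' if findings else 'ok'}", *findings, sep="\n    ")
    for hive, host_name, manifest_path in registered_manifests():
        try:
            with open(manifest_path, encoding="utf-8-sig") as fh:
                findings = audit_manifest(fh.read(), manifest_path)
        except OSError as exc:
            findings = [f"cannot read manifest {manifest_path}: {exc}"]
        print(f"[{hive}] {host_name} -> {manifest_path}: "
              f"{'SUSPICIOUS' if findings else 'ok'}", *findings, sep="\n    ")
```

The benign sample produces no findings; the suspect sample is flagged three times (outside the install roots, inside AppData, and reachable from an unapproved extension). On a live host, treat any finding as a lead to pull the manifest and the binary it names, not as proof of compromise: legitimate software does sometimes register hosts from unusual paths, which is why the allow-lists are meant to be tuned per estate.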