Cross-platform spyware follows Windows and Android users

While investigating an ongoing malware campaign, cybersecurity researchers have discovered new spyware with variants that work on both Android devices and Windows computers.

Called Chinotto, the malware was discovered by Kaspersky researchers, who believe it is being used by a state-sponsored threat actor known as ScarCruft to keep an eye on North Korean defectors, reporters covering North Korea-related news, and others.

"The actor used three types of malware with similar functionality: PowerShell-deployed versions, Windows executables, and Android applications... As a result, malware operators can control the entire family of malware through a set of command and control scripts," the researchers note.

Investigations revealed that the threat actor distributed the malware via a phishing attack, which it carried out after compromising the victim's acquaintances through the use of social media or stolen email credentials.

Powerful spy

Investigations have revealed that while the current campaign started in March 2021, there were several older variants of the malware dating back to mid-2020.

After compromising a host, the threat actors unleashed multiple strains of malware to take control of it. Interestingly, in one case, they waited six months after compromising a host before deploying Chinotto.

Based on their analysis of Chinotto, the researchers believe that it not only enables attackers to spy on their victims through screenshots, but may also give them the ability to control compromised devices, open a back door to exfiltrate data, and install additional malware.

Additionally, the investigation found that the attackers were altering the malware's capabilities in what appears to be an attempt to thwart traditional signature-based detection.