People interested in all things North Korea are being targeted by very specific malware.
Trend Micro cybersecurity researchers (via BleepingComputer) recently observed Earth Kitsune, a threat actor Trend Micro has tracked since 2019, compromising a pro-North Korean website and turning it into a watering hole that delivers a backdoor called WhiskerSpy.
The malware allows the threat actors to steal files, take screenshots and deploy additional malware on the compromised endpoint.
According to the researchers, visitors who try to play video on the site are first shown a prompt to install a video codec. Those who accept download a trojanized version of a legitimate codec installer (Codec-AVC1.msi), which also installs the WhiskerSpy backdoor.
The backdoor gives the threat actors a number of capabilities: downloading files to the compromised endpoint, uploading files from it, deleting files, listing files, taking screenshots, loading executables and calling their exports, and injecting shellcode into processes.
The backdoor communicates with its command and control (C2) server over traffic encrypted with AES under a 16-byte (128-bit) key.
But not every visitor is at risk. Trend Micro found that the malicious codec prompt is only shown to visitors whose IP addresses geolocate to Shenyang, China or Nagoya, Japan, so only a small fraction of the site's traffic is targeted.
Visitors from Brazil were also served the lure, but the researchers believe Brazil was used only to test whether the attack chain works.
The Brazilian IP addresses in question belonged to a commercial VPN service.
Once installed, the malware works hard to persist on the device. Earth Kitsune abuses the native messaging host mechanism in Google's Chrome browser: it registers a malicious extension called Google Chrome Helper, and that extension launches the payload through the native messaging host every time the browser starts.
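Chrome native messaging works by pointing a registry key (HKCU or HKLM\Software\Google\Chrome\NativeMessagingHosts\&lt;name&gt;) at a small JSON manifest whose "path" names an executable and whose "allowed_origins" lists the extension IDs permitted to talk to it; when an extension calls chrome.runtime.connectNative, Chrome launches that executable. That makes the manifests a natural place to hunt for the persistence described above. The triage script below is an added example written for this page, not code from Trend Micro or the article, and it is generic rather than tied to WhiskerSpy. The two manifests and the allow-listed extension ID are constructed sample data, and the host name "com.google.chrome.helper" is hypothetical, not a reported indicator.

```python
import json
from pathlib import PureWindowsPath
from typing import Dict, List

# Hypothetical allow-list of extension IDs the organisation has approved.
KNOWN_EXTENSION_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

# Directory fragments an ordinary user can write to; a native messaging host
# executable living here can be dropped or replaced by malware running as that user.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Native messaging hosts are normally compiled binaries; a script host is worth a look.
SCRIPT_SUFFIXES = {".bat", ".cmd", ".vbs", ".js", ".ps1"}

# Constructed sample manifests keyed by the path the registry value would point at.
SAMPLE_MANIFESTS = {
    r"C:\Program Files\Vendor\nmh\manifest.json": json.dumps({
        "name": "com.vendor.nmh",
        "description": "Vendor password manager bridge",
        "path": r"C:\Program Files\Vendor\nmh\bridge.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"],
    }),
    r"C:\Users\victim\AppData\Roaming\helper\manifest.json": json.dumps({
        "name": "com.google.chrome.helper",  # hypothetical name, not a real indicator
        "description": "Google Chrome Helper",
        "path": r"C:\Users\victim\AppData\Roaming\helper\helper.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/"],
    }),
}


def parse_origin_id(origin: str) -> str:
    """Extract the extension ID from a 'chrome-extension://<id>/' origin; '' if malformed."""
    prefix = "chrome-extension://"
    if not origin.startswith(prefix):
        return ""
    return origin[len(prefix):].strip("/")


def triage_manifest(manifest_text: str, known_ids) -> List[str]:
    """Return a list of human-readable findings for one native messaging host manifest."""
    findings: List[str] = []
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError:
        return ["manifest is not valid JSON"]

    host_path = str(manifest.get("path", ""))
    lowered = host_path.lower()
    if not host_path:
        findings.append("manifest has no 'path'")
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        findings.append(f"host executable in user-writable location: {host_path}")
    if PureWindowsPath(host_path).suffix.lower() in SCRIPT_SUFFIXES:
        findings.append(f"host is a script rather than a compiled binary: {host_path}")

    # Every extension allowed to reach the host should be one we recognise.
    for origin in manifest.get("allowed_origins", []) or []:
        ext_id = parse_origin_id(str(origin))
        if ext_id not in known_ids:
            findings.append(f"allowed_origins grants an unapproved extension: {ext_id or origin}")

    # Brand impersonation: claims to be Google but is not installed under a Google directory.
    name = str(manifest.get("name", "")).lower()
    desc = str(manifest.get("description", "")).lower()
    if ("google" in name or "google" in desc) and "\\google\\" not in lowered:
        findings.append("Google-branded host not installed under a Google directory")
    return findings


def triage_all(manifests: Dict[str, str], known_ids=KNOWN_EXTENSION_IDS) -> Dict[str, List[str]]:
    """Triage every manifest; the result maps manifest path -> findings (empty list = clean)."""
    return {path: triage_manifest(text, known_ids) for path, text in manifests.items()}


if __name__ == "__main__":
    for path, findings in triage_all(SAMPLE_MANIFESTS).items():
        status = "SUSPICIOUS" if findings else "clean"
        print(f"{status}: {path}")
        for finding in findings:
            print(f"    - {finding}")
```

On a live Windows host you would replace SAMPLE_MANIFESTS by reading the default value of each subkey under both NativeMessagingHosts registry locations (the value is the manifest path) and loading those files. Pair the output with the extension list from chrome://extensions: an unapproved extension ID in allowed_origins is the link between a browser extension and the binary it can launch at every browser start.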