Oops, There Is Malware Targeting Human Rights Activists Through Android Applications


Kaspersky researchers discovered a malware called Chinotto that targets North Korean defectors and human rights activists. The malware, operated by the Advanced Persistent Threat (APT) actor ScarCruft, is implemented in PowerShell, Windows executables, and Android apps.

This malware is capable of controlling infected devices and extracting sensitive information from its targets. The attacker then uses the victim's compromised social network and email accounts to gather further information and attack the victim's contacts.


The ScarCruft Group is a state-sponsored APT actor known to primarily target government organizations linked to the Korean Peninsula, North Korean defectors, and local journalists.



Kaspersky said it was recently contacted by a local news service requesting technical assistance with its cybersecurity investigation. As a result, Kaspersky researchers had the opportunity to investigate the computers compromised by ScarCruft in greater depth.


Kaspersky experts worked closely with local CERTs to investigate the attacker's command-and-control infrastructure. During the analysis, Kaspersky uncovered the complex and targeted campaigns of these threat actors, which focused on users connected to North Korea.


As a result of the investigation, Kaspersky experts discovered a malicious Windows executable dubbed Chinotto. The malware exists in three versions: a PowerShell script, a Windows executable, and an Android app.


All three versions share a similar command-and-control scheme based on HTTP communication. This means the malware operators can control the entire malware family through a single set of command-and-control scripts.


When both a victim's computer and phone are infected, the malware operators can overcome two-factor authentication in messaging or email apps by stealing SMS messages from the phone. From there, the operators can steal whatever information they want and continue the attack, for example by targeting the victim's acquaintances or business partners.


One of the characteristics of this malware is that it contains a lot of junk or irregular code meant to hinder analysis. In particular, the malware fills buffers with meaningless data that is never used.


The investigated computer was infected with the PowerShell version of the malware, and Kaspersky researchers found evidence that the attacker had stolen data and tracked the victim's actions for months. While Kaspersky experts cannot estimate exactly how much data was stolen or what it contained, they do know that the malware operators collected screenshots and exfiltrated them between July and August 2021.


During the analysis, Kaspersky experts also identified four other victims, all located in South Korea, and a compromised web server that had been in use since early 2021. According to the study, the targets of this threat were individuals, not a specific company or organization.


"Many journalists, defectors and human rights activists are targeted by sophisticated cyberattacks. However, they generally lack the tools to defend and respond to such surveillance attacks. This research demonstrates the importance of security experts sharing the latest cyber knowledge and investing in solutions that can combat In addition, Kaspersky's collaboration with local CERTs has given us a unique perspective on the ScarCruft infrastructure and its technical characteristics, which I hope will enhance our security in fending off their attacks," commented Seongsu Park, senior security researcher at the Global Research and Analysis Team (GReAT), Kaspersky.
