North Korean Cyber Espionage Group Deploys WhiskerSpy Backdoor in Latest Attacks


A cyber-espionage threat actor tracked as Earth Kitsune has been observed deploying a new backdoor called WhiskerSpy as part of a social engineering campaign.

Earth Kitsune has been active since at least 2019 and is known to primarily target individuals with an interest in North Korea, using homegrown malware such as dneSpy and agfSpy. Previously documented intrusions relied on watering holes that leveraged Google Chrome and Internet Explorer browser exploits to trigger the infection chain.

According to a new Trend Micro report released last week, a differentiator in the latest attacks is the shift to social engineering to lure users to compromised websites related to North Korea.

The cybersecurity firm said the website of an unnamed pro-North Korean organization was compromised and modified to distribute the WhiskerSpy implant. The compromise was discovered late last year.

“When a targeted visitor attempts to watch a video on the website, a malicious script inserted by the attacker displays a message prompt informing the victim of a video codec error and directs them to download and install a trojanized codec installer,” said researchers Joseph C Chen and Jaromir Horejsi.

The booby-trapped script was reportedly injected into the website’s video page and used an installer (“Codec-AVC1.msi”) to load WhiskerSpy.

The attack also demonstrates a subtle tactic for evading detection: the malicious script is delivered only to visitors whose IP addresses match certain criteria:

  • An IP address subnet in Shenyang, China
  • A specific IP address in Nagoya, Japan
  • An IP address subnet located in Brazil

Trend Micro noted that the IP addresses targeted in Brazil belonged to a commercial VPN service, which the attackers may have “used to test watering hole attack deployments.”
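The IP-based gating above is what makes a watering hole of this kind hard to confirm from the outside: a scanner or analyst fetching the page from an untargeted address receives the clean page and sees nothing. The following is an added example, not code from the original article or from Trend Micro's report, that reproduces that server-side gate in Python and adds a defender-side check of which vantage points would actually observe the injection. The subnets, the single address and the script name are placeholders from documentation ranges, not the ones Earth Kitsune used.

```python
import ipaddress

# Hypothetical targeting rules, constructed for this example; the real subnets
# Earth Kitsune matched on are not published here.
TARGET_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # stand-in for the Shenyang subnet
    ipaddress.ip_network("198.51.100.0/24"),  # stand-in for the Brazilian VPN subnet
]
TARGET_HOSTS = {
    ipaddress.ip_address("192.0.2.77"),       # stand-in for the single Nagoya address
}

CLEAN_PAGE = '<video src="lecture.mp4" controls></video>'
# Hypothetical injected script; the file name is invented for this example.
INJECTED_PAGE = CLEAN_PAGE + '<script src="/js/codec-check.js"></script>'


def is_targeted(client_ip: str) -> bool:
    """True if the visitor's address matches one of the attacker's criteria."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed address: fall through to the clean page
    return ip in TARGET_HOSTS or any(ip in net for net in TARGET_NETWORKS)


def serve_video_page(client_ip: str) -> str:
    """Attacker-side gate: only targeted visitors receive the injected script."""
    return INJECTED_PAGE if is_targeted(client_ip) else CLEAN_PAGE


def injection_visible_from(vantage_ips) -> dict:
    """Defender check: which vantage points would actually see the injection?

    Fetching the page once from a corporate egress address is not enough;
    the response depends entirely on where the request comes from.
    """
    return {ip: serve_video_page(ip) != CLEAN_PAGE for ip in vantage_ips}
```

The practical consequence for incident responders is that a single fetch of a suspected watering hole proves little; compare responses from several source addresses (including one inside the suspected target range, if you can legitimately obtain it) before concluding a page is clean.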

Persistence is achieved either by exploiting a dynamic-link library (DLL) hijacking vulnerability in OneDrive or by using a malicious Google Chrome extension that relies on the native messaging API to execute a payload every time the browser is launched.
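The native messaging route works because Chrome will launch any local program named in a native messaging host manifest as soon as an allowed extension connects to it, and on Windows a user-level installer can register such a manifest without administrative rights under HKCU\Software\Google\Chrome\NativeMessagingHosts\<name> (the key's default value points at the manifest JSON; on Linux the manifests live under ~/.config/google-chrome/NativeMessagingHosts/). Below is an added example, not part of the original article or of Trend Micro's research, that audits native messaging host manifests offline and flags the traits a planted host tends to have: a binary in a user-writable directory and an extension ID that nobody approved. The manifests, the approved-extension allow-list and the directory heuristic are constructed for this example; feed it the real manifest files your registry keys point to.

```python
import json
import re
from pathlib import PureWindowsPath

# Heuristic: directories a standard user can write to. A native host whose
# binary lives here can be planted or replaced without admin rights.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Hypothetical allow-list of extension IDs approved in your environment.
APPROVED_EXTENSIONS = {"abcdefghijklmnopabcdefghijklmnop"}
# Chrome extension IDs are 32 characters drawn from the letters a-p.
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")


def audit_manifest(raw_json: str) -> list:
    """Return a list of findings for one native messaging host manifest."""
    m = json.loads(raw_json)
    findings = []
    path = m.get("path", "")
    if not PureWindowsPath(path).is_absolute():
        findings.append(f"relative host path: {path!r}")
    if any(hint in path.lower() for hint in USER_WRITABLE_HINTS):
        findings.append(f"host binary in user-writable location: {path}")
    if m.get("type") != "stdio":
        findings.append(f"unexpected type: {m.get('type')!r}")
    for origin in m.get("allowed_origins", []):
        match = ORIGIN_RE.match(origin)
        if not match:
            findings.append(f"malformed origin: {origin}")
        elif match.group(1) not in APPROVED_EXTENSIONS:
            findings.append(f"unapproved extension may launch host: {match.group(1)}")
    return findings


def audit_all(manifests: dict) -> dict:
    """Audit several manifests (name -> JSON text); return only those with findings."""
    return {name: f for name, raw in manifests.items() if (f := audit_manifest(raw))}


# Constructed sample manifests for this example, not real registrations.
SAMPLE_MANIFESTS = {
    "com.vendor.sync": json.dumps({
        "name": "com.vendor.sync",
        "description": "Vendor sync helper",
        "path": "C:\\Program Files\\Vendor\\sync_host.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
    }),
    "com.codec.helper": json.dumps({
        "name": "com.codec.helper",
        "description": "Video codec helper",
        "path": "C:\\Users\\victim\\AppData\\Roaming\\Codec\\host.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://abcdefghijklmnopponmlkjihgfedcba/"],
    }),
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_MANIFESTS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Pair this with an inventory of installed extensions: a host that only an unknown extension may launch, registered the same day a user ran a "codec installer", is the pattern this campaign leaves behind.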


The WhiskerSpy backdoor, like other malware of its kind, can delete, enumerate, download and upload files, take screenshots, inject shellcode, and load arbitrary executables.

“Earth Kitsune is technically proficient and continually evolves its tools, tactics, and procedures,” the researchers said.

Earth Yako Attacks Japanese Academic and Research Sectors

Earth Kitsune is not the only threat actor targeting Japan. Earth Yako has been attacking the country’s research institutes and think tanks.

This activity, observed in January 2023, is a continuation of a known campaign called Operation RestyLink. A subset of attacks also targeted entities located in Taiwan.

“The intrusion set introduced new tools and malware in a short period of time, and frequently changed and expanded its attack targets,” Trend Micro said, pointing to Earth Yako’s method of “proactively changing targets and methods.”

The starting point is a spear-phishing email masquerading as an invitation to a public event. The message contains a malicious URL pointing to a payload, which downloads malware onto the system.

The attack is also characterized by a suite of custom tools consisting of droppers (PULink), loaders (Dulload, MirrorKey), stagers (ShellBox), and backdoors (PlugBox, TransBox).

PlugBox, ShellBox, and TransBox, as their names suggest, leverage the Dropbox API to fetch next-stage malware from remote servers hard-coded in GitHub repositories, receive commands, and collect and exfiltrate data.
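Because the staging and command channels ride on legitimate services, domain blocklists do nothing here; what stands out is which process is talking to the Dropbox API. The following is an added example, not code from the original article or from Trend Micro, that triages EDR-style network events: it flags hosts where a process other than the sanctioned Dropbox client contacts the Dropbox API endpoints, and raises severity when the same host also fetched from GitHub, mirroring the staging pattern described above. The events and the sanctioned-process list are constructed for this example; the Dropbox API hostnames are the real ones the official SDKs use.

```python
import json
from collections import defaultdict

# Dropbox API endpoints used by the official SDKs; a non-Dropbox process
# talking to them directly deserves a look.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "notify.dropboxapi.com"}
GITHUB_HOSTS = {"raw.githubusercontent.com", "github.com", "api.github.com"}
# Hypothetical: processes permitted to use the Dropbox API in this environment.
SANCTIONED_PROCESSES = {"dropbox.exe"}

# Constructed EDR-style network events (JSON lines) for this example, not real telemetry.
SAMPLE_EVENTS = """\
{"host": "WS01", "process": "Dropbox.exe", "dest": "api.dropboxapi.com"}
{"host": "WS02", "process": "rundll32.exe", "dest": "raw.githubusercontent.com"}
{"host": "WS02", "process": "rundll32.exe", "dest": "content.dropboxapi.com"}
{"host": "WS03", "process": "update.exe", "dest": "api.dropboxapi.com"}
{"host": "WS04", "process": "git.exe", "dest": "github.com"}
"""


def triage(jsonl: str) -> list:
    """Return sorted (host, severity, offending_processes) tuples.

    A host alerts when an unsanctioned process reaches the Dropbox API;
    a GitHub fetch from the same host raises severity from medium to high.
    """
    state = defaultdict(lambda: {"procs": set(), "github": False})
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        proc, dest = ev["process"].lower(), ev["dest"].lower()
        if dest in DROPBOX_API_HOSTS and proc not in SANCTIONED_PROCESSES:
            state[ev["host"]]["procs"].add(proc)
        elif dest in GITHUB_HOSTS:
            state[ev["host"]]["github"] = True
    alerts = []
    for host, s in state.items():
        if s["procs"]:
            severity = "high" if s["github"] else "medium"
            alerts.append((host, severity, sorted(s["procs"])))
    return sorted(alerts)


if __name__ == "__main__":
    for host, severity, procs in triage(SAMPLE_EVENTS):
        print(f"{host}: {severity} - {', '.join(procs)}")
```

Tune the sanctioned list to your estate: browsers and developer tooling legitimately reach these hosts on some machines, and a think tank that never deployed the Dropbox client can treat any hit as worth a call.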

While the exact origins of Earth Yako remain unknown, Trend Micro said it has identified technical overlaps between this group and other threat actors, including Darkhotel, APT10 (aka Stone Panda), and APT29 (aka Cozy Bear or Nobelium).

“One of the characteristics of recent targeted attacks is that they have shifted to targeting individuals, who are considered to have weaker security measures than companies,” the company said.

“This shift toward targeting individuals rather than businesses is underscored by the targeting and abuse of Dropbox, as it is seen as a popular service among users for personal use in the region, while it is not used by the organizations.”
