North Korean Hackers Use New ‘Chinotto’ Malware to Target Windows, Android Devices

Kaspersky has analyzed a new espionage campaign conducted by the threat actor named ScarCruft, and the security firm’s researchers have uncovered a previously unknown malware that has been used to target Windows and Android devices.

Active since at least 2012 and also referred to as APT37, Group123, and Temp.Reaper, ScarCruft is likely backed by the North Korean government and is known for the targeting of defectors, journalists, and government organizations, among others.

The recently observed campaign fits the same pattern: its target was a news organization that covers North Korea. After infecting a victim with PowerShell malware, the adversary spied on that victim for months and also attempted to spear-phish the victim’s associates.

Kaspersky’s investigation into the attack uncovered three malware types that share the same command and control (C&C) scheme and communicate over HTTP. The new malware has been named Chinotto, and researchers have identified PowerShell, Windows and Android versions of the threat.

Additional victims were identified in South Korea, as well as compromised web servers (mostly located in South Korea) that ScarCruft has been abusing for this campaign since early 2021. Older variants of the malware had been delivered to victims since mid-2020, the researchers say.

The security firm discovered that the adversary used stolen Facebook credentials to contact a victim’s acquaintance, after which a phishing email was sent from a stolen account to the potential victim. A password-protected RAR archive containing a malicious Word document was attached to the message. Malicious macros in the document were designed to run shellcode and fetch the next stage payload.

The computer of the person who sent the phishing email was found to be infected with a PowerShell script functioning as a backdoor. The compromise likely happened in March 2021, and the adversary apparently exfiltrated files from it in August 2021, after the Chinotto malware was deployed.

Chinotto provides attackers with control over the compromised machines, as well as with data exfiltration capabilities. It can download and upload files, remove files, archive directories and exfiltrate them, take screenshots, and run Windows commands, among others.

The Android version of Chinotto asks for various permissions that allow it to collect sensitive information such as contacts, messages, call logs, device data, and audio recordings. The malware is likely being deployed via smishing (SMS phishing) attacks.

The researchers were able to identify four different suspected victims, all located in South Korea and all using Windows machines, showing that ScarCruft focused on individuals rather than companies in this campaign.

“The target of this attack is within the same scope as previous ScarCruft group campaigns. Based on the victimology and several code overlaps, we assess with medium confidence that this cyber-espionage operation is related to the ScarCruft group,” Kaspersky notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.