Kaspersky has analyzed a new espionage campaign conducted by the threat actor named ScarCruft, and the security firm’s researchers have uncovered a previously unknown malware that has been used to target Windows and Android devices.
Active since at least 2012 and also referred to as APT37, Group123, and Temp.Reaper, ScarCruft is likely backed by the North Korean government and is known for targeting defectors, journalists, and government organizations, among others.
The recently observed campaign falls within the same pattern, having a news organization that covers North Korea as its target. Following infection with PowerShell malware, the adversary spied on the victim for months, and even attempted to spear-phish victims’ associates.
Kaspersky’s investigation into the attack uncovered the use of three malware types, all three sharing the same command and control (C&C) scheme and using HTTP for communication. The new malware has been named Chinotto, and researchers have identified PowerShell, Windows and Android versions of the threat.
Additional victims were identified in South Korea, as well as compromised web servers (mostly located in South Korea) that ScarCruft has been abusing for this campaign since early 2021. Older variants of the malware had been delivered to victims since mid-2020, the researchers say.
The security firm discovered that the adversary used stolen Facebook credentials to contact a victim’s acquaintance, after which a phishing email was sent from a stolen account to the potential victim. A password-protected RAR archive containing a malicious Word document was attached to the message. Malicious macros in the document were designed to run shellcode and fetch the next stage payload.
The computer of the person who sent the phishing email was found to be infected with a PowerShell script functioning as a backdoor. The compromise likely happened in March 2021, and the adversary apparently exfiltrated files from it in August 2021, after the Chinotto malware was deployed.
Chinotto provides attackers with control over the compromised machines, as well as data exfiltration capabilities. It can download and upload files, remove files, archive directories and exfiltrate them, take screenshots, and run Windows commands, among other functions.
The Android version of Chinotto asks for various permissions that allow it to collect sensitive information such as contacts, messages, call logs, device data, and audio recordings. The malware is likely being deployed via smishing (SMS phishing) attacks.
The researchers were able to identify four different suspected victims, all located in South Korea and all using Windows machines, showing that ScarCruft focused on individuals rather than companies in this campaign.
“The target of this attack is within the same scope as previous ScarCruft group campaigns. Based on the victimology and several code overlaps, we assess with medium confidence that this cyber-espionage operation is related to the ScarCruft group,” Kaspersky notes.