A new backdoor malware named WhiskerSpy has been identified by cybersecurity researchers. The malware was used in a watering hole attack, which involves targeting individuals who visit a specific website, in this case, a pro-North Korea site. The campaign was carried out by Earth Kitsune, a relatively new advanced threat actor that has been known for targeting individuals with an interest in North Korea. The researchers found that the threat actor targeted visitors to the website from Shenyang, China, Nagoya, Japan, and Brazil. It is believed that Brazil was used only for testing the watering hole attack using a VPN connection, and the real targets were visitors from the two cities in China and Japan.

WhiskerSpy is a backdoor malware that was delivered through a watering hole attack, which involves targeting individuals who visit a specific website. Here's a step-by-step breakdown of how the malware works:

1. The threat actor identifies a pro-North Korea website and compromises it.
2. The attacker injects a malicious script into the website that asks visitors to install a video codec to watch videos on the site.
3. The attacker modifies a legitimate codec installer to load the backdoor malware onto the victim's system.
4. When the victim tries to install the codec, the malware is executed and installs itself on the victim's system as a shellcode.
5. The malware uses two persistence techniques to ensure it remains active on the victim's system:
   - It abuses the native messaging host in Google Chrome and installs a malicious Google Chrome extension called Google Chrome Helper. This extension allows the payload to execute every time the browser starts.
   - It leverages OneDrive side-loading vulnerabilities to drop a malicious file called "vcruntime140.dll" in the OneDrive directory.
6. Once installed, WhiskerSpy periodically connects to a command and control (C2) server using a 16-byte AES key for encryption.
7. The C2 server provides updates and instructions to the malware, such as executing shell commands, injecting code into another process, exfiltrating specific files, or taking screenshots.

The backdoor gives remote operators access to the victim's system, including the ability to execute shell commands, upload or download files, take screenshots, and inject shellcode into a process.

Overall, the attacker used a tried and tested method of a watering hole attack to target individuals with an interest in North Korea. They used a modified legitimate codec installer to deliver WhiskerSpy, a backdoor malware that provides the attacker with remote access to the victim's system. Although the researchers are moderately confident in attributing this attack to Earth Kitsune, the targets and modus operandi are similar to activities previously associated with the group. The malware uses persistence techniques to ensure it remains active on the victim's system and periodically connects to a C2 server for updates and instructions. The researchers urge individuals and organizations to be vigilant and take appropriate measures to secure their systems against such attacks.
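The two persistence techniques described above (a rogue Chrome native messaging host and a vcruntime140.dll planted in the OneDrive directory) leave artifacts a defender can audit. The following is an added example, not code from the researchers' report: it assumes the host manifests have already been collected from the paths named by Chrome's NativeMessagingHosts registry keys, and that a legitimate host binary lives under a vendor install root rather than a user-writable location; all sample files are constructed in a temporary directory.

```python
import json
import tempfile
from pathlib import Path

# Assumption for this example: legitimate native messaging host binaries are
# installed under a program root, not under a user profile or %TEMP%.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


def audit_native_host(manifest_path: Path) -> list[str]:
    """Flag a Chrome native messaging host whose binary sits outside trusted roots."""
    data = json.loads(manifest_path.read_text(encoding="utf-8"))
    host_bin = data.get("path", "")
    if not host_bin.lower().startswith(TRUSTED_ROOTS):
        return [f"native host {data.get('name')!r} runs from untrusted path: {host_bin}"]
    return []


def audit_onedrive_dir(onedrive_dir: Path) -> list[str]:
    """Flag a vcruntime140.dll dropped into the OneDrive directory (side-loading staging)."""
    return [f"unexpected DLL in OneDrive directory: {p}"
            for p in onedrive_dir.glob("*.dll") if p.name.lower() == "vcruntime140.dll"]


def run_demo() -> list[str]:
    """Run both checks over a constructed sample layout and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        hosts = root / "hosts"
        hosts.mkdir()
        # Constructed manifests: one from a vendor install root, one from %TEMP%.
        (hosts / "vendor.json").write_text(json.dumps({
            "name": "com.vendor.host", "path": "C:\\Program Files\\Vendor\\host.exe",
            "type": "stdio", "allowed_origins": ["chrome-extension://aaaa/"]}))
        (hosts / "helper.json").write_text(json.dumps({
            "name": "com.example.helper",
            "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\helper.exe",
            "type": "stdio", "allowed_origins": ["chrome-extension://bbbb/"]}))
        onedrive = root / "OneDrive"
        onedrive.mkdir()
        (onedrive / "vcruntime140.dll").write_bytes(b"MZ-constructed-sample")
        findings = []
        for manifest in sorted(hosts.glob("*.json")):
            findings += audit_native_host(manifest)
        findings += audit_onedrive_dir(onedrive)
    return findings


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On a live host, point audit_native_host at each manifest path from the NativeMessagingHosts keys and audit_onedrive_dir at the user's OneDrive folder; a hit on either check is worth pairing with a look at the extension the manifest's allowed_origins names.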