
North Korean state-sponsored hackers known as APT37 have been discovered targeting journalists specializing in the DPRK with a novel malware strain.

The malware is distributed through a phishing attack first discovered by NK News, an American news site dedicated to covering news and providing research and analysis about North Korea, using intelligence from within the country.

The APT37 hacking group, aka Ricochet Chollima, is believed to be sponsored by the North Korean government, which sees news reporting as a hostile operation, and attempted to use this attack to access highly-sensitive information and potentially identify journalists’ sources.

After discovering the attack, NK News contacted the malware experts at Stairwell, who took over the technical analysis.

Stairwell found a new malware sample named “Goldbackdoor,” which was assessed as a successor of “Bluelight.”

It is worth noting that this isn’t the first time APT37 has been linked to malware campaigns targeting journalists, with the most recent being a November 2021 report employing the highly-customizable “Chinotto” backdoor.

Sophisticated infection

The phishing emails originated from the account of the former director of South Korea’s National Intelligence Service (NIS), whom APT37 had previously compromised.

The highly-targeted campaign employed a two-stage infection process that gave the threat actors more deployment versatility and made it hard for analysts to sample payloads.

Two-stage infection process (Stairwell)

The emails sent to the journalists contained a link to download ZIP archives that had LNK files, both named ‘Kang Min-chol edits’. Kang Min-chol is North Korea’s Minister of Mining Industries.

The LNK file (a Windows shortcut) is disguised with a document icon and padded to artificially inflate its size to 282.7 MB, hindering uploads to VirusTotal and other online detection tools that enforce file-size limits.
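As an added defensive example (not code from the article or from Stairwell’s report), the following Python script flags shortcut files that show the size-inflation trick just described: a valid LNK header, a size far beyond what a shortcut needs, and a body dominated by a single filler byte. The 1 MiB threshold and the 0.9 filler ratio are assumptions, and the sample shortcut bytes are constructed.

```python
"""Hunt for oversized, padding-inflated Windows shortcut (.lnk) files."""
import struct

LNK_HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes
# CLSID 00021401-0000-0000-C000-000000000046 as it appears on disk (mixed-endian GUID)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SIZE_THRESHOLD = 1 * 1024 * 1024  # assumption: a shortcut over 1 MiB is abnormal
FILLER_RATIO = 0.9                # assumption: >90% one byte value means padding


def is_lnk(data: bytes) -> bool:
    """True if the blob starts with a plausible ShellLinkHeader (size field + CLSID)."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def padding_ratio(data: bytes) -> float:
    """Fraction of the file taken up by its single most common byte value.

    Real shortcuts are a few KB of varied content; an inflated one is
    dominated by one filler byte (typically 0x00 or a repeated character).
    """
    if not data:
        return 0.0
    return max(data.count(bytes([v])) for v in range(256)) / len(data)


def assess_lnk(data: bytes, size_threshold: int = SIZE_THRESHOLD) -> dict:
    """Return a verdict dict for one shortcut blob."""
    verdict = {
        "valid_lnk": is_lnk(data),
        "size": len(data),
        "padding_ratio": round(padding_ratio(data), 3),
    }
    verdict["suspicious"] = (
        verdict["valid_lnk"]
        and verdict["size"] > size_threshold
        and verdict["padding_ratio"] > FILLER_RATIO
    )
    return verdict


def build_sample(padding: int) -> bytes:
    """Constructed sample: minimal LNK header, a small fake body, then zero filler."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += bytes(LNK_HEADER_SIZE - len(header))  # remaining header fields zeroed
    body = b"C:\\Users\\Public\\Kang Min-chol edits.docx"  # placeholder target path
    return header + body + b"\x00" * padding


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, assess_lnk(fh.read()))
    if len(sys.argv) == 1:
        print("constructed sample:", assess_lnk(build_sample(2 * 1024 * 1024)))
```

Point the script at a directory of extracted archive contents; anything reported as suspicious is worth pulling into a sandbox rather than relying on an online scanner that rejected the upload.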

Upon execution, a PowerShell script launches and opens a decoy document (doc) for distraction while decoding a second script in the background.

First PowerShell script used in the attack (Stairwell)

The decoy document contained an embedded external image hosted on the Heroku platform, which alerts the threat actors when the document is viewed.

Embedded tracker link in the document (Stairwell)

The second script downloads and executes a shellcode payload stored on Microsoft OneDrive, a legitimate cloud-based file hosting service that is unlikely to generate AV alerts.

This payload is called “Fantasy,” and according to Stairwell, it is the first of Goldbackdoor’s two deployment mechanisms, both of which rely on stealthy process injection.

Goldbackdoor malware

Goldbackdoor is executed as a PE file (portable executable) and can accept basic commands remotely and exfiltrate data.

For this, it comes with a set of API keys that it uses to authenticate to Azure and retrieve commands for execution. These commands are related to keylogging, file operations, basic RCE, and the ability to uninstall itself.

The malware utilizes legitimate cloud services for the exfiltration of files, with Stairwell noticing the abuse of both Google Drive and Microsoft OneDrive.

The files targeted by Goldbackdoor are mainly documents and media, like PDF, DOCX, MP3, TXT, M4A, JPC, XLS, PPT, BIN, 3GP, and MSG.

While this was a highly targeted campaign, the discovery, exposure, and resulting detection rules and file hashes available in Stairwell’s technical report are still significant for the infosec community.

Source: www.bleepingcomputer.com