Security researchers have found a new backdoor called WhiskerSpy used in a campaign from a relatively new advanced threat actor tracked as Earth Kitsune, known for targeting individuals showing an interest in North Korea.
The actor used a tried and tested method and picked victims from visitors to a pro-North Korea website, a tactic known as a watering hole attack.
The new operation was discovered at the end of last year by researchers at cybersecurity company Trend Micro, who have been tracking Earth Kitsune activity since 2019.
Watering hole attack
According to Trend Micro, WhiskerSpy was delivered when visitors tried to watch videos on the website. The attacker compromised the website and injected a malicious script that asked the victim to install a video codec for the media to play.
To avoid suspicion, the threat actor modified a legitimate codec installer so that it eventually loaded "a previously unseen backdoor" on the victim's system.
The researchers say that the threat actor targeted only visitors to the website with IP addresses from Shenyang, China; Nagoya, Japan; and Brazil.
It is likely that Brazil was used only for testing the watering hole attack through a VPN connection, and that the real targets were visitors from the two cities in China and Japan. Matching victims would be served the fake error message below, which prompts them to install a codec to watch the video.
In reality, the codec is an MSI executable that drops shellcode on the victim's computer; the shellcode triggers a series of PowerShell commands that lead to deploying the WhiskerSpy backdoor.
The researchers note that one persistence method Earth Kitsune used in this campaign abuses the native messaging host in Google Chrome and installs a malicious Google Chrome extension called Google Chrome Helper.
The role of the extension is to allow execution of the payload every time the browser starts.
The other method used to achieve persistence leverages OneDrive side-loading weaknesses that allow dropping a malicious file (a fake "vcruntime140.dll") in the OneDrive directory.
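A defender-side hunt for the two persistence mechanisms just described, added here as an example and not taken from the article or from Trend Micro's report: it enumerates Chrome's registered native messaging hosts and flags unsigned hosts or hosts living under the user profile, then checks the OneDrive install tree for a vcruntime140.dll without a valid Microsoft signature. The registry keys are Chrome's documented host locations; the OneDrive path under %LOCALAPPDATA% is an assumption for a default per-user install.

```powershell
# Added hunt script (not from the article or Trend Micro). Registry paths are Chrome's real
# native messaging host locations; the OneDrive path assumes a default per-user install.
$hostKeys = 'HKCU:\Software\Google\Chrome\NativeMessagingHosts',
            'HKLM:\SOFTWARE\Google\Chrome\NativeMessagingHosts'

function Get-NativeMessagingHostFindings {
    foreach ($key in $hostKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            # The subkey's default value is the path to the host's JSON manifest.
            $manifestPath = (Get-ItemProperty -Path $sub.PSPath).'(default)'
            if (-not $manifestPath -or -not (Test-Path $manifestPath)) { continue }
            $manifest = Get-Content -Raw $manifestPath | ConvertFrom-Json
            $exe = $manifest.path
            # A relative "path" in the manifest is resolved against the manifest's directory.
            if ($exe -and -not [System.IO.Path]::IsPathRooted($exe)) {
                $exe = Join-Path (Split-Path $manifestPath) $exe
            }
            $sig = if ($exe -and (Test-Path $exe)) { (Get-AuthenticodeSignature $exe).Status } else { 'Missing' }
            [PSCustomObject]@{
                HostName       = $sub.PSChildName
                Executable     = $exe
                AllowedOrigins = ($manifest.allowed_origins -join ';')
                Signature      = $sig
                # Unsigned hosts, or hosts living under the user profile, deserve a closer look.
                Suspicious     = ($sig -ne 'Valid') -or ($exe -like "$env:USERPROFILE*")
            }
        }
    }
}

function Get-OneDriveSideloadFindings {
    $oneDrive = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'   # assumed install path
    if (-not (Test-Path $oneDrive)) { return }
    # Any vcruntime140.dll under the OneDrive tree should carry a valid Microsoft signature.
    Get-ChildItem -Path $oneDrive -Filter 'vcruntime140.dll' -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $sig = Get-AuthenticodeSignature $_.FullName
        [PSCustomObject]@{
            Path       = $_.FullName
            Signer     = $sig.SignerCertificate.Subject
            Signature  = $sig.Status
            Suspicious = ($sig.Status -ne 'Valid') -or ($sig.SignerCertificate.Subject -notlike '*Microsoft*')
        }
      }
}

Get-NativeMessagingHostFindings | Format-Table -AutoSize
Get-OneDriveSideloadFindings   | Format-Table -AutoSize
```

A row marked Suspicious is a lead, not a verdict: legitimate third-party hosts and OneDrive updates can also trip the signature check, so confirm the executable's origin before acting.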
WhiskerSpy is the main payload used in the latest 'Earth Kitsune' campaign, giving remote operators the following capabilities:
- interactive shell
- download file
- upload file
- delete file
- list files
- take screenshot
- load executable and call its export
- inject shellcode into a process
The backdoor communicates with the command and control (C2) server using a 16-byte AES key for encryption.
WhiskerSpy periodically connects to the C2 for updates about its status, and the server may reply with instructions for the malware, such as execute shell commands, inject code into another process, exfiltrate specific files, or take screenshots.
Trend Micro has discovered an earlier version of WhiskerSpy that uses the FTP protocol instead of HTTP for C2 communication. This older variant also checks for the presence of a debugger upon execution and informs the C2 with the appropriate status code.
Of note, the researchers' confidence in attributing this watering hole attack to Earth Kitsune is medium, but the modus operandi and the targets are similar to activities previously associated with the group.