The cyber espionage threat actor tracked as Earth Kitsune has been observed deploying a new backdoor called WhiskerSpy as part of a social engineering campaign.
Earth Kitsune, active since at least 2019, is known to primarily target individuals interested in North Korea with self-developed malware such as dneSpy and agfSpy. Previously documented intrusions have entailed the use of watering holes that leverage browser exploits in Google Chrome and Internet Explorer to activate the infection chain.
The differentiating factor in the latest attacks is a shift to social engineering to trick users into visiting compromised websites related to North Korea, according to a new report from Trend Micro released last week.
The cybersecurity company said the website of an unnamed pro-North Korean organization was hacked and modified to distribute the WhiskerSpy implant. The compromise was discovered at the end of last year.
“When a targeted visitor tries to watch videos on the website, a malicious script injected by the attacker displays a message prompt notifying the victims with a video codec error to entice them to download and install a trojanized codec installer,” researchers Joseph C Chen and Jaromir Horejsi said.
The booby-trapped script is said to have been injected into the website’s video pages, with the installer (“Codec-AVC1.msi”) subsequently employed to load WhiskerSpy.
But the attack also exhibits some clever tricks in an attempt to sidestep detection. This involves delivering the malicious script only to those visitors whose IP addresses match specific criteria –
- An IP address subnet located in Shenyang, China
- A specific IP address located in Nagoya, Japan, and
- An IP address subnet located in Brazil
Trend Micro noted that the targeted IP addresses in Brazil belong to a commercial VPN service and that the threat actor may have “used this VPN service to test the deployment of their watering hole attacks.”
Persistence is achieved by either abusing a Dynamic Library Link (DLL) hijacking vulnerability in OneDrive or via a malicious Google Chrome extension that employs native messaging APIs to execute the payload every time the web browser is launched.
The WhiskerSpy backdoor, like other malware of its kind, comes with capabilities to delete, enumerate, download and upload files, take screenshots, inject shellcode, load arbitrary executables.
“Earth Kitsune are proficient with their technical abilities and are continuously evolving their tools, tactics, and procedures,” the researchers said.
Earth Yako Strikes Academic and Research Sectors in Japan
Earth Kitsune is not the only threat actor to go after Japanese targets, for the cybersecurity company also detailed another intrusion set codenamed Earth Yako striking research organizations and think tanks in the country.
The activity, observed as recently as January 2023, is a continuation of a previously known campaign referred to as Operation RestyLink. A subset of the attacks also targeted entities located in Taiwan.
“The intrusion set introduced new tools and malware within a short period of time, frequently changing and expanding its attack targets,” Trend Micro said, pointing out Earth Yako’s modus operandi of “actively changing their targets and methods.”
The starting point is a spear-phishing email that masquerades as invitations to public events. The messages contain a malicious URL that points to a payload, which, in turn, is responsible for downloading the malware onto the system.
The attacks are also characterized by a trove of custom tools comprising droppers (PULink), loaders (Dulload, MirrorKey), stagers (ShellBox), and backdoors (PlugBox, TransBox).
PlugBox, ShellBox, and TransBox, as the names imply, take advantage of Dropbox APIs to retrieve next-stage malware from a remote server hard-coded in a GitHub repository, receive commands, and harvest and exfiltrate data.
The exact origins of Earth Yako remain unknown, but Trend Micro said it identified partial technical overlaps between the group and other threat actors like Darkhotel, APT10 (aka Stone Panda), and APT29 (aka Cozy Bear or Nobelium).
“One of the characteristics of the recent targeted attacks is that they shifted to targeting the individuals considered to have relatively weak security measures compared to companies and other organizations,” the company said.
“This shift to targeting individuals over enterprises is highlighted by the targeting and abuse of Dropbox as it is considered a popular service in the region among users for personal use, but not for organizations.”