Using spear-phishing emails, watering-hole sites and smishing (SMS phishing) messages, the North Korean state-sponsored hacking group APT37 is targeting South Korean journalists, human rights activists and defectors with a malware family nicknamed Chinotto that infects both Android and Windows devices.
APT37, also known as Reaper, has been active since 2012 and is an advanced persistent threat (APT) group that FireEye assesses to be tied to the North Korean government. Other security firms track it as ScarCruft (Kaspersky Lab), Group123 (Cisco Talos) or FreeMilk (Palo Alto Networks). The group has a history of targeting people involved in North Korean affairs, such as journalists, diplomats and government officials.
Chinotto, the malware Kaspersky researchers uncovered while investigating the group's most recent campaign, lets the operators take control of infected devices, spy on users through screenshots, deploy additional payloads, collect data of interest and exfiltrate it to attacker-controlled servers.
According to Kaspersky, the backdoor was delivered to victims' devices months after the initial compromise. In one case the attackers waited up to six months before installing Chinotto, after which they used it to steal sensitive data from the compromised device. Chinotto is highly configurable: the investigation turned up several variants of the malware, and in some cases multiple payloads were dropped on the same compromised device.
The Windows and Android variants share the same command-and-control (C2) communication scheme and exfiltrate stolen data primarily to web servers located in South Korea. On infected devices, the Android variant requests a broad set of permissions; once granted, Chinotto can use them to harvest a large amount of sensitive information, including the victim's contacts, text messages, call logs, device information and even audio recordings.
If the malware captures the victim's credentials, APT37 operators can reuse them to approach new targets via email and social media from the victim's own accounts.
In summary, the actor used spear-phishing against Windows systems and smishing against Android devices to reach its victims. On Windows, the actor relies on both a native executable and a PowerShell version of the malware to control compromised machines.