Security experts have found a brand-new backdoor used in a campaign by a relatively recent advanced threat actor known as Earth Kitsune, who primarily targets those interested in North Korea named WhiskerSpy. The attacker employed a tried-and-true strategy known as a “watering hole attack,” selecting victims from users of a website that supported North Korea. Researchers at cybersecurity firm Trend Micro, who have been monitoring Earth Kitsune activity since 2019, found the new operation towards the end of last year.
According to Trend Micro, WhiskerSpy was sent when users attempted to watch videos on the website. The attacker infiltrated the website and included a malicious script requiring the user to install a video codec for the material to play. The threat actor altered a trustworthy codec installer so that it finally installed “a previously unseen backdoor” on the victim’s PC to evade suspicion. The researchers said that the threat actor only targeted website users with IP addresses from Brazil, Shenyang, China, and Nagoya, Japan.
It’s possible that Brazil was just utilized to test the watering hole assault via a VPN connection, with visitors from the two locations in China and Japan serving as the actual targets. The fictitious error message below would be displayed to pertinent victims, instructing them to install a codec to view the video. The WhiskerSpy backdoor is deployed via a sequence of PowerShell commands triggered by the MSI executable shellcode that the codec installs on the victim’s PC.
Researchers have discovered that one persistence method employed by Earth Kitsune in this campaign exploits Google Chrome’s native message host and adds a malicious Google Chrome plugin called Google Chrome Helper. The extension’s function is to enable payload execution each time the browser launches. Employing OneDrive side-loading flaws that let a malicious file (fake “vcruntime140.dll”) be dropped in the OneDrive directory is the other way to achieve persistence.
The primary payload in the most recent “Earth Kitsune” campaign, WhiskerSpy, gives remote operators the following abilities:
- interactive shell
- list files
- upload file
- download file
- delete file
- load executable and call its export
- take screenshot
- inject shellcode into a process
Using a 16-byte AES key for encryption, the backdoor talks with the command and control (C2) server. The server may react with instructions for the malware, such as executing shell commands, injecting code into another process, exfiltrating certain data, or capturing pictures. WhiskerSpy frequently connects to the C2 for information regarding its status.
An older version of WhiskerSpy that used FTP rather than HTTP for C2 communication has been found by Trend Micro. This earlier variant notifies the C2 with the proper status code and checks for a debugger upon execution. However, the modus operandi and the targets are comparable to actions previously linked to the organization. It should be noted that the researchers’ confidence in linking this watering hole attack to Earth Kitsune is moderate.
