APT37, a group of North Korean state-sponsored hackers, has been identified as using a new malware strain to target journalists covering the DPRK. The malware is spread via a phishing attempt initially uncovered by NK News, an American news organization committed to reporting North Korean news and delivering research and analysis based on insider information.
The APT37 hacking group, also known as Ricochet Chollima, is thought to be funded by the North Korean government, which views independent reporting on the DPRK as hostile activity. The group's aim in this campaign appears to have been access to sensitive material and, potentially, the identification of journalists' sources.
After NK News became aware of the attack, it brought in Stairwell's malware analysts, who carried out the technical analysis. The new malware sample Stairwell discovered, "Goldbackdoor," was assessed as a successor to "Bluelight." APT37 has previously been involved in malware attacks aimed at journalists; the most recent prior case was a November 2021 report describing the highly configurable "Chinotto" backdoor.
The phishing emails were sent from the account of a former director of South Korea's National Intelligence Service (NIS), which APT37 had compromised earlier. The highly targeted campaign used a two-stage infection chain, giving the threat actors more flexibility in what they deployed while making it harder for investigators to obtain payload samples. The journalists received emails with a link to download ZIP archives containing LNK files, both titled 'Kang Min-chol changes.' Kang Min-chol is North Korea's Minister of Mining Industries.
The LNK file (a Windows shortcut) uses a document icon as a disguise and is padded to 282.7 MB, making it difficult to submit to VirusTotal and other online detection services. When opened, it runs a PowerShell script that displays a decoy document to distract the user while a second script is decoded in the background. The decoy document contained an embedded external image hosted on the Heroku platform, which notified the threat actors when the document was viewed.
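The oversized, padded shortcut described above is something a defender can triage for directly. The following is an added example (not code from Stairwell's report): it checks that a file carries the Shell Link header, that it is far larger than any genuine shortcut, and that its tail is filler rather than link data; the 10 MiB size threshold, the 0.95 padding ratio and the constructed sample are assumptions.

```python
"""Heuristic triage for oversized, padded Windows shortcut (.lnk) files."""
from collections import Counter
from pathlib import Path

# ShellLinkHeader start: HeaderSize 0x4C followed by LinkCLSID
# {00021401-0000-0000-C000-000000000046} as laid out on disk.
LNK_MAGIC = bytes.fromhex("4c000000" + "0114020000000000c000000000000046")
SIZE_THRESHOLD = 10 * 1024 * 1024   # assumption: real shortcuts are a few KB
TAIL_SAMPLE = 1024 * 1024           # bytes inspected at the end of the file
PAD_RATIO = 0.95                    # assumption: share of tail that is one byte value

def is_lnk(data: bytes) -> bool:
    """True if the buffer starts with the Shell Link header magic."""
    return data.startswith(LNK_MAGIC)

def padding_ratio(data: bytes, sample: int = TAIL_SAMPLE) -> float:
    """Fraction of the trailing bytes made up of the single most common byte value."""
    tail = data[-sample:]
    if not tail:
        return 0.0
    return Counter(tail).most_common(1)[0][1] / len(tail)

def assess_lnk(data: bytes) -> dict:
    """Flag a buffer only when it is a LNK, exceeds SIZE_THRESHOLD,
    and its tail looks like filler rather than shortcut data."""
    verdict = {"is_lnk": is_lnk(data), "size": len(data),
               "padding_ratio": round(padding_ratio(data), 3), "suspicious": False}
    if verdict["is_lnk"] and len(data) > SIZE_THRESHOLD \
            and verdict["padding_ratio"] >= PAD_RATIO:
        verdict["suspicious"] = True
    return verdict

def scan_directory(root: str) -> list:
    """Walk a directory tree and return (path, verdict) for every flagged .lnk file."""
    hits = []
    for path in Path(root).rglob("*.lnk"):
        verdict = assess_lnk(path.read_bytes())
        if verdict["suspicious"]:
            hits.append((str(path), verdict))
    return hits

def constructed_padded_lnk(pad_bytes: int = 16 * 1024 * 1024) -> bytes:
    """Constructed sample: 76-byte header, a short stand-in body, then zero filler."""
    header = LNK_MAGIC + bytes(76 - len(LNK_MAGIC))
    body = bytes(range(256)) * 4
    return header + body + b"\x00" * pad_bytes

if __name__ == "__main__":
    print(assess_lnk(constructed_padded_lnk()))
```

Tune the thresholds to the environment: some legitimate shortcuts embed larger property stores, so use the verdict to queue files for analyst review rather than to block outright.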
The second script downloads and runs a shellcode payload from Microsoft OneDrive, a legitimate cloud file-hosting service whose traffic is unlikely to trigger security alerts. According to Stairwell, this payload is known as "Fantasy," and it is the first of Goldbackdoor's two deployment methods, both of which rely on stealthy process injection.
Goldbackdoor is a portable executable (PE) file that can receive basic commands from a remote operator and exfiltrate data. It ships with a set of API keys, which it uses to authenticate to Azure and retrieve commands for execution. The supported commands cover keylogging, file operations, basic remote code execution (RCE), and self-removal.
The malware abuses legitimate cloud services for file exfiltration, with Stairwell observing use of both Google Drive and Microsoft OneDrive. Goldbackdoor primarily targets document and media formats such as PDF, DOCX, MP3, TXT, M4A, JPC, XLS, PPT, BIN, 3GP, and MSG. Even though this was a highly targeted campaign, the discovery, its disclosure, and the resulting detection rules and file hashes available in Stairwell's technical report remain useful to the infosec community.