APT37, a North Korean state-sponsored hacking group, has built a new malware strain to infect journalists who specialize in the DPRK.
According to NK News, a United States-based website, the malware was distributed through phishing attacks.
NK News publishes the latest news and information, along with research and analysis about North Korea, drawing on what is available from within the country.
North Korean Hacking Group APT37
APT37 is believed to be a hacking group sponsored by the North Korean government and is also tracked as Ricochet Chollima.
After discovering the attack, NK News contacted Stairwell for further assistance and shared the samples with Stairwell's malware experts, who took over the technical analysis.
The Stairwell security team identified a new malware sample, named "Goldbackdoor," which it assesses to be a successor to "Bluelight."
This is not the first time APT37 has been tied to malware campaigns targeting journalists.
The most recent report in this category was published in November 2021 and described the use of the highly customizable backdoor "Chinotto."
Infection
The emails containing the phishing links were sent from the account of the former director of South Korea's NIS, which APT37 had previously compromised.
The infection process for this highly targeted campaign had two stages. Besides giving the threat actors more deployment options, a two-stage infection makes it harder to recover payload samples from compromised computers.
The emails carried a link to download ZIP archives containing LNK files. The archive was named "Kang Min-chol edits"; Kang Min-chol is the Minister of Mining Industries in North Korea.
The LNK file was disguised with a document icon and artificially padded to a size of 282.7 MB, which makes it difficult for users to upload the file to the online malware scanning service VirusTotal.
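The two tricks described above (a shortcut file wearing a document icon and padded to a size that is awkward to submit to a scanner) are both visible from the archive's own metadata. The following triage script is an added example, not code from Stairwell, NK News or the original article: it walks a ZIP attachment, detects shortcut entries by their ShellLinkHeader rather than trusting the extension, and flags entries whose uncompressed size or compression ratio is out of line with a real shortcut. The thresholds, the `build_sample_zip` helper and the entry names it writes are constructed for this example.

```python
"""Triage helper for ZIP attachments: flag Windows shortcut (.lnk) entries and
inflated (padded) entries from archive metadata alone, without executing anything.
Added example; thresholds and sample data are assumptions, not values from the report."""
import io
import struct
import zipfile

# A ShellLinkHeader starts with HeaderSize 0x4C followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk (mixed-endian GUID) layout.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")

# Assumed thresholds for this example: genuine shortcuts are a few KB, and a file
# padded with a repeating byte deflates at roughly 1000:1.
SIZE_THRESHOLD = 1 * 1024 * 1024   # 1 MiB uncompressed is already absurd for a shortcut
RATIO_THRESHOLD = 100.0            # uncompressed / compressed


def is_lnk(data: bytes) -> bool:
    """True if the first 20 bytes look like a ShellLinkHeader (size field + CLSID)."""
    if len(data) < 20:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def triage_zip(zip_bytes: bytes) -> list:
    """Return one finding per suspicious entry: name, sizes and the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(20)          # only the header is needed for the magic check
            shortcut = is_lnk(head) or info.filename.lower().endswith(".lnk")
            ratio = info.file_size / max(info.compress_size, 1)
            reasons = []
            if shortcut:
                reasons.append("shortcut")
            if shortcut and info.file_size >= SIZE_THRESHOLD:
                reasons.append("oversized")
            if ratio >= RATIO_THRESHOLD:
                reasons.append("highly compressible (padding?)")
            if reasons:
                findings.append({
                    "name": info.filename,
                    "uncompressed": info.file_size,
                    "compressed": info.compress_size,
                    "reasons": reasons,
                })
    return findings


def build_sample_zip(pad_bytes: int) -> bytes:
    """Constructed sample archive: a minimal LNK header followed by zero padding,
    plus a harmless text entry. The entry names are invented for this example."""
    lnk = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    lnk += b"\x00" * (LNK_HEADER_SIZE - len(lnk))   # rest of the fixed-size header
    lnk += b"\x00" * pad_bytes                       # the padding trick
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Kang Min-chol edits.lnk", lnk)
        zf.writestr("readme.txt", b"benign text, constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip(2 * 1024 * 1024)):
        print(finding)
```

The check deliberately reads the header bytes instead of relying on the extension, because Windows hides the `.lnk` suffix and the lure relies on the user seeing only the document icon; the size and ratio checks catch the padding whether or not the file is recognised as a shortcut.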
Abilities
On the compromised system, the threat actors gain the following abilities:-
- Keylogging
- File operations
- RCE
- Uninstall itself
- Exfiltration of files
And to do so, the threat actors use legit cloud services like:-
- Google Drive
- Microsoft OneDrive
Documents & Media Targeted by Goldbackdoor
The documents and media files targeted by Goldbackdoor are listed below:-
- DOCX
- MP3
- TXT
- M4A
- JPC
- XLS
- PPT
- BIN
- 3GP
- MSG
Because the campaign was so narrowly targeted, the infosec community is still working through its discovery and exposure, the resulting detection rules, and the associated file hashes and checks.