Researching North Korea online? You could be victim of a malware attack

A backdoor is being installed on pro-North Korean websites


People with an interest in all things North Korea are being targeted with a very specific malware.

Cybersecurity researchers from Trend Micro (via BleepingComputer) have recently observed Earth Kitsune, a nascent threat actor, breaching a pro-North Korea website, and then using that site to deliver a backdoor dubbed WhiskerSpy.

The malware allows the threat actors to steal files, take screenshots, and deploy additional malware to the compromised endpoint.


WhiskerSpy malware

According to the researchers, when certain people visit the website and look to run video content, they’ll be prompted to install a video codec first. Those that fall for the trick would download a modified version of a legitimate codec (Codec-AVC1.msi), which installs the WhiskerSpy backdoor.

The backdoor grants the threat actors a number of different capabilities, including downloading files to the compromised endpoint, uploading files, deleting them, listing them, taking screenshots, loading executables and calling their exports, and injecting shellcode into processes.

The backdoor then communicates with its command and control (C2) server, encrypting that traffic with a 16-byte AES key.

But not all visitors are at risk. In fact, chances are that only a small portion of the visitors are being targeted, as Trend Micro discovered that the backdoor only activates when visitors from Shenyang, China, or Nagoya, Japan, open the site.



Truth be told, people from Brazil would also be prompted to download the backdoor, but researchers believe Brazil was only used to test if the attack works or not.

After all, the researchers found the IP addresses in Brazil belonged to a commercial VPN service.

Once installed, the malware goes to lengths to persist on the device. Apparently, Earth Kitsune uses the native messaging host in Google’s Chrome browser to install a malicious extension called Google Chrome Helper. This extension would run the payload every time the browser starts.
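As an added defender-side illustration (not code from the article or from Trend Micro), the following reviews Chrome native messaging host manifests for the traits this persistence trick relies on: a host binary living in a user-writable directory, an allowed origin that is not a known extension ID, and a name that borrows Google's branding. The manifests, paths and the extension-ID allowlist are constructed samples.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample manifests (not taken from the article) in the Chrome
# native messaging host manifest format: name, path, type, allowed_origins.
SAMPLE_MANIFESTS = {
    r"C:\Program Files\Vendor\nmh\com.vendor.host.json": json.dumps({
        "name": "com.vendor.host",
        "description": "Vendor helper",
        "path": r"C:\Program Files\Vendor\nmh\host.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
    }),
    r"C:\Users\alice\AppData\Roaming\gch\com.google.chrome.helper.json": json.dumps({
        "name": "com.google.chrome.helper",
        "description": "Google Chrome Helper",
        "path": r"C:\Users\alice\AppData\Roaming\gch\helper.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://pnopmlkjihgfedcbapnopmlkjihgfedc/"],
    }),
}

# Directory names that an unprivileged user can write to (assumed list).
USER_WRITABLE = {"appdata", "temp", "tmp", "public", "downloads"}
# Assumed allowlist of extension IDs the organisation has approved.
KNOWN_EXTENSION_IDS = {"abcdefghijklmnopabcdefghijklmnop"}


def review_manifest(manifest_text, known_ids=KNOWN_EXTENSION_IDS):
    """Return a list of human-readable findings for one manifest."""
    findings = []
    try:
        m = json.loads(manifest_text)
    except json.JSONDecodeError:
        return ["manifest is not valid JSON"]
    host_path = PureWindowsPath(m.get("path", ""))
    if {p.lower() for p in host_path.parts} & USER_WRITABLE:
        findings.append(f"host binary in user-writable location: {host_path}")
    for origin in m.get("allowed_origins", []):
        ext_id = origin.removeprefix("chrome-extension://").strip("/")
        if ext_id not in known_ids:
            findings.append(f"allowed_origins references unknown extension id {ext_id}")
    if "google" in m.get("name", "").lower() and "program files" not in str(host_path).lower():
        findings.append("name impersonates Google but binary is outside Program Files")
    return findings


def review_all(manifests=SAMPLE_MANIFESTS):
    """Map each manifest path to its findings; an empty list means nothing flagged."""
    return {path: review_manifest(text) for path, text in manifests.items()}
```

On a real host the same logic would be fed the manifests referenced under the NativeMessagingHosts registry keys or the corresponding per-user directories rather than the inline samples.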

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
