People interested in everything related to North Korea are attacked by very specific malware.
Cybersecurity researchers from Trend Micro (opens in a new tab) (By Beeping Computer) recently observed that Earth Kitsune, an emerging cybercriminal, hacked a pro-Korean website and then used the website to deliver a backdoor dubbed WhiskerSpy.
Malware allows cybercriminals to steal files, take screenshots, and install additional malware on the compromised endpoint.
WhisperSpy malware
According to the researchers, when some people visit a website and want to run video content, they will first be asked to install a video codec. People who fall for this trick will download a modified version of a legitimate codec (Codec-AVC1.msi) that installs the WhiskerSpy backdoor.
The backdoor provides cybercriminals with a number of different capabilities, including downloading files to the compromised endpoint, uploading files, deleting them, displaying them, taking screenshots, loading executable files and causing them to export, and injecting shellcode into processes.
The backdoor then communicates with the Malware Command and Control (C2) server using a 16-byte AES encryption key.
But not all visitors are at risk. In fact, it’s likely that only a small fraction of visitors are targeted, as Trend Micro discovered that the backdoor only activates when visitors from Shenyang, China, or Nagoya, Japan access the site.
In fact, people from Brazil would also be asked to download the backdoor, but the researchers believe that Brazil was only used to check whether the attack works or not.
Eventually, researchers discovered that the IP addresses in Brazil belonged to a commercial VPN service.
Once installed, the malware does its best to stay on your device. Apparently, Earth Kitsune uses the native news host in Google Chrome to install a malicious extension called Google Chrome Helper. This extension will run a payload every time the browser is launched.