Researching North Korea online? You could be victim of a malware attack


People with an interest in all things North Korea are being targeted with a very specific malware.

Cybersecurity researchers from Trend Micro (via BleepingComputer) have recently observed Earth Kitsune, a nascent threat actor, breaching a pro-North Korea website, and then using that site to deliver a backdoor dubbed WhiskerSpy.

The malware allows the threat actors to steal files, take screenshots, and deploy additional malware to the compromised endpoint.

WhiskerSpy malware

According to the researchers, when certain visitors to the website try to play video content, they are prompted to install a video codec first. Those who fall for the trick download a modified version of a legitimate codec installer (Codec-AVC1.msi), which installs the WhiskerSpy backdoor.

The backdoor grants the threat actors a number of different capabilities, including downloading files to the compromised endpoint, uploading files, deleting them, listing them, taking screenshots, loading executables and calling their exports, and injecting shellcode into processes.

The backdoor communicates with its command and control (C2) server using a 16-byte AES encryption key.

But not all visitors are at risk. In fact, chances are that only a small portion of the visitors are being targeted, as Trend Micro discovered that the backdoor only activates when visitors from Shenyang, China, or Nagoya, Japan, open the site. 

Truth be told, people from Brazil would also be prompted to download the backdoor, but researchers believe Brazil was only used to test if the attack works or not. 

After all, the researchers found the IP addresses in Brazil belonged to a commercial VPN service.

Once installed, the malware goes to lengths to persist on the device. Apparently, Earth Kitsune uses the native messaging host in Google’s Chrome browser to install a malicious extension called Google Chrome Helper. This extension would run the payload every time the browser starts.
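The persistence step described above is something a defender can audit on an endpoint. As an added example (not code from the article or from Trend Micro's report), the following Python checks Chrome native messaging host manifests for a host binary living in a user-writable directory, an extension origin outside an allowlist, or a name that impersonates a Chrome component. The manifests, paths and extension IDs are constructed for the example; on a real Windows host the manifest paths would be read from the `HKCU\Software\Google\Chrome\NativeMessagingHosts` registry keys rather than from an embedded dictionary.

```python
import re

# Constructed sample manifests in Chrome's native messaging host format
# (name, description, path, type, allowed_origins). The paths, host names
# and 32-character extension IDs below are invented, not indicators from
# the Trend Micro report.
GOOD_ID = "a" * 32
BAD_ID = "b" * 32
SAMPLE_MANIFESTS = {
    r"C:\Program Files\ExampleVendor\host.json": {
        "name": "com.examplevendor.host",
        "description": "ExampleVendor bridge",
        "path": r"C:\Program Files\ExampleVendor\host.exe",
        "type": "stdio",
        "allowed_origins": [f"chrome-extension://{GOOD_ID}/"],
    },
    r"C:\Users\alice\AppData\Roaming\Helper\host.json": {
        "name": "com.google.chrome.helper",
        "description": "Google Chrome Helper",
        "path": r"C:\Users\alice\AppData\Roaming\Helper\codec.exe",
        "type": "stdio",
        "allowed_origins": [f"chrome-extension://{BAD_ID}/"],
    },
}

# Hypothetical allowlist of extension IDs the organisation has approved.
APPROVED_EXTENSION_IDS = {GOOD_ID}
USER_WRITABLE = re.compile(r"\\(Users|Windows\\Temp)\\", re.IGNORECASE)
ORIGIN = re.compile(r"^chrome-extension://([a-p]{32})/$")


def audit_manifest(manifest: dict) -> list:
    """Return the list of findings for one native messaging host manifest."""
    findings = []
    if manifest.get("type") != "stdio":
        findings.append("unexpected type (only 'stdio' is valid)")
    path = manifest.get("path", "")
    if USER_WRITABLE.search(path):
        findings.append("host binary in a user-writable directory: " + path)
    for origin in manifest.get("allowed_origins", []):
        m = ORIGIN.match(origin)
        if not m:
            findings.append("malformed allowed_origin: " + origin)
        elif m.group(1) not in APPROVED_EXTENSION_IDS:
            findings.append("unapproved extension may launch this host: " + m.group(1))
    label = (manifest.get("name", "") + " " + manifest.get("description", "")).lower()
    if "chrome helper" in label or label.startswith("com.google."):
        findings.append("name impersonates a Google/Chrome component: " + label.strip())
    return findings


def audit_all(manifests: dict) -> dict:
    """Map manifest path -> findings, keeping only manifests with findings."""
    results = {}
    for manifest_path, manifest in manifests.items():
        findings = audit_manifest(manifest)
        if findings:
            results[manifest_path] = findings
    return results
```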



from TechRadar - All the latest technology news https://ift.tt/DYJfju6
via IFTTT
