
A state-backed threat actor with ties to the Democratic People’s Republic of Korea (DPRK) has been linked to a spear-phishing campaign targeting journalists covering the country, with the ultimate goal of deploying a backdoor on infected Windows systems.
The intrusions, said to be the work of Ricochet Chollima, resulted in the deployment of a novel malware strain called GOLDBACKDOOR, an artifact that shares technical overlaps with another malware named BLUELIGHT, which has been previously linked to the group.
“Journalists are high-value targets for hostile governments,” cybersecurity firm Stairwell said in a report published last week. “Compromising a journalist can provide access to highly-sensitive information and enable additional attacks against their sources.”
Ricochet Chollima, also known as APT37, InkySquid, and ScarCruft, is a North Korean-nexus targeted intrusion adversary that has been involved in espionage attacks since at least 2016. The threat actor has a track record of targeting the Republic of Korea with a noted focus on government officials, non-governmental organizations, academics, journalists, and North Korean defectors.
In November 2021, Kaspersky unearthed evidence of the hacking crew delivering a previously undocumented implant called Chinotto as part of a new wave of highly-targeted surveillance attacks, while other prior operations have made use of a remote access tool called BLUELIGHT.
Stairwell’s investigation into the campaign comes weeks after NK News disclosed that the lure messages were sent from a personal email address belonging to a former South Korean intelligence official, ultimately leading to the deployment of the backdoor in a multi-stage infection process to evade detection.
The email messages were found to contain a link to download a ZIP archive from a remote server designed to impersonate the North Korea-focused news portal. Embedded within the archive is a Windows shortcut file that acts as a jumping-off point to execute a PowerShell script, which opens a decoy document while simultaneously installing the GOLDBACKDOOR backdoor.
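For defenders, the delivery chain described above (a ZIP archive carrying a Windows shortcut that starts PowerShell) can be triaged at the mail or web gateway. The following is an added example, not code from Stairwell's report or the original article; the keyword list, function names and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Shell Link header per MS-SHLLINK: HeaderSize 0x4C, then the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000") + bytes.fromhex("0114020000000000c000000000000046")
# Script hosts worth flagging inside a shortcut (assumed list, tune locally).
KEYWORDS = ("powershell", "pwsh", "cmd.exe", "mshta")

def is_shell_link(data: bytes) -> bool:
    """Identify a shortcut by its header rather than by file name."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC

def keyword_hits(data: bytes) -> list:
    """LNK strings may be ASCII or UTF-16LE, so search both encodings."""
    lowered = data.lower()  # lowercases ASCII letters in either encoding
    return [k for k in KEYWORDS
            if k.encode("ascii") in lowered or k.encode("utf-16-le") in lowered]

def triage_zip(blob: bytes, max_read: int = 16 * 1024 * 1024) -> list:
    """Return one finding per shortcut (or uninspectable member) in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: cannot be inspected
                findings.append({"member": info.filename, "reason": "encrypted"})
                continue
            with zf.open(info) as fh:
                data = fh.read(max_read)  # cap read size against padded files
            if is_shell_link(data) or info.filename.lower().endswith(".lnk"):
                findings.append({"member": info.filename, "reason": "shortcut",
                                 "size": info.file_size,
                                 "keywords": keyword_hits(data)})
    return findings

def build_sample() -> bytes:
    """Constructed archive: a fake shortcut with a double extension plus a text file."""
    fake_lnk = LNK_MAGIC.ljust(76, b"\x00") + "PowerShell.exe".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("article_draft.docx.lnk", fake_lnk)
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding)
```

A shortcut inside an archive delivered by email or a download link is rare in normal use, so a finding with a non-empty `keywords` list is a reasonable trigger for quarantine and analyst review.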
The implant, for its part, is fashioned as a Portable Executable file that’s capable of retrieving commands from a remote server, uploading and downloading files, recording files, and remotely uninstalling itself from the compromised machines.