Chinotto spyware spies on North Korean defectors and activists

Long term operation by ScarCruft hackers has been linked to the North Korean government

New spyware has been discovered by security researchers that snoops on North Korean defectors and journalists that cover news on the Korean peninsula.

Dubbed Chinotto, the spyware is linked to a gang of hackers called ScarCruft, a group is linked to the North Korean government. The hackers are also known as APT37 or Temp.Reaper.

"The actor utilized three types of malware with similar functionalities: versions implemented in PowerShell, Windows executables, and Android applications," said researchers at Kaspersky. 

"Although intended for different platforms, they share a similar command and control scheme based on HTTP communication. Therefore, the malware operators can control the whole malware family through one set of command-and-control scripts."

According to a blog post by Kaspersky, hackers contact an acquaintance of the victim using the victim’s stolen Facebook account and already knew that the potential target ran a business related to North Korea and asked about its current status. 

Following conversations on Facebook, a spear-phishing email is sent to the potential victim using a stolen email account. This email contains a password protected RAR archive with the password shown in the email body. The RAR file contains a malicious Word document that acts as a lure related to North Korea.

This word document when opened executes a macro and decrypts another payload embedded in the document. This Visual Basic Application (VBA) payload contains shellcode as a hex string. This script is responsible for injecting the shellcode into the process notepad.exe. The shellcode contains the URL to fetch the next stage payload. After fetching the payload, the shellcode decrypts it with trivial single-byte XOR decryption.

Researchers couldn’t gather the final payload when they investigated this sample. However, they did work out that one of the malware’s victims was breached on March 22, 2021, based on a file timestamp.

The Chinotto malware collected screenshots and exfiltrated them between August 6, 2021, and September 8, 2021. 

In addition to a Windows version, Chinotto also has an Android version that carries out similar tasks. Researchers said the Android malware requests excessive permissions according to the AndroidManifest.xml file

Related Resource

Protecting every edge to make hackers’ jobs harder, not yours

How to support and secure hybrid architectures

White square with whitepaper title on top of a background image of a building and pavementFree download

“To achieve its purpose of spying on the user, these apps ask users to enable various sorts of permissions. Granting these permissions allows the apps to collect sensitive information, including contacts, messages, call logs, device information, and audio recordings,” said researchers.

"Many journalists, defectors, and human rights activists are targets of sophisticated cyberattacks," they added. "Unlike corporations, these targets typically don't have sufficient tools to protect against and respond to highly skilled surveillance attacks."

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now


Bahrain targets activists with NSO's Pegasus spyware

Bahrain targets activists with NSO's Pegasus spyware

24 Aug 2021

Most Popular

Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Dell XPS 15 (2021) review: The best just got better

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022