
Chinotto spyware spies on North Korean defectors and activists

Long term operation by ScarCruft hackers has been linked to the North Korean government

Security researchers have discovered new spyware that snoops on North Korean defectors and on journalists who cover news on the Korean peninsula.

Dubbed Chinotto, the spyware is attributed to a hacking group called ScarCruft, which has been linked to the North Korean government. The group is also known as APT37 or Temp.Reaper.

"The actor utilized three types of malware with similar functionalities: versions implemented in PowerShell, Windows executables, and Android applications," said researchers at Kaspersky. 

"Although intended for different platforms, they share a similar command and control scheme based on HTTP communication. Therefore, the malware operators can control the whole malware family through one set of command-and-control scripts."

According to a blog post by Kaspersky, the hackers contact an acquaintance of the victim using the victim's stolen Facebook account; they already knew that the potential target ran a business related to North Korea and asked about its current status.

Following conversations on Facebook, a spear-phishing email is sent to the potential victim from a stolen email account. This email contains a password-protected RAR archive, with the password shown in the email body. The RAR file contains a malicious Word document that acts as a lure related to North Korea.

When opened, this Word document executes a macro that decrypts another payload embedded in the document. This Visual Basic for Applications (VBA) payload contains shellcode as a hex string, and the script injects that shellcode into the notepad.exe process. The shellcode contains the URL from which the next-stage payload is fetched; after fetching it, the shellcode decrypts the payload with a trivial single-byte XOR.
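The "trivial single-byte XOR" step is what makes the next stage recoverable for an analyst even without the key: there are only 256 candidates, and an executable decodes to something recognisable for exactly one of them. The following is an added example, not code from the Kaspersky report or from the Chinotto samples; the blob it works on is constructed here (a fake PE-like buffer XORed with an assumed key), and the magic-number and printable-byte heuristics are the author's own triage shortcuts.

```python
"""Recover a payload hidden behind single-byte XOR, from an analyst's chair.

Added example, not code from the Kaspersky report or the article. The
sample blob is constructed here: a fake PE-like buffer XORed with a key
the analyst is assumed not to know in advance.
"""
from collections import Counter

# Constructed stand-in for a fetched second stage: a PE header stub and
# the familiar DOS-stub string, padded with NULs as real executables are.
SAMPLE_PLAINTEXT = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    + b"\x00" * 32
)
SAMPLE_KEY = 0x5A  # assumed key; the decoder below never reads it
SAMPLE_BLOB = bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAINTEXT)


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (decryption is the same operation)."""
    return bytes(b ^ key for b in data)


def score_candidate(plain: bytes) -> float:
    """Higher is more plausible as a decoded payload.

    Two cheap heuristics an analyst would apply:
    - a known file magic at offset 0 (PE 'MZ', ELF, ZIP/OOXML) is decisive;
    - otherwise, the share of printable-ASCII, whitespace or NUL bytes,
      since real executables and scripts are dominated by those.
    """
    magic_bonus = 0.0
    if plain[:2] == b"MZ" or plain[:4] == b"\x7fELF" or plain[:2] == b"PK":
        magic_bonus = 1.0
    if not plain:
        return magic_bonus
    plausible = sum(
        1 for b in plain
        if b == 0 or 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)
    )
    return magic_bonus + plausible / len(plain)


def recover_xor_payload(blob: bytes) -> tuple[int, bytes, float]:
    """Try all 256 keys and return (key, decoded, score) for the best one."""
    best = (0, blob, -1.0)
    for key in range(256):
        cand = xor_single_byte(blob, key)
        s = score_candidate(cand)
        if s > best[2]:
            best = (key, cand, s)
    return best


def key_hint_from_nulls(blob: bytes) -> int:
    """Shortcut: in a XORed executable the most frequent ciphertext byte is
    almost always the key itself, because the plaintext is mostly NULs."""
    return Counter(blob).most_common(1)[0][0]


if __name__ == "__main__":
    key, decoded, score = recover_xor_payload(SAMPLE_BLOB)
    print(f"best key 0x{key:02X} score {score:.2f} magic {decoded[:2]!r}")
    print(f"null-frequency hint: 0x{key_hint_from_nulls(SAMPLE_BLOB):02X}")
```

The brute-force path generalises to any single-byte XOR layer, not just this sample; the NUL-frequency hint is faster but only holds for payloads with long zero runs, which is why the scoring loop is the one to trust.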

Researchers couldn’t gather the final payload when they investigated this sample. However, they did work out that one of the malware’s victims was breached on March 22, 2021, based on a file timestamp.

The Chinotto malware collected screenshots and exfiltrated them between August 6, 2021, and September 8, 2021. 

In addition to a Windows version, Chinotto also has an Android version that carries out similar tasks. Researchers said the Android malware requests excessive permissions according to its AndroidManifest.xml file.


“To achieve its purpose of spying on the user, these apps ask users to enable various sorts of permissions. Granting these permissions allows the apps to collect sensitive information, including contacts, messages, call logs, device information, and audio recordings,” said researchers.
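The manifest is the first place a defender looks when an unfamiliar APK lands on a device: the combination of permissions, rather than any one of them, is what distinguishes a surveillance tool from an ordinary app. The following is an added example, not code from Kaspersky or from the Chinotto samples. The manifest it parses is constructed to resemble the permission set the article describes (contacts, messages, call logs, device information, audio); the permission names are real Android permissions, while the category grouping and the triage threshold are assumptions of this example.

```python
"""Triage the permissions an Android app requests from its decoded manifest.

Added example, not code from Kaspersky or from the Chinotto samples. The
manifest below is constructed; it is not the real Chinotto manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names, grouped by the data they unlock.
# The grouping is this example's assumption, not a rule from the report.
SENSITIVE_GROUPS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "device information": {"android.permission.READ_PHONE_STATE"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE"},
}

# Constructed sample manifest, as apktool or aapt would show it once decoded.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Placeholder"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every android:name on a <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"  # Clark notation for the namespaced attribute
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def sensitive_categories(perms: list[str]) -> dict[str, list[str]]:
    """Map each sensitive data category to the requested permissions that unlock it."""
    perm_set = set(perms)
    hits = {}
    for category, names in SENSITIVE_GROUPS.items():
        matched = sorted(perm_set & names)
        if matched:
            hits[category] = matched
    return hits


def is_surveillance_profile(perms: list[str], threshold: int = 4) -> bool:
    """Flag an app that unlocks at least `threshold` distinct sensitive categories.

    The threshold is an assumed triage value: a messaging app legitimately
    wants SMS and contacts, but SMS plus call logs plus phone state plus the
    microphone together is the profile of a surveillance tool.
    """
    return len(sensitive_categories(perms)) >= threshold


if __name__ == "__main__":
    perms = requested_permissions(SAMPLE_MANIFEST)
    for category, names in sensitive_categories(perms).items():
        print(f"{category:20s} <- {', '.join(names)}")
    print("surveillance-like:", is_surveillance_profile(perms))
```

The same functions run unchanged over any decoded manifest, so the check can sit in a device-management or app-vetting pipeline rather than being applied by hand to one sample.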

"Many journalists, defectors, and human rights activists are targets of sophisticated cyberattacks," they added. "Unlike corporations, these targets typically don't have sufficient tools to protect against and respond to highly skilled surveillance attacks."
