Nation-state Hackers Target Journalists with Goldbackdoor Malware

A campaign by APT37 used sophisticated malware, which appears to be a successor to Bluelight, to steal information about journalists' sources.

Sophisticated hackers believed to be tied to the North Korean government are actively targeting journalists with novel malware dubbed Goldbackdoor. The attacks consist of a multistage infection campaign with the ultimate goal of stealing sensitive information from targets. The campaign is believed to have started in March and is ongoing, researchers have found.

Researchers at Stairwell followed up on an initial report from South Korea’s NK News, which revealed that a North Korean APT known as APT37 had stolen information from the private computer of a former South Korean intelligence official. The threat actor (also known as Ricochet Chollima, InkySquid, Reaper or ScarCruft) attempted to impersonate NK News and distributed what appeared to be novel malware in an attempt to target journalists who were using the official as a source, according to the report.

NK News passed details to Stairwell for further investigation. Researchers from the cybersecurity firm uncovered specific details of the malware, called Goldbackdoor. The malware is likely a successor of the Bluelight malware, according to a report they published late last week.

“The Goldbackdoor malware shares strong technical overlaps with the Bluelight malware,” researchers wrote. “These overlaps, along with the suspected shared development resource and impersonation of NK News, support our attribution of Goldbackdoor to APT37.”

APT37 was previously seen using Bluelight as a secondary payload last August, in a series of watering hole attacks against a South Korean newspaper that exploited known Internet Explorer vulnerabilities.

As Stairwell researchers noted, journalists are “high-value targets for hostile governments,” and are often the target of cyber-espionage attacks. In fact, one of the biggest security stories of last year was various governments’ use of NSO Group’s Pegasus spyware against journalists, among other targets.

“[Journalists] often are aggregators of stories from many individuals–sometimes including those with sensitive access,” Stairwell researchers wrote. “Compromising a journalist can provide access to highly-sensitive information and enable additional attacks against their sources.”

Multi-Stage Malware

The current campaign saga unfolded beginning March 18, when NK News shared “multiple malicious artifacts with the Stairwell threat research team from a spear-phishing campaign targeting journalists who specialize in the DPRK,” researchers wrote. The messages were sent from the personal email of a former director of South Korea’s National Intelligence Service (NIS).

“One of these artifacts was a new malware sample we have named Goldbackdoor, based on an embedded development artifact,” they wrote.

Goldbackdoor is a multi-stage malware that separates the first-stage tooling from the final payload, which allows the threat actor to halt deployment after initial targets are infected, researchers said.

“Additionally, this design may limit the ability to conduct retrospective analysis once payloads are removed from control infrastructure,” they wrote in the report.

The malware, like Bluelight before it, uses cloud service providers for receiving actor commands and exfiltrating data. The sample specifically analyzed by researchers used Microsoft OneDrive and the Microsoft Graph API, while an additional sample, identified by its SHA256 hash, used Google Drive.

Embedded within the malware are a set of API keys used to authenticate against Microsoft’s cloud computing platform Azure and retrieve commands for execution, researchers said.

“Goldbackdoor provides attackers with basic remote command execution, file downloading/uploading, keylogging, and the ability to remotely uninstall,” they wrote. “This functionality and implementation closely match Bluelight; however, the increased focus appears to have been placed on file collection and keylogging.”

Stage One

Goldbackdoor is a sophisticated malware that researchers broke down into two stages. In stage one, a victim must download a ZIP file from a compromised site, https[:]//main[.]dailynk[.]us/regex?id=oTks2&file=Kang Min-chol Edits2.zip, which contains a compressed Windows shortcut (LNK) file that is then executed.

“The domain dailynk[.]us was likely chosen to impersonate NK News (dailynk[.]com),” researchers said, and it had been used by APT37 in a previous campaign.

Stairwell researchers retrieved the ZIP file for analysis from a DNS history of the site, which had already stopped resolving by the time of their investigation. They identified that the file was created on March 17 and contained a 282.7 MB Windows shortcut (LNK) file named “Kang Min-chol Edits,” likely a reference to Kang Min-chol, North Korea’s Minister of Mining Industries.

“The attackers masqueraded this shortcut as a document, using both the icon for Microsoft Word and adding comments similar to a Word document,” researchers wrote.

The attackers also padded the LNK file with 0x90 (NOP, or no-operation) bytes to artificially increase its size, potentially as a means of preventing upload to detection services or malware repositories, researchers said.
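Defensive triage for the padding trick described above, as an added example and not Stairwell's code or tooling: it checks for a valid ShellLink header, measures how much of a .lnk file consists of 0x90 bytes, and flags a file whose size is dominated by them. The thresholds and the constructed sample file are assumptions, not values from the report.

```python
# Added example (not from Stairwell's report): heuristic triage of a Windows
# shortcut (.lnk) that has been padded with 0x90 bytes to inflate its size.
import struct

LNK_HEADER_SIZE = 0x4C
# ShellLink header CLSID {00021401-0000-0000-C000-000000000046}, serialized little-endian.
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
NOP = 0x90


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a well-formed ShellLink (.lnk) header."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def trailing_run(data: bytes, value: int = NOP) -> int:
    """Length of the run of `value` bytes at the very end of the file."""
    return len(data) - len(data.rstrip(bytes([value])))


def assess_lnk(data: bytes, size_threshold: int = 1_000_000,
               pad_ratio_threshold: float = 0.5) -> dict:
    """Flag an LNK whose size is dominated by a single padding byte.

    Legitimate shortcuts are a few KB; the thresholds here are assumed
    starting points for a triage rule, not values taken from the report.
    """
    result = {"is_lnk": is_lnk(data), "size": len(data),
              "nop_ratio": 0.0, "trailing_nop_run": 0, "suspicious": False}
    if not result["is_lnk"] or not data:
        return result
    result["nop_ratio"] = data.count(NOP) / len(data)
    result["trailing_nop_run"] = trailing_run(data)
    result["suspicious"] = (len(data) > size_threshold
                            and result["nop_ratio"] > pad_ratio_threshold)
    return result


def build_sample_lnk(pad_len: int) -> bytes:
    """Constructed sample, not a real file: minimal header, short body, NOP padding."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    body = b"\x00" * 64  # stand-in for the real shortcut structures
    return header + body + bytes([NOP]) * pad_len


if __name__ == "__main__":
    for pad in (0, 2_000_000):
        print(assess_lnk(build_sample_lnk(pad)))
```

The same ratio check can be run on any incoming LNK attachment; a file that is mostly one byte value, whatever that value is, deserves a closer look even if it is below the size threshold.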

Once executed, the LNK executes a PowerShell script that writes and opens a decoy document before starting the deployment process of Goldbackdoor, researchers said.

Stage Two

After deploying the decoy document, the PowerShell script decodes a second PowerShell script, which then downloads and executes an XOR-encoded shellcode payload, named “Fantasy,” stored on Microsoft OneDrive.

That Fantasy payload is the second stage of the malware’s process, and the first of a two-part final process for deploying Goldbackdoor, researchers said.

“Both parts are written in position-independent code (shellcode) containing an embedded payload, and use process injection to deploy Goldbackdoor,” they wrote.

Fantasy parses and decodes the payload and uses a standard process involving VirtualAllocEx, WriteProcessMemory and RtlCreateUserThread to spawn a thread under the previously created process in order to execute it, researchers said.

The final dropper is a shellcode payload running as that thread in a process created by Fantasy to execute the final deployment of the malware.

“The payload delivered by this stage is a Windows Portable Executable (PE) file for Goldbackdoor,” researchers wrote.
