Goldbackdoor Malware

An APT (Advanced Persistent Threat) group believed to have ties to the North Korean government has been targeting journalists with a new, sophisticated backdoor threat named the Goldbackdoor malware. The hacker group is tracked by cybersecurity organizations under several different names: APT37, InkySquid, Reaper, ScarCruft and Ricochet Chollima.

The threatening operation is believed to have started at some point in March 2022 with the primary goal of collecting sensitive information from the targets. So far, infosec researchers have identified that data has been taken from the private computer of a former South Korean intelligence official. The operation begins with spear-phishing attempts, where the hackers pose as the legitimate NK News entity.

Details about the Goldbackdoor Malware

Analysis of the threat carried out by researchers has revealed that Goldbackdoor is a multi-stage malware with an expanded set of threatening capabilities. Due to the significant similarities and overlap within the code and its behavior, the experts state that the new threat is most likely a successor of the Bluelight malware, one of the harmful instruments used by APT37 in the past.

The hackers have split the threat's operation into a first tooling stage and a second stage in which the final payload is delivered. This design lets the attackers halt the operation after the initial successful infection of the targeted devices, and it makes retrospective analysis of the threat, once the payloads have been removed from the infrastructure, that much harder.

Once enabled, Goldbackdoor provides the threat actors with the ability to execute remote commands, exfiltrate data, collect files or download additional ones to the breached machine, establish keylogging routines and more. The hackers can also instruct the threat to uninstall itself remotely from the compromised system. To receive incoming commands from the hackers, Goldbackdoor utilizes cloud service providers and comes equipped with a set of API keys that allow it to authenticate against Microsoft's Azure cloud computing platform.
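Using a legitimate cloud platform as the command channel means the destination host on its own is a weak indicator: the same Azure endpoints carry ordinary browser and OneDrive traffic. What a defender can key on is which process opened the connection and how often. The following Python is an added illustration and is not code from the threat report or from the researchers who analysed Goldbackdoor; the log lines, process names, hostnames and the endpoint watchlist are all constructed for the example and are not indicators taken from the page.

```python
"""Flag non-baseline processes that reach cloud API endpoints.

Added illustration: a backdoor tasked through a cloud provider hides in
normal traffic, so the signal is the connecting process, not the host.
Everything below (events, process names, watchlist) is constructed.
"""
import re
from collections import Counter

# Assumed watchlist of cloud endpoints a backdoor could use as a tasking channel.
# Entries starting with "." match any subdomain; others match exactly.
CLOUD_API_SUFFIXES = (
    ".blob.core.windows.net",      # Azure Blob Storage accounts
    "graph.microsoft.com",         # Microsoft Graph (OneDrive / SharePoint data)
    "login.microsoftonline.com",   # Azure AD token endpoint
)

# Assumed per-environment baseline of executables expected to talk to those endpoints.
EXPECTED_CLIENTS = {"firefox.exe", "chrome.exe", "msedge.exe", "onedrive.exe", "azcopy.exe"}

# Constructed, Sysmon-event-3-style records: timestamp, image path, destination host.
SAMPLE_EVENTS = [
    r"2022-03-14T09:02:11Z image=C:\Program Files\Mozilla Firefox\firefox.exe dst=contoso.blob.core.windows.net",
    r"2022-03-14T09:03:40Z image=C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe dst=graph.microsoft.com",
    r"2022-03-14T09:05:02Z image=C:\Users\jdoe\AppData\Roaming\Updater\svchost-update.exe dst=login.microsoftonline.com",
    r"2022-03-14T09:05:03Z image=C:\Users\jdoe\AppData\Roaming\Updater\svchost-update.exe dst=example-sync.blob.core.windows.net",
    r"2022-03-14T09:10:03Z image=C:\Users\jdoe\AppData\Roaming\Updater\svchost-update.exe dst=example-sync.blob.core.windows.net",
    r"2022-03-14T09:15:04Z image=C:\Users\jdoe\AppData\Roaming\Updater\svchost-update.exe dst=example-sync.blob.core.windows.net",
    r"2022-03-14T09:16:00Z image=C:\Windows\System32\notepad.exe dst=www.example.com",
    "this line is malformed and must be skipped",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+image=(?P<image>.+?)\s+dst=(?P<dst>\S+)$")


def parse_event(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    image = m.group("image")
    exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return {"ts": m.group("ts"), "image": image, "exe": exe, "dst": m.group("dst").lower()}


def is_cloud_api(host):
    """True if host is on the watchlist (exact match, or any subdomain for dotted entries)."""
    for pattern in CLOUD_API_SUFFIXES:
        if pattern.startswith("."):
            if host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def find_unexpected_cloud_clients(lines, min_connections=1):
    """Return {(exe, host): count} for non-baseline processes that reached watchlisted hosts.

    min_connections lets an analyst suppress one-off hits and surface repeated
    check-ins, which is what a polling command channel looks like in the logs.
    """
    hits = Counter()
    for line in lines:
        event = parse_event(line)
        if event is None or not is_cloud_api(event["dst"]):
            continue
        if event["exe"] in EXPECTED_CLIENTS:
            continue
        hits[(event["exe"], event["dst"])] += 1
    return {key: count for key, count in hits.items() if count >= min_connections}


if __name__ == "__main__":
    for (exe, host), count in sorted(find_unexpected_cloud_clients(SAMPLE_EVENTS).items()):
        print(f"{exe} -> {host}: {count} connection(s)")
```

Run as-is it reports only the constructed `svchost-update.exe` process, once for the token endpoint and three times for the storage host; the browser and OneDrive connections to the same providers are suppressed by the baseline. The baseline set and the endpoint watchlist are the two knobs to tune per environment: too small a baseline produces noise from legitimate cloud clients, and a watchlist missing a provider misses a channel entirely.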
