Torisma Spyware Description
Torisma is a spyware tool used as the second-stage payload in an attack campaign attributed to North Korean state-sponsored hacking groups. The attacks specifically targeted aerospace and defense contractors based in Russia and India, as well as ISPs (Internet Service Providers) in Australia, Israel and Russia.
Before deploying Torisma, the hackers used a first-stage malware to determine whether the victim was on a list of particular entities of interest. This implant first gathers system data such as the IP address, date and user name and compares it against its list of predetermined targets. The tactic allows the hackers to minimize the footprint of their malware tools on compromised machines and to fully set up their operations only on the intended targets.
Once started, Torisma can execute custom shellcode while it actively monitors the system for newly attached drives and for any remote desktop connections being initiated.
Legitimate Websites Hacked in Torisma Distribution Campaign
To distribute Torisma, the North Korean hackers used spear-phishing emails carrying weaponized documents disguised as job offers. The attackers abused legitimate job recruitment material from popular US defense contractor websites to make the malicious attachments appear as genuine as possible and to entice victims into executing them. In addition, some Command-and-Control (C2, C&C) operations were run through legitimate websites that had been compromised. The affected websites were located in the US or Italy and belonged to a printing company, an auction house and an IT training firm.