Cybersecurity researchers have uncovered a new backdoor known as WhiskerSpy, which has been deployed by a relatively new but advanced threat actor group named Earth Kitsune. This group has become well-known for targeting individuals who have demonstrated an interest in North Korea.
To execute their attack, the Earth Kitsune group has utilized a method known as a watering hole attack, which is a proven and effective tactic for gaining access to a target's system. In this attack, the threat actors identify a website that is frequently visited by their targeted audience and infect it with malware that enables them to gain access to the visitors' devices when they visit the site. In this specific case, the website that was compromised is a pro-North Korea website, which is frequently visited by individuals who are interested in the country.
Security researchers have been monitoring Earth Kitsune's activities since 2019 and discovered this latest campaign towards the end of the previous year. This discovery is significant, as it highlights the fact that even relatively new threat actors are becoming increasingly advanced and pose a significant threat to individuals and organizations alike.
The WhiskerSpy Infection Uses a Watering Hole Attack Tactic
The WhiskerSpy backdoor is delivered to visitors who attempt to watch videos on the compromised website. The attacker injected a malicious script into the site that prompts visitors to install a video codec supposedly required to play the displayed video. To avoid detection, the attacker modified a legitimate codec installer so that it ultimately loads a previously unseen backdoor on the victim's system.
According to researchers, the threat actors targeted only visitors to the website whose IP addresses were located in Shenyang (China), Nagoya (Japan) and Brazil. It is suspected that Brazil was used to test the watering hole attack over a VPN connection, and that the real targets were visitors from the two cities in China and Japan. Relevant victims received a fake error message prompting them to install a codec to watch the video. In reality, the "codec" was an MSI package that installed shellcode on the victim's computer, triggering a series of PowerShell commands that ultimately deployed the WhiskerSpy backdoor.
In this campaign, Earth Kitsune used several persistence techniques to remain undetected. One is abuse of Google Chrome's native messaging host feature through a malicious extension named Google Chrome Helper, which caused the payload to execute every time the browser started. Another relies on OneDrive DLL side-loading: a malicious file masquerading as 'vcruntime140.dll' is dropped into the OneDrive directory so that it is loaded in place of the legitimate runtime library.
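Both persistence mechanisms leave artifacts a defender can check for. The following added example (not code from the researchers or the report) parses a Chrome native messaging host manifest, the JSON file that Chrome reads to decide which local program an extension may launch, and flags hosts that point to a script interpreter or live outside Program Files; it also flags a 'vcruntime140.dll' sitting in a user-writable OneDrive folder. The trusted roots, interpreter list and sample manifests are assumptions constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Assumption: on a managed workstation, legitimate native messaging hosts are
# installed under Program Files; anything in the user profile or Temp deserves review.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
# A messaging host whose "path" is a script interpreter is a launcher, not a host.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}


def assess_manifest(manifest_json: str) -> list:
    """Return the reasons a native messaging host manifest looks suspicious (empty = clean)."""
    m = json.loads(manifest_json)
    findings = []
    path = PureWindowsPath(m.get("path", ""))
    if path.name.lower() in SCRIPT_HOSTS:
        findings.append("host path is a script interpreter: " + path.name)
    if not str(path).lower().startswith(TRUSTED_ROOTS):
        findings.append("host binary outside trusted roots: " + str(path))
    if m.get("type") != "stdio":  # Chrome only supports stdio hosts
        findings.append("unexpected host type: " + str(m.get("type")))
    origins = m.get("allowed_origins", [])
    if not origins or any(not o.startswith("chrome-extension://") for o in origins):
        findings.append("allowed_origins missing or malformed")
    return findings


def sideload_candidates(filenames) -> list:
    """Flag runtime DLL names that should never live in a user-writable OneDrive folder."""
    watch = {"vcruntime140.dll"}
    return sorted(f for f in filenames if f.lower() in watch)


# Constructed sample manifests; these are not artifacts from the campaign.
BENIGN = json.dumps({"name": "com.example.host", "description": "vendor host",
    "path": "C:\\Program Files\\Vendor\\host.exe", "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]})
SUSPECT = json.dumps({"name": "com.helper.host", "description": "Google Chrome Helper",
    "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]})

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, assess_manifest(manifest) or "clean")
    print(sideload_candidates(["report.docx", "VCRUNTIME140.dll"]))
```

On a real host, feed the script the manifests referenced from HKCU\Software\Google\Chrome\NativeMessagingHosts and the files in the user's OneDrive directory.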
WhiskerSpy Has an Expansive List of Threatening Functionalities
WhiskerSpy is the final payload deployed in the Earth Kitsune attack campaign. The backdoor gives remote operators an interactive shell and the ability to download, upload, delete and list files, take screenshots, load executables and inject shellcode into a process.
To protect communication with the command and control (C2) server, WhiskerSpy encrypts traffic with a 16-byte AES key. The backdoor periodically connects to the C2 server to report its status, and the server may respond with instructions for the malware, such as executing shell commands, injecting code into another process, exfiltrating specific files or taking screenshots.
Researchers have also discovered an earlier version of WhiskerSpy that used FTP instead of HTTP for C2 communication. This older variant checked for the presence of a debugger upon execution and reported the corresponding status code to the C2. These findings highlight the constant evolution of malware as attackers adapt and refine their tools and techniques to evade detection and increase their effectiveness, and they emphasize the need for robust and up-to-date security measures to protect against such threats.