WhiskerSpy malware gets spread via a watering hole attack tactic

March 2, 2023

A new cybercriminal campaign has been observed in the wild, allegedly launched by the ‘Earth Kitsune’ hacking group, which was seen deploying the ‘WhiskerSpy’ malware against its targets. In this new campaign, the threat group used the watering hole attack tactic to infect the visitors of a pro-North Korea website.

The Earth Kitsune operators spread WhiskerSpy by tricking the website's visitors into installing a video codec that was supposedly needed to play a video hosted on the site. They achieved this by compromising the website and injecting a malicious script into it.

As part of this attack, the Earth Kitsune operators modified an authentic codec installer to evade detection. The new backdoor's features include listing, downloading, uploading, and deleting files; taking screenshots; loading executables and calling their exports; injecting shellcode into a process; and providing an interactive shell.

Site visitors from Shenyang, China, Nagoya, Japan, and Brazil are the most common targets of the WhiskerSpy malware.

Based on observations, the Brazilian site visitors were only involved in the campaign as guinea pigs, while the attackers' real targets were those from China and Japan. A fake error prompt is displayed on the targets' screens that asks them to install the codec in order to watch any video on the pro-North Korea website.

Once the victims run the downloaded codec installer, it deploys the malware on their machines and promptly starts the malicious activity directed by the remote operators. The attackers set up a command-and-control server that periodically receives updates from the malware and sends it instructions, such as executing shell commands, stealing files, taking screenshots, and more.

To gain persistence, Earth Kitsune abuses Google Chrome's native messaging host mechanism and installs a malicious browser extension called 'Google Chrome Helper', which re-launches the malware whenever the victims restart their browser.
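Chrome locates a native messaging host through a small JSON manifest (on Windows its path is registered under HKCU or HKLM `Software\Google\Chrome\NativeMessagingHosts\<name>`; on macOS and Linux the manifests sit in the profile's `NativeMessagingHosts` directory). The manifest names the host binary Chrome will spawn and the extension IDs allowed to talk to it, so it is the natural place for a defender to look for the persistence described above. The following audit script is an added example, not code from the article or from the researchers who analysed WhiskerSpy; the trusted install prefixes, the user-writable path markers, and the two sample manifests are constructed assumptions that you would adapt to your own environment.

```python
"""Audit Chrome native messaging host manifests for persistence abuse.

Added example: parses the manifest JSON that Chrome reads for each registered
native messaging host and flags entries whose host binary lives in a
user-writable location or that are reachable by an extension not on an
allow-list. Sample manifests at the bottom are constructed, not real IoCs.
"""
import json
import re
from pathlib import Path

# Where legitimately installed host binaries normally live (assumption:
# adjust to the software inventory of your environment).
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "/usr/lib/", "/usr/local/lib/", "/opt/", "/applications/",
)

# Path fragments that indicate a user-writable drop location.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\",
    "/tmp/", "/.cache/", "/downloads/",
)

# allowed_origins entries must be chrome-extension://<32 chars a-p>/
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")
ABSOLUTE_RE = re.compile(r"^(?:[a-z]:\\|/)")


def audit_manifest(text, allowed_extension_ids=frozenset()):
    """Return a list of findings for one manifest; an empty list means clean."""
    findings = []
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"unparseable manifest: {exc}"]

    for key in ("name", "path", "type", "allowed_origins"):
        if key not in manifest:
            findings.append(f"missing required field '{key}'")

    if manifest.get("type") != "stdio":
        findings.append(f"unexpected type {manifest.get('type')!r}; Chrome only supports 'stdio'")

    path = str(manifest.get("path", "")).lower()
    if path:
        if not ABSOLUTE_RE.match(path):
            # On Windows a relative path is resolved against the manifest's directory.
            findings.append(f"relative host path (resolve against manifest directory): {path}")
        elif not path.startswith(TRUSTED_PREFIXES):
            if any(marker in path for marker in USER_WRITABLE_MARKERS):
                findings.append(f"host binary in user-writable location: {path}")
            else:
                findings.append(f"host binary outside trusted install directories: {path}")

    for origin in manifest.get("allowed_origins", []):
        match = ORIGIN_RE.match(str(origin))
        if not match:
            findings.append(f"malformed allowed_origins entry: {origin!r}")
        elif match.group(1) not in allowed_extension_ids:
            findings.append(f"host reachable by extension not on allow-list: {match.group(1)}")
    return findings


def audit_directory(directory, allowed_extension_ids=frozenset()):
    """Audit every *.json manifest in a NativeMessagingHosts directory."""
    results = {}
    for manifest_file in Path(directory).glob("*.json"):
        results[manifest_file.name] = audit_manifest(
            manifest_file.read_text(encoding="utf-8"), allowed_extension_ids)
    return results


# Constructed sample manifests (not real indicators).
KNOWN_EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop"
BENIGN_MANIFEST = json.dumps({
    "name": "com.example.screenshare",
    "description": "constructed sample of a vendor-installed host",
    "path": "C:\\Program Files\\Example\\screenshare_host.exe",
    "type": "stdio",
    "allowed_origins": [f"chrome-extension://{KNOWN_EXTENSION_ID}/"],
})
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "com.example.codec.helper",
    "description": "constructed sample of a host dropped into the user profile",
    "path": "C:\\Users\\alice\\AppData\\Roaming\\codec\\host.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"],
})

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, audit_manifest(text, {KNOWN_EXTENSION_ID}) or ["clean"])
```

Run `audit_directory` against the per-user and system-wide manifest directories (and, on Windows, against the manifest paths read out of the registry keys above); a host whose binary sits under the user's profile and whose only allowed origin is an extension you did not deploy is exactly the kind of entry that deserves an analyst's attention.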

Security researchers are still not completely certain whether the Earth Kitsune hacking group is behind this new campaign. However, the observed details match activity from the group's previous campaigns, which led the researchers to attribute it to the group.
