Table of Contents
Recently a new backdoor was discovered by researchers targeting individuals who show interest in North Korea. The victims were visitors to a pro-North Korea website. The attacker group behind this has been targeting victims since 2019. The threat group is using the watering hole attack method to compromise North Korean related websites, and browser exploits will be injected into them.
We will walk through what is the new WhiskerSpy Backdoor, who is behind these attacks, and what is a watering hole attack in this post.
What is Watering Hole Attack?
The term watering hole attack comes from hunting. Instead of going and finding prey for hunting, the hunter waits for where the prey might come from. It can be most commonly a body of water- the watering hole.
In this case of cyber attack, instead of finding the users or victims, the attacker infects the website where the victims are supposed to visit. These infected websites will eventually compromise the user’s system and might reach the user’s workplace.
If the attacker is not targeting the victim directly, then let’s see how the attackers are executing this attack.
Identifying a website that the victim might visit more frequently
These targeted websites will be of low security and popular with the victims
The targeted site will be compromised, and a malicious code payload will be injected
When this site is visited by the victim, the payload is triggered, and the system will be infected
This exploit payload can be anything. It may be automatic or generate a prompt before downloading
Once the payload is successfully deployed, the attackers can access the information from the compromised system.
Credits: Tech Target
What is The New WhiskerSpy Backdoor and Who is Behind This Attack?
By the end of 2022, it was discovered that many of the North Korean sites had been compromised and modified by injecting malicious codes into the website. When the targeted victims visited the website, a prompt appeared showing a video codec error and leading to downloading and installing a tokenized codec installer. This installer was configured to load a new backdoor, ‘the WhiskerSpy Backdoor’. The threat actor was also observed achieving persistence by abusing chromes native messaging host.
The WhiskerSpy infection chain. Source: Trend Micro
The attacker group behind these attacks is identified to be an advanced persistent threat actor known as Earth Kitsune. This group has been active since 2019, doing multiple malicious activities, developing and distributing backdoors, especially targeting the people interested in North Korea.
Technical Analysis
By the end of 2022, Trend Micro researchers observed that a malicious code was injected into the video pages of a pro-North Korean website. The site showed an error message redirecting the victims to install a malicious payload that is camouflaged as an Advanced Video Codec – AVC1.
Source: Trend Micro
This attack was targeted only to some users, i.e., if the visitor is not from the targeted IP addressed, the pop-up with malicious payload won’t appear. This made it more difficult to identify the attack. The targeted victim Ip’s are mainly from China, Japan, and Brazil.
The patched installer file is an MSI file that contains another NSIS installer. The attacker abused a legitimate installer (windows.10.codec.pack.v2.1.8.setup.exe) and patched malicious shell code into it. This shell code can additionally download different stages of malware by running several PowerShell commands.
The attacker tried to maintain persistence through multiple methods like using one drive side loading vulnerabilities, using malicious google chrome extensions, etc. The main backdoor loader was named as WhiskerSpy.
WhiskerSpy- The Main Payload
WhiskerSpy exchanges the encryption key between the server and client using elliptic-curve cryptography (ECC). Some of the implemented backdoor commands are:
interactive shell
downloading file
uploading file
deleting the file
listing the files
taking screenshots
load the executable and call its export
inject shellcode into the processThis back door generates a random 16-byte AES key for communicating with the command-and-control server.
MITRE ATT&CK Identifiers
T1005 (Data from Local System)
T1027 (Obfuscated Files or Information)
T1036 (Masquerading)
T1037.005 (Startup Items)
T1055 (Process Injection)
T1059.001 (PowerShell)
T1083 (File and Directory Discovery)
T1105 (Ingress Tool Transfer)
T1106 (Native API)
T1113 (Screen Capture)
T1176 (Browser Extensions)
T1185 (Browser Session Hijacking)
T1189 (Drive-by Compromise)
T1190 (Exploit Public-Facing Application)
T1204.002 (Malicious File)
T1485 (Data Destruction)
T1573 (Encrypted Channel)
Please find the IOCs here
SHA 256
| CE7016067C97421E3050FA8BD7F1950E0707E6DEEAC20003F5F30F1C58F435BC | Trojan.JS.SLUB.A |
| 1C24D9013B3EAE373FC28D40F9E475E1DD22C228E8F1E539ED9229E21807839D | Trojan.Win32.SLUB.AA |
| 076BA1135B2F9F4DBC38E306DC533AF71B311C1DC98788C18253448FCA096C46 | Trojan.Win32.SLUB.AA |
| 371CFA10A7262438E5BC0694BA5628EB21E044DC8173710DF51826DAFA11E300 | Trojan.Win32.SLUB.B |
| E01399D47CDA45F1AF496FA460F20620A5B08C39714875FE292A5FC3D1C7A215 | Trojan.Win32.SLUB.B |
| 6F0A0AC477C73C2533A39CB3D8FBF45365761D11B7368460964A4572E91C5FCB | Trojan.Win64.SLUB.B |
| C357E572DD7C618C54F8333313266A8A9CF07C1038D6B2F711CDBAE714BC2654 | Trojan.JS.SLUB.A |
| 902902B5457C6945C2B3878521D23D05D448DE179D19761C718FB67C15A4BCC0 | Trojan.Win64.SLUB.B |
| 20C214D58CCFB5AD797F1A02667078D182629AC7E157162566C123519E039D55 | Trojan.Win32.SLUB.B |
| 3D62E122E31D7929E76633773D752B8BEE31462BB79CB5B8B7C6952341E93482 | Trojan.Win32.SLUB.B |
| 66C8E0ACFE030C4EEC474CD75C4D831601DAE3EF4E1CEF78B624DE3C346C186D | Trojan.Win32.SLUB.B |
| C78CB41F4FB4E5F5476EB2C1414F138643494C2B8ABE2CF539FAFC54199E2AEF | Trojan.Win32.SLUB.B |
| FBAC7B40A12970CDCC36F48945BEB83BF9461F14C59CB8106AD8E43E5D22A970 | Trojan.Win32.SLUB.B |
| 7365F661AD9E558FDD668D3563E0A1B85CCF1A543BE51CB942DB508F9CCBCF5E | Trojan.Win32.SLUB.B |
| 3D4107C738B46F75C5B1B88EF06F82A5779DDD830527C9BECC951080A5491F13 | Backdoor.Win64.WHISKERSPY.A |
| 84E9BCC055225BD50534147E355834325B97AD948C3A10D792928B48C56C1712 | Backdoor.Win64.WHISKERSPY.A |
| EFFA1AE32DBCF6BC64A5025BCA4F4C41572439B69EDD58B5F78952A407CEB5DF | Backdoor.Win32.WHISKERSPY.A |
Domain
| microsoftwindow[.]sytes[.]net |
| updategoogle[.]servehttp[.]com |
| londoncity[.]hopto[.]org |
| windowsupdate[.]sytes[.]net |
| florida[.]serveblog[.]net |
| googlemap[.]hopto[.]org |
| liveupdate[.]servepics[.]com |
| chromecast[.]hopto[.]org |
| googlemap[.]serveblog[.]net |
| selectorioi[.]ddns[.]net |
| rs[.]myftp[.]biz |
Conclusion
This is a very interesting attack the technologies used in this attack are IP address, Cryptography, JavaScript, etc., and the attack vectors include Shell Code, Social Engineering, and Watering hole attack. These kinds of attacks can be prevented by creating proper defense-in-depth technologies and educating users not to fall for such attacks.
I hope this article helped you learn more about the new WhiskerSpy Backdoor, who is behind these attacks, and what is a watering hole attack. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
Aroma Rose Reji
Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
