Cyber security researchers keep discovering new malware, and this case is no different: newly discovered spyware targets both Windows and Android at the same time.
The software spies on Windows and Android
Malware called Chinotto has been detected by Kaspersky researchers. They believe it is being used by a cybercriminal group known as ScarCruft to track North Korean defectors and journalists covering North Korea-related news.
One victim’s device was infected with the PowerShell variant of the malware. Evidence was found that it had stolen the victim’s data and that the victim had been under surveillance for several months. The attacker also attempted to send spear-phishing emails, using the stolen credentials, to the victim’s collaborators at companies with North Korea-related business.
Additional malware was detected based on findings from the victim machine. The attackers used three types of malware with similar functions: versions implemented in PowerShell, as Windows executables, and as Android applications. Although they are built for different platforms, they share a similar command-and-control scheme based on HTTP communication, so the operators can control the entire malware family with a single set of command-and-control scripts.
The APT operator controls the malware through a PHP script on a compromised web server and steers the implants via HTTP parameters. The researchers also managed to obtain several log files from the compromised servers. From these files they identified additional victims in South Korea and further infected web servers that ScarCruft had used since the beginning of 2021. In addition, older variants of the malware, delivered via HWP documents and dating back to mid-2020, were detected.
An exemplary attack process
Before spear-phishing a potential victim with a malicious document, the attacker contacted the victim’s friend using a stolen Facebook account. The attacker already knew the potential target had North Korea-related business and inquired about its current state. After the conversation on social media, the attacker sent the potential victim a spear-phishing email from a stolen email account. The use of stolen Facebook and personal email accounts in these attacks shows a high level of sophistication.
After the Facebook conversation, the potential target received a spear-phishing email from the attacker. It contained a password-protected RAR archive, with the password given in the body of the email. The RAR file contained a malicious Word document.
This document contains a malicious macro and the payload for a multi-stage infection process. The first-stage macro creates another macro as the second stage. If no antivirus software is installed, the macro proceeds directly to decrypting the next-stage payload. To do this it uses a variation of the substitution method: for each character of the encrypted string, the script looks up that character’s position in a second (lookup) string, then takes the character at the same position in the first (output) string as the decrypted character. The infection chain eventually ends in notepad.exe.
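As an added illustration (not code from the article or from the malware itself), the two-string substitution decoding described above re-implemented in Python the way an analyst would to decode strings pulled out of such a macro; the two alphabets and the sample ciphertext are constructed for this example, and the handling of characters missing from the lookup string is an assumption:

```python
"""Analyst re-implementation of the two-string substitution decoding
described for the first-stage macro: for each ciphertext character, find
its index in a LOOKUP string, then emit the character at that index in an
OUTPUT string.  Alphabets and sample below are constructed, not taken
from any real document."""

# Constructed alphabets: OUTPUT is the "first string" (plaintext side),
# LOOKUP the "second string" (ciphertext side); here a 13-position rotation.
OUTPUT = "abcdefghijklmnopqrstuvwxyz."
LOOKUP = OUTPUT[13:] + OUTPUT[:13]   # "nopqrstuvwxyz.abcdefghijklm"

# Constructed sample: encode("notepad.exe", LOOKUP, OUTPUT)
SAMPLE_ENCRYPTED = ".afrbnqmrjr"


def build_table(lookup: str, output: str) -> dict:
    """Build the ciphertext->plaintext map and check it is well defined.

    The scheme only works if both strings have the same length and the
    lookup string has no repeated characters; otherwise the index found
    for a character would be ambiguous and decoding would be wrong."""
    if len(lookup) != len(output):
        raise ValueError(f"alphabet length mismatch: {len(lookup)} vs {len(output)}")
    if len(set(lookup)) != len(lookup):
        raise ValueError("lookup alphabet contains duplicate characters")
    return {c: output[i] for i, c in enumerate(lookup)}


def decode(encrypted: str, lookup: str, output: str) -> str:
    """Decode exactly as described: index in lookup -> char in output.
    Characters absent from the lookup string are passed through unchanged
    (assumption: the article does not say how the macro treats them)."""
    table = build_table(lookup, output)
    return "".join(table.get(c, c) for c in encrypted)


def encode(plaintext: str, lookup: str, output: str) -> str:
    """Inverse mapping (output -> lookup), useful to confirm a recovered
    alphabet pair round-trips and to produce test strings."""
    inverse = {p: c for c, p in build_table(lookup, output).items()}
    return "".join(inverse.get(c, c) for c in plaintext)


if __name__ == "__main__":
    print(decode(SAMPLE_ENCRYPTED, LOOKUP, OUTPUT))   # notepad.exe
```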
Source: Securelist, TechRadar