The Advanced Persistent Threat (APT) actor tracked as Earth Kitsune has been observed using a watering hole attack to distribute a new backdoor.
Researchers at Trend Micro have been tracking this relatively new APT group since it appeared in 2019, when it was distributing self-developed backdoors primarily to targets with an interest in North Korea. The most recently detected backdoor, dubbed WhiskerSpy, is attributed to Earth Kitsune because its operational methods, techniques and victimology closely resemble those of the group's earlier backdoors.
The APT group uses a watering hole attack to infect its targets with the malware. In a watering hole attack, the attacker compromises one or more legitimate websites that the targeted group is likely to visit, with the aim of infecting visitors through exploit kits, vulnerabilities or drive-by downloads. For the WhiskerSpy campaign, a pro-North Korean website was compromised and modified to infect specific visitors. When a target attempts to watch videos on the website, a malicious script displays a message stating that a video codec error occurred and prompts the user to download and install a malicious Advanced Video Codec (AVC1) installer. The script only targets visitors whose IP addresses are located in Shenyang, China; Nagoya, Japan; and Brazil. The researchers found that the Brazilian IP addresses belonged to a commercial VPN, which suggests that the threat actors used this VPN service to test their watering hole attack.
The AVC1 installer is a Microsoft Software Installer (MSI) package that wraps a Nullsoft Scriptable Install System (NSIS) installer. The threat actors modified a legitimate installer (windows.10.codec.pack.v2.1.8.setup.exe) to include their malicious shellcode. The shellcode executes several PowerShell commands that download and drop the stealthy WhiskerSpy backdoor.
For persistence, the installer drops the file bg.jpg under the name vcruntime140.dll in the Microsoft OneDrive directory. This file injects the embedded payload into the werfautl.exe process and acts as the loader for the main backdoor. The technique abuses a DLL side-loading weakness in Microsoft OneDrive: a fake DLL placed in the OneDrive directory is loaded by the legitimate application, which gives the malware persistence. The installer also drops several malicious Google Chrome components, including a Chrome extension installer (installer.exe), a native messaging host (NativeApp.exe) and the extension files themselves (background.js, manifest.json and icon.png). The native messaging host communicates with the Chrome extension over standard input and standard output. The background.js file registers a listener that sends an inject command to the native messaging host; this serves as an unusual persistence mechanism, since the malicious payload is executed every time the Chrome browser is started.
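As an added, constructed example (not code from the Trend Micro report or from the CIRT), the following Python audit inspects a Chrome native messaging host manifest, the JSON file that tells Chrome which binary to launch and which extension may talk to it, and flags the traits described above: a host binary registered from a user-writable location such as the OneDrive folder, or a host reachable by an extension that is not on a locally maintained allow-list. The trusted directories, the approved extension ID and the sample manifest are assumptions made for the example.

```python
import json
import re
from pathlib import PureWindowsPath

# Directories a legitimate native host binary is normally launched from
# (assumption for this example; adjust to the environment's software baseline).
TRUSTED_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)")
# Extension IDs approved to talk to native hosts (placeholder value, assumed).
APPROVED_EXTENSIONS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
# Chrome extension IDs are 32 characters drawn from the range a-p.
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")


def audit_manifest(manifest_text: str) -> list:
    """Return human-readable findings for one native messaging host manifest."""
    findings = []
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return [f"manifest is not valid JSON: {exc}"]

    path = str(PureWindowsPath(manifest.get("path", "")))
    if not any(path.lower().startswith(d.lower()) for d in TRUSTED_DIRS):
        findings.append(f"host binary outside trusted directories: {path}")
    # WhiskerSpy stages its loader in the OneDrive folder; a host there is a red flag.
    if "onedrive" in path.lower():
        findings.append("host binary located under a OneDrive folder")
    if manifest.get("type") != "stdio":
        findings.append(f"unexpected transport type: {manifest.get('type')!r}")
    for origin in manifest.get("allowed_origins", []):
        match = ORIGIN_RE.match(origin)
        if not match:
            findings.append(f"malformed allowed origin: {origin}")
        elif match.group(1) not in APPROVED_EXTENSIONS:
            findings.append(f"unapproved extension may launch host: {match.group(1)}")
    return findings


# Constructed sample resembling what a trojanized installer might register
# (name, path and extension ID are placeholders, not real indicators).
SAMPLE_SUSPICIOUS = json.dumps({
    "name": "com.example.nativeapp",
    "path": r"C:\Users\victim\OneDrive\NativeApp.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
})

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_SUSPICIOUS):
        print("finding:", finding)
```

On Windows the manifests to feed into this function are located through the NativeMessagingHosts registry keys under HKCU and HKLM, so a user-level registration pointing at a OneDrive path is a useful hunting lead.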
The installer also drops a shellcode file, Help.jpg, which is responsible for loading the main backdoor, WhiskerSpy. The WhiskerSpy malware has the following capabilities:
load executable and call its export
inject shellcode into a process
The backdoor uses a 16-byte Advanced Encryption Standard (AES) key to encrypt communication with its command and control (C2) server. The malware periodically checks the C2 server for updates and instructions.
Indicators of Compromise
For a list of SHA-256 hashes of the installer, backdoor dropper and WhiskerSpy, and the C2 domains, refer to the link below:
Given the APT group's use of watering hole attacks to compromise its targets, it is recommended to:
Raise awareness of these types of attacks – Educate users about compromised websites and how they may attempt to infect devices through social engineering, vulnerabilities or drive-by downloads.
Keep systems and antivirus software up to date – Watering hole attacks can exploit vulnerabilities in your software to compromise your devices. Keeping software updated regularly with the latest security patches can significantly help reduce the risk of an attack.
Monitor network and web traffic – It is recommended to monitor all incoming and outgoing web traffic and network activity for abnormalities that could indicate an attack or compromise.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
Toulas, B. (2023, February 18). New WhiskerSpy malware delivered via trojanized codec installer. Retrieved from BleepingComputer. https://www.bleepingcomputer.com/news/security/new-whiskerspy-malware-delivered-via-trojanized-codec-installer/
Chen, J. and Horejsi, J. (2023, February 17). Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack. Retrieved from Trend Micro. https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html