At a glance.
- Earth Kitsune uses watering-hole attacks to deliver new backdoor.
- Earth Yako targets researchers in Japan.
- Suspected Azerbaijani threat actor targets Armenia.
Earth Kitsune uses watering-hole attacks to deliver new backdoor.
Trend Micro has observed a new backdoor called "WhiskerSpy" that's being used by the Earth Kitsune APT to target individuals who are interested in North Korea. The malware is distributed via watering-hole websites:
"At the end of 2022, we discovered that the website of a pro-North Korean organization was compromised and modified to distribute malware. When a targeted visitor tries to watch videos on the website, a malicious script injected by the attacker displays a message prompt notifying the victims of a video codec error to entice them to download and install a trojanized codec installer. The installer was patched to load a previously unseen backdoor that we dubbed 'WhiskerSpy.' In addition, we also found the threat actor adopting an interesting persistence technique that abuses Google Chrome's native messaging host."
The researchers add, "This threat is very interesting from a technical perspective. It patches the legitimate installers to hide its activities, uses lesser-known hashing algorithms to compute machine IDs and session IDs, and employs ECC to protect encryption keys. In addition, the presented methods of persistence are also quite unique and rare. This shows that Earth Kitsune are proficient with their technical abilities and are continuously evolving their tools, tactics, and procedures (TTPs)."
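The persistence technique described above relies on Chrome's native messaging hosts: a small JSON manifest, registered per user, tells the browser which local program an extension may launch over stdio. A defender can enumerate those manifests and review the ones that look nothing like a vendor install. The script below is an added example, not code from Trend Micro's report or from any Earth Kitsune sample; the two manifests it audits are constructed, and the heuristics (install-path allow-list, script or interpreter host, empty `allowed_origins`) are the author's own choices, not anything the report specifies.

```python
"""Audit Chrome native messaging host manifests for persistence abuse.

Added example: manifests are read from the documented per-user locations
(Linux/macOS directories; the registry on Windows) and checked against a few
defender heuristics. The two sample manifests below are constructed.
"""
import json
import sys
from pathlib import Path

# Documented per-user manifest directories for Chrome and Chromium.
MANIFEST_DIRS = [
    Path.home() / ".config/google-chrome/NativeMessagingHosts",
    Path.home() / ".config/chromium/NativeMessagingHosts",
    Path.home() / "Library/Application Support/Google/Chrome/NativeMessagingHosts",
]

# Heuristics (assumptions for this example): a legitimate host usually lives
# under a system install prefix and is a compiled binary, not a script.
TRUSTED_PREFIXES = ("/usr/", "/opt/", "/applications/", "c:\\program files")
SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".py", ".sh")
INTERPRETERS = ("powershell", "cmd.exe", "wscript", "cscript", "python", "node")


def audit_manifest(manifest: dict) -> list:
    """Return a list of findings for one manifest; an empty list means clean."""
    path = manifest.get("path", "")
    if not path:
        return ["manifest has no 'path'"]
    lower = path.lower()
    findings = []
    if not lower.startswith(TRUSTED_PREFIXES):
        findings.append(f"host binary outside trusted install dirs: {path}")
    if lower.endswith(SCRIPT_EXTS) or any(i in lower for i in INTERPRETERS):
        findings.append(f"host is a script or interpreter: {path}")
    if manifest.get("type") != "stdio":
        findings.append(f"unexpected type {manifest.get('type')!r}")
    origins = manifest.get("allowed_origins", [])
    if not origins:
        findings.append("no allowed_origins: any extension could reach the host")
    for origin in origins:
        if not origin.startswith("chrome-extension://"):
            findings.append(f"non-extension origin: {origin}")
    return findings


def windows_manifest_paths():
    """On Windows the manifest path is the default value of a registry subkey."""
    import winreg  # only available on Windows
    key_path = r"Software\Google\Chrome\NativeMessagingHosts"
    for root in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(root, key_path) as key:
                index = 0
                while True:
                    try:
                        name = winreg.EnumKey(key, index)
                    except OSError:
                        break
                    index += 1
                    with winreg.OpenKey(key, name) as sub:
                        yield Path(winreg.QueryValue(sub, None))
        except OSError:
            continue


def audit_installed() -> dict:
    """Audit every manifest registered for the current user; path -> findings."""
    if sys.platform == "win32":
        manifests = list(windows_manifest_paths())
    else:
        manifests = [p for d in MANIFEST_DIRS if d.is_dir() for p in d.glob("*.json")]
    results = {}
    for mf in manifests:
        try:
            results[str(mf)] = audit_manifest(json.loads(mf.read_text(encoding="utf-8")))
        except (OSError, ValueError) as exc:
            results[str(mf)] = [f"unreadable manifest: {exc}"]
    return results


# Constructed samples: a vendor-style host and one that resembles a dropped script.
SAMPLE_MANIFESTS = {
    "benign": {
        "name": "com.example.vendor_host",
        "path": "/opt/vendor/host",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
    },
    "suspicious": {
        "name": "com.example.codec_update",
        "path": "C:\\Users\\victim\\AppData\\Roaming\\codec\\update.bat",
        "type": "stdio",
        "allowed_origins": [],
    },
}

if __name__ == "__main__":
    for label, manifest in SAMPLE_MANIFESTS.items():
        print(label, audit_manifest(manifest) or "clean")
    for path, findings in audit_installed().items():
        print(path, findings or "clean")
```

Findings are hints for a human to follow up, not verdicts: a host that lives in a user profile is common for per-user installs of legitimate tools, so the value is in reviewing what the host binary actually is and which extension is allowed to launch it.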
Earth Yako targets researchers in Japan.
Trend Micro has also published a report outlining the activities of the threat actor tracked as "Earth Yako." The threat actor has been targeting "researchers in the academe and research think tanks in Japan" since January 2022, as well as launching several attacks against entities in Taiwan. Earth Yako generally launches spearphishing attacks against researchers in various industries:
"While consistently targeting researchers, the areas of interest for Earth Yako’s deployment and targeting have varied over time. Earlier in 2022, their main targets were stakeholders related to economic security, but later expanded to target other sectors such as the energy or economic industry.
"In this campaign, Earth Yako uses a spearphishing link for initial access. The URL in the spearphishing mail downloads the compressed (.zip) or disc image (.iso) file containing a malicious shortcut file (.lnk) to download another payload. We observed several spearphishing emails masquerading as invitations to private or public meeting-like events, which leads to the download of the malware onto the target system."
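The delivery chain above (archive or disc image carrying a shortcut file that fetches the next stage) is something a mail gateway or sandbox can triage before a user ever opens the lure. The following is an added example, not Trend Micro's code or anything from the campaign: it walks a ZIP attachment, flags `.lnk` members (including "document.pdf.lnk"-style double extensions), recognises a Windows shortcut by its fixed 20-byte header even when the member name says otherwise, and flags nested disc images for recursive inspection. The archive it examines is constructed in memory; the triage categories are the author's own.

```python
"""Triage archive attachments for Windows shortcut lures.

Added example. Shortcut files start with a fixed header: HeaderSize 0x4C
followed by the LinkCLSID 00021401-0000-0000-C000-000000000046, so a member
can be recognised as a shortcut regardless of its name.
"""
import io
import zipfile
from typing import List, Optional, Tuple

LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
CONTAINER_EXTS = (".iso", ".img", ".vhd", ".vhdx", ".zip", ".rar", ".7z")
LURE_DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")


def classify_member(name: str, head: bytes) -> Optional[str]:
    """Label one archive member from its name and first bytes, or None if benign."""
    base = name.rsplit("/", 1)[-1].lower()
    if base.endswith(".lnk"):
        stem = base[:-4]
        if stem.endswith(LURE_DOC_EXTS):
            return "shortcut with document double extension"
        return "shortcut"
    if head.startswith(LNK_MAGIC):
        return "shortcut header under non-.lnk name"
    if base.endswith(CONTAINER_EXTS):
        return "nested container (inspect recursively)"
    return None


def risky_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every member worth a closer look."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reason = classify_member(info.filename, head)
            if reason:
                flagged.append((info.filename, reason))
    return flagged


def triage_attachment(filename: str, data: bytes) -> List[Tuple[str, str]]:
    """Top-level entry: ZIPs are walked; ISO images are flagged for mounting."""
    lower = filename.lower()
    if lower.endswith(".iso"):
        return [(filename, "disc image attachment: mount and inspect contents")]
    if lower.endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        return risky_members(data)
    return []


def build_sample_zip() -> bytes:
    """Constructed attachment: a lure folder with two shortcuts and a nested ISO."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invitation/Agenda.pdf.lnk", LNK_MAGIC + b"\x00" * 40)
        zf.writestr("Invitation/notes.txt", LNK_MAGIC + b"\x00" * 40)  # misnamed shortcut
        zf.writestr("Invitation/README.txt", b"Please see the agenda.\n")
        zf.writestr("Invitation/materials.iso", b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_attachment("Invitation.zip", build_sample_zip()):
        print(f"{member}: {reason}")
```

Reading the header rather than trusting the extension matters because archive tools and Explorer will still treat a correctly structured file as a shortcut; the name only decides what icon the user sees. ISO handling is deliberately left as "mount and inspect": parsing ISO 9660 needs a third-party library, and on Windows the image is mounted as a drive letter anyway, so the same member checks apply once it is mounted.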
Trend Micro doesn't attribute Earth Yako to any particular nation-state, noting that the most recent campaign exhibits overlaps with China's APT10, Russia's APT29, and the suspected South Korean threat group Darkhotel.
Suspected Azerbaijani threat actor targets Armenia.
Check Point is tracking a cyberespionage campaign that's targeting entities in Armenia with a new version of the OxtaRAT malware. The malware has also been used to target Azerbaijani activists and dissidents. Check Point says the malware has received updates that allow it to scan for additional devices:
"OxtaRAT, which previously had mostly local recon and surveillance capabilities, can now be used as a pivot for active reconnaissance of other devices. This may indicate that the threat actors are preparing to extend their main attack vector, which is currently social engineering, to infrastructure-based attacks. It also might be a sign that the actors are moving from targeting individuals to targeting more complex or corporate environments."
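A tool that moves from local surveillance to "active reconnaissance of other devices" produces a different network signature: one compromised host opening connections to many internal addresses in a short window. The detector below is an added example, not Check Point's code and not tied to any OxtaRAT indicator; it runs over constructed flow-log lines in a simple `key=value` layout and raises an alert when a single source reaches more than a threshold of distinct destinations inside a sliding time window. The field names, thresholds and log format are the author's assumptions.

```python
"""Sliding-window host-sweep detector over flow-style log lines (added example).

Log format assumed here (constructed for the example):
    <ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Parse one flow record; lines that do not match are ignored."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect_sweeps(lines: Iterable[str], min_hosts: int = 8,
                  window_seconds: int = 60) -> Dict[str, dict]:
    """Return {source: alert} for sources that touch >= min_hosts distinct
    destinations within any window_seconds span. The alert keeps the largest
    host count seen and the destination ports involved."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)  # per source: (ts, dst, dport) inside the window
    alerts: Dict[str, dict] = {}
    for ts, src, dst, dport in events:
        window = recent[src]
        window.append((ts, dst, dport))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        hosts = {d for _, d, _ in window}
        if len(hosts) >= min_hosts:
            prev = alerts.get(src)
            if prev is None or len(hosts) > prev["hosts"]:
                alerts[src] = {
                    "hosts": len(hosts),
                    "ports": sorted({p for _, _, p in window}),
                    "last_seen": ts.isoformat(),
                }
    return alerts


# Constructed sample: 10.0.0.5 walks twelve neighbours on 445 within 12 seconds,
# while 10.0.0.8 shows ordinary DNS and HTTPS traffic to two hosts.
SAMPLE_LOG = [
    f"2023-02-20T10:00:{i:02d} src=10.0.0.5 dst=10.0.0.{10 + i} dport=445 proto=tcp"
    for i in range(12)
] + [
    "2023-02-20T10:00:05 src=10.0.0.8 dst=10.0.0.2 dport=53 proto=udp",
    "2023-02-20T10:00:06 src=10.0.0.8 dst=10.0.0.3 dport=443 proto=tcp",
    "2023-02-20T10:00:40 src=10.0.0.8 dst=10.0.0.2 dport=53 proto=udp",
    "not a flow record",
]

if __name__ == "__main__":
    for src, alert in detect_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {alert['hosts']} hosts on ports {alert['ports']} "
              f"(last seen {alert['last_seen']})")
```

Tune `min_hosts` and `window_seconds` against a baseline of the monitored segment: vulnerability scanners, monitoring systems and backup servers legitimately fan out like this and belong on an allow-list, whereas a user workstation that suddenly reaches a dozen peers on SMB or RDP is exactly the pivot behaviour the Check Point passage describes.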
The researchers don't make any definitive attributions, but they note that the campaign's targeting is "consistent with Azerbaijani interests."