We’re pleased to announce that the Retail & Hospitality ISAC Podcast has joined the CyberWire Podcast Network. Join host Luke Vander Linden for chats with members of the InfoSec community to discuss the latest challenges, opportunities, and best practices unique to cybersecurity in the retail and hospitality industry. Tune in & Subscribe
Trend Micro has observed a new backdoor called "WhiskerSpy" that's being used by the Earth Kitsune APT to target individuals who are interested in North Korea. The malware is distributed via watering-hole websites:
"At the end of 2022, we discovered that the website of a pro-North Korean organization was compromised and modified to distribute malware. When a targeted visitor tries to watch videos on the website, a malicious script injected by the attacker displays a message prompt notifying the victims with a video codec error to entice them to download and install a trojanized codec installer. The installer was patched to load a previously unseen backdoor, that we dubbed 'WhiskerSpy.' In addition, we also found the threat actor adopting an interesting persistence technique that abuses Google Chrome’s native messaging host."
The researchers add, "This threat is very interesting from a technical perspective. It patches the legitimate installers to hide its activities, uses lesser-known hashing algorithms to compute machine IDs and session IDs and employs ECC to protect encryption keys. In addition, the presented methods of persistence are also quite unique and rare. This shows that Earth Kitsune are proficient with their technical abilities and are continuously evolving their tools, tactics, and procedures TTPs."
Trend Micro has also published a report outlining the activities of the threat actor tracked as "Earth Yako." The threat actor has been targeting "researchers in the academe and research think tanks in Japan" since January 2022, as well as launching several attacks against entities in Taiwan. Earth Yako generally launches spearphishing attacks against researchers in various industries:
"While consistently targeting researchers, the areas of interest for Earth Yako’s deployment and targeting have varied over time. Earlier in 2022, their main targets were stakeholders related to economic security, but later expanded to target other sectors such as the energy or economic industry.
"In this campaign, Earth Yako uses a spearphishing link for initial access. The URL in the spearphishing mail downloads the compressed (.zip) or disc image (.iso) file containing a malicious shortcut file (.lnk) to download another payload. We observed several spearphishing emails masquerading as an invitation for a private or public meeting-like events, which leads to download the malware in the target system."
Trend Micro doesn't attribute Earth Yako to any particular nation-state, noting that the most recent campaign exhibits overlaps with China's APT10, Russia's APT29, and the suspected South Korean threat group Darkhotel.
Check Point is tracking a cyberespionage campaign that's targeting entities in Armenia with a new version of the OxtaRAT malware. The malware has also been used to target Azerbaijani activists and dissidents. Check Point says the malware has received updates that allow it to scan for additional devices:
"OxtaRAT, which previously had mostly local recon and surveillance capabilities, can now be used as a pivot for active reconnaissance of other devices. This may indicate that the threat actors are preparing to extend their main attack vector, which is currently social engineering, to infrastructure-based attacks. It also might be a sign that the actors are moving from targeting individuals to targeting more complex or corporate environments."
The researchers don't make any definitive attributions, but they note that the campaign's targeting is "consistent with Azerbaijani interests."
The State of Zero Trust Security: 2021 Report (Okta) Identity and access management maturity in global organizations.
Mirai Variant V3G4 Targets IoT Devices (Unit 42) We observed Mirai variant V3G4 targeting IoT devices in three separate campaigns in 2022.
Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack (Trend Micro) We discovered a new backdoor which we have attributed to the advanced persistent threat actor known as Earth Kitsune, which we have covered before. Since 2019, Earth Kitsune has been distributing variants of self-developed backdoors to targets, primarily individuals who are interested in North Korea.
Operation Silent Watch: Desktop Surveillance in Azerbaijan and Armenia (Check Point Research) Executive summary Amid rising tensions between Azerbaijan and Armenia over the Lachin corridor in late 2022, Check Point Research identified a malicious campaign against entities in Armenia. The malware distributed in this campaign is a new version of a backdoor we track as OxtaRAT, an AutoIt-based tool for remote access and desktop surveillance. Key findings: […]
Threat Intelligence on Vice Society's Dark Web Footprint (Searchlight Cyber) Today we have launched our first Ransomware Spotlight containing threat intelligence on the notorious ransomware group Vice Society.
APT SideCopy Targeting Indian Government Entities - ThreatMon : Cyber Threat Intelligence (CTI) Platform (ThreatMon : Cyber Threat Intelligence (CTI) Platform) Move over APT SideCopy, there's a new digital threat in wild. ThreatMon Malware Research team has just uncovered a new version of the ReverseRAT malware.
