A state-backed threat actor with ties to the Democratic People’s Republic of Korea (DPRK) has been attributed with a spear-phishing attack targeting journalists, with the goal of deploying a backdoor on infected Windows systems.
The intrusions are believed to be the work of Ricochet Chollima and resulted in the deployment of a new malware strain named GOLDBACKDOOR, an artifact that shares technical overlaps with BLUELIGHT, another malware family previously connected to the group.
“Journalists are high-value targets for hostile governments,” cybersecurity firm Stairwell said in a report published last week. “Compromising a journalist can provide access to highly-sensitive information and enable additional attacks against their sources.”
Ricochet Chollima, also known as APT37, InkySquid, and ScarCruft, is a North Korean-nexus targeted intrusion adversary that has been involved in espionage attacks since at least 2016. This threat actor is known for targeting North Korea, with an emphasis on academics, defectors and government officials.
In November 2021, Kaspersky unearthed evidence of the hacking crew delivering a previously undocumented implant called Chinotto as part of a new wave of highly-targeted surveillance attacks, while other prior operations have made use of a remote access tool called BLUELIGHT.
Stairwell’s investigation into the campaign comes weeks after NK News disclosed that the lure messages were sent from a personal email address belonging to a former South Korean intelligence official, ultimately leading to the deployment of the backdoor in a multi-stage infection process to evade detection.
The email messages were found to contain a link to download a ZIP archive from a remote server designed to impersonate the North Korea-focused news portal. The archive contains a Windows shortcut (LNK) file that acts as an intermediary for launching a PowerShell script, which in turn opens a decoy document and installs the GOLDBACKDOOR backdoor.
The implant, for its part, is fashioned as a Portable Executable file that is capable of retrieving commands from a remote server, uploading and downloading files, recording files, and remotely uninstalling itself from the compromised machine.
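The ZIP-then-shortcut-then-PowerShell chain described above is something a mail gateway or analysis sandbox can check for before a user ever double-clicks. The following Python is an added example and not code from Stairwell, NK News or the malware authors: a minimal parser for the StringData section of a Windows shortcut (the MS-SHLLINK layout) and a scanner that flags `.lnk` members of an archive whose target path or arguments point at PowerShell. The archive contents, shortcut and indicator list are constructed for the demo; the real lure is not reproduced.

```python
import io, struct, zipfile

# Constructed example: minimal MS-SHLLINK StringData parser plus a ZIP scanner.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"), (0x20, "arguments"), (0x40, "icon_location"))
INDICATORS = ("powershell", "-nop", "hidden", "bypass", "-enc", "iex", "downloadstring")

def parse_lnk_strings(data: bytes) -> dict:
    # Skip the 76-byte ShellLinkHeader, then the optional IDList and LinkInfo.
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]  # LinkInfoSize counts itself
    out, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FIELDS:      # each field: CountCharacters, then the chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return out

def scan_zip_for_lnk(zip_bytes: bytes) -> list:
    # Returns (member name, arguments, matched indicators) per suspicious shortcut.
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk"):
                fields = parse_lnk_strings(zf.read(info))
                text = " ".join(fields.values()).lower()
                hits = [i for i in INDICATORS if i in text]
                if hits:
                    findings.append((info.filename, fields.get("arguments", ""), hits))
    return findings

def sample_archive() -> bytes:
    # Constructed lure: a decoy document beside a shortcut (HasRelativePath,
    # HasArguments, IsUnicode) whose target is powershell.exe.
    hdr = bytearray(0x4C)
    struct.pack_into("<I", hdr, 0, 0x4C)
    hdr[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # CLSID_ShellLink
    struct.pack_into("<I", hdr, 0x14, 0x08 | 0x20 | IS_UNICODE)
    strings = (r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "-NoP -W Hidden -ExecutionPolicy Bypass -File stage.ps1")
    lnk = bytes(hdr) + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("interview.docx", b"decoy text")
        zf.writestr("interview.docx.lnk", lnk)
    return buf.getvalue()
```

Real shortcuts often carry an IDList and LinkInfo block before the strings; the parser skips both using their own size fields, so it works on those as well as on the constructed sample.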
“Over the past 10 years, the Democratic People’s Republic of Korea (DPRK) has adopted cyber operations as a key means of supporting the regime,” Stairwell’s Silas Cutler said.
“While significant attention has been paid to the purported use of these operations as a means of funding DPRK’s military programs, the targeting of researchers, dissidents, and journalists likely remains a key area for supporting the country’s intelligence operations.”