Chinotto Spyware Targets North Korean Defectors
The Chinotto Spyware is a malicious implant that is being used by the North Korean Advanced Persistent Threat (APT) group known as ScarCruft. This state-sponsored group works in the interest of the North Korean government and, unsurprisingly, South Korean users are its primary target. The latest tool they use to aid their attacks is the Chinotto Spyware. As the name suggests, it is part of a large-scale surveillance attack campaign. The malicious payload is being delivered through spear-phishing emails, which contain an attachment that looks harmless at first sight. However, in reality, it packs an obfuscated script, which could lead to the deployment and execution of the Chinotto Spyware. Often, this attachment is a Microsoft Office document.
Chinotto Spyware Comes in Both Android and Windows Versions
Although the primary targets are Windows machines, cybersecurity experts uncovered an APK file that also carries the code of the Chinotto Spyware. It appears that the North Korean hackers are trying to go after as many devices as possible. Both implants share similar features, and their primary focus is surveillance.
The Chinotto Spyware for Windows enables its operators to download and execute files, or to transfer files from the victim's machine to the attacker's server. The criminals are also able to execute remote commands, or to steal files that match specific names or file extensions. The malware can also fetch updates for itself, or pause its activity for a period of time, probably in an attempt to avoid analysis or detection.
The Chinotto Spyware for Android is likely to be delivered through malicious text messages that urge users to download and run an APK file. Once running, the malware can gather contact and text message information, steal files, track calls, and even record audio via the microphone.
Although the Chinotto Spyware is the product of state-sponsored threat actors, it is not that different from mainstream malware. It grants attackers control over most of the infected device, and can lead to a lot of unforeseen issues. Protect your devices from such intrusions by using up-to-date security software at all times.