North Korean Hackers Reveal the Goldbackdoor Malware
North Korea's hacking groups are among the most notorious cybercrime organizations in the world, and the majority of their attacks are either financially or politically motivated. One of their latest payloads is called the Goldbackdoor Malware, and it appears to have been in use since March. Over the past two months, the Goldbackdoor Malware has been employed in attacks against journalists worldwide, and the primary purpose of the campaign is data theft. However, the feature set of the Goldbackdoor Malware allows the criminals to perform other tasks as well.
The Goldbackdoor Malware operation is attributed to an Advanced Persistent Threat (APT) group tracked under the alias APT37, which is also well known under the name ScarCruft. The newly identified Goldbackdoor Malware has been recovered from the compromised systems of South Korean journalists, and it appears to share similarities with previous ScarCruft malware such as Bluelight.
Victims of the Goldbackdoor Malware appear to be approached via carefully crafted spear-phishing emails whose subjects track current trends and topics, which makes it more likely that the victim will take the bait. Furthermore, the hackers appear to have compromised legitimate email accounts to make their campaign more believable. One of the messages carrying the Goldbackdoor Malware attachment was sent from the personal email account of a former director of the National Intelligence Service of South Korea.
As for the payload, it relies on public cloud hosting services both as the destination for exfiltrated data and as the channel through which it receives commands. Some of the legitimate services that the Goldbackdoor Malware relies on are Microsoft Azure, OneDrive, Google Docs, and the Graph APIs. Attacks of this type are exceptionally dangerous, since the malicious traffic blends in with legitimate use of these services and firewall utilities that allow them might be unable to catch it. However, a reputable antivirus product should still be enough to terminate the Goldbackdoor Malware.
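Because domain-level firewall rules cannot distinguish this kind of command-and-control from ordinary use of the same cloud services, one defensive check is to baseline upload volume per workstation to those endpoints from proxy logs. The following is an added example, not code from the article or from any vendor: it parses a constructed proxy log and flags hosts whose uploads to the assumed endpoint domains (the cloud services named above) exceed a threshold.

```python
import csv
import io
from collections import defaultdict

# Constructed sample proxy log (not from the article): ts,src_host,dst_host,method,bytes_out
SAMPLE_PROXY_LOG = """\
ts,src_host,dst_host,method,bytes_out
2022-04-20T09:00:01,ws-017,graph.microsoft.com,GET,812
2022-04-20T09:00:05,ws-017,graph.microsoft.com,PUT,5242880
2022-04-20T09:00:09,ws-017,graph.microsoft.com,PUT,5242880
2022-04-20T09:01:02,ws-017,docs.google.com,POST,4096000
2022-04-20T09:02:13,ws-042,onedrive.live.com,PUT,204800
2022-04-20T09:03:44,ws-042,docs.google.com,GET,2048
2022-04-20T09:04:10,ws-099,example-news.invalid,POST,1024
"""

# Assumed endpoint suffixes for the services the article names (Azure, OneDrive,
# Google Docs, Graph API); adjust to what your proxy actually sees.
CLOUD_API_SUFFIXES = (
    "graph.microsoft.com",
    "blob.core.windows.net",
    "onedrive.live.com",
    "docs.google.com",
)

# Methods that carry a request body, i.e. the direction exfiltration travels.
UPLOAD_METHODS = {"PUT", "POST", "PATCH"}


def is_cloud_api(host: str) -> bool:
    """True if host is one of the monitored domains or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in CLOUD_API_SUFFIXES)


def upload_bytes_by_host(log_text: str) -> dict:
    """Sum bytes uploaded per (src_host, dst_host) pair to the monitored endpoints."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["method"].upper() in UPLOAD_METHODS and is_cloud_api(row["dst_host"]):
            totals[(row["src_host"], row["dst_host"])] += int(row["bytes_out"])
    return dict(totals)


def flag_exfil_candidates(log_text: str, threshold_bytes: int = 1_000_000) -> list:
    """Return (src_host, dst_host, bytes) tuples at or above the threshold, largest first."""
    totals = upload_bytes_by_host(log_text)
    hits = [(src, dst, b) for (src, dst), b in totals.items() if b >= threshold_bytes]
    return sorted(hits, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for src, dst, b in flag_exfil_candidates(SAMPLE_PROXY_LOG):
        print(f"{src} uploaded {b} bytes to {dst} in the log window")
```

The threshold is a placeholder; in practice it should be derived from each host's own historical upload volume to these services so that normal document syncing is not flagged.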