WhiskerSpy Backdoor Linked to APT

Researchers have identified a new backdoor that has been linked to the advanced persistent threat group Earth Kitsune, a group they have previously studied. Earth Kitsune has been distributing self-developed backdoors to targets interested in North Korea since 2019. In previous cases, researchers found that the group used watering hole tactics to compromise North Korea-related websites and inject browser exploits. However, in their latest attack, the group employed social engineering tactics instead of browser exploits.

In late 2022, researchers discovered that the website of a pro-North Korean organization had been compromised to distribute malware. The attackers injected a malicious script into the website's video pages that displayed a fake error message, prompting victims to download and install a trojanized codec installer that loaded a new backdoor called "WhiskerSpy". The attackers also used a persistence technique that took advantage of Google Chrome's native messaging host.
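The native messaging host mechanism mentioned above is a legitimate Chrome feature: an extension can launch a local program that Chrome locates through a small JSON manifest registered under the browser's NativeMessagingHosts registry key (Windows) or directory (Linux/macOS). Because that registration survives reboots and is rarely inspected, it doubles as a persistence point. The following audit script is an added example written for this article, not code from the original report or from the researchers; the manifest field rules it enforces are Chrome's documented ones, while the "scratch directory" and script-wrapper checks are heuristics, and all sample manifests are constructed here rather than taken from the incident.

```python
"""Audit Chrome native messaging host manifests for persistence abuse (added example).

Chrome resolves a host from a manifest registered at
  Windows: HKCU|HKLM\\Software\\Google\\Chrome\\NativeMessagingHosts\\<name> -> manifest path
  Linux:   ~/.config/google-chrome/NativeMessagingHosts/<name>.json
  macOS:   ~/Library/Application Support/Google/Chrome/NativeMessagingHosts/<name>.json
The manifest's "path" is the program Chrome launches on behalf of an extension.
"""
import json
import re
from pathlib import Path, PureWindowsPath
from typing import List

# Chrome's documented constraints on a manifest (not heuristics).
NAME_RE = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)*$")          # lowercase, dots, underscores
ORIGIN_RE = re.compile(r"^chrome-extension://[a-p]{32}/$")     # extension-id origin form

# Heuristic: an installed host binary rarely lives in a user-writable scratch directory.
SUSPICIOUS_DIR_PARTS = {"temp", "tmp", "downloads", "public"}
SCRIPT_SUFFIXES = (".js", ".vbs", ".ps1", ".bat", ".cmd")


def audit_manifest(text: str) -> List[str]:
    """Return findings for one manifest; an empty list means nothing looked odd."""
    findings: List[str] = []
    try:
        m = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"manifest is not valid JSON: {e.msg}"]
    if not isinstance(m, dict):
        return ["manifest is not a JSON object"]

    name = m.get("name", "")
    if not isinstance(name, str) or not NAME_RE.match(name):
        findings.append(f"invalid host name {name!r}")

    if m.get("type") != "stdio":
        findings.append(f"type must be 'stdio', got {m.get('type')!r}")

    path = m.get("path", "")
    if not isinstance(path, str) or not path:
        findings.append("missing host path")
    else:
        # PureWindowsPath accepts both separator styles, so it works for Linux paths too.
        parts = {p.lower().strip("\\/") for p in PureWindowsPath(path).parts}
        hits = parts & SUSPICIOUS_DIR_PARTS
        if hits:
            findings.append(f"host binary under user-writable scratch dir {sorted(hits)}: {path}")
        if path.lower().endswith(SCRIPT_SUFFIXES):
            findings.append(f"host is an interpreted wrapper, verify what it launches: {path}")

    origins = m.get("allowed_origins")
    if not isinstance(origins, list) or not origins:
        findings.append("no allowed_origins: no extension can legitimately connect")
    else:
        bad = [o for o in origins if not isinstance(o, str) or not ORIGIN_RE.match(o)]
        if bad:
            findings.append(f"malformed allowed_origins entries: {bad}")
    return findings


def audit_directory(directory) -> dict:
    """Audit every *.json manifest in a NativeMessagingHosts directory (Linux/macOS layout)."""
    results = {}
    for f in Path(directory).glob("*.json"):
        results[str(f)] = audit_manifest(f.read_text(encoding="utf-8", errors="replace"))
    return results


# Constructed sample manifests (hypothetical names and paths, not from the incident).
BENIGN = json.dumps({
    "name": "com.example.codec_helper",
    "description": "Example helper",
    "path": "C:\\Program Files\\Example\\helper.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
})
SUSPECT = json.dumps({
    "name": "com.example.codec_helper",
    "description": "Example helper",
    "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\codec.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
})

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, audit_manifest(text) or "OK")
```

On Windows the manifest locations come from the registry rather than a fixed directory, so `audit_directory` would be driven by enumerating the `NativeMessagingHosts` key (for example with `reg query` or `winreg`) and feeding each manifest path to `audit_manifest`. A finding is a prompt to look at the binary and at which extension ID is allowed to talk to it, not a verdict on its own.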

The attackers configured the webpages to deliver the malicious script exclusively to visitors from a list of IP addresses, making it difficult to detect the attack. However, researchers found a text file on the attackers' server containing a regular expression that matched the targeted IP addresses. The researchers noted that the IP addresses in Shenyang and Nagoya were likely the real targets, while the targeted IP addresses in Brazil mostly belonged to a commercial VPN service that the attackers may have used to test their watering hole attacks. To verify the attack, researchers used the same VPN service to successfully receive the malicious script.

What is a Backdoor and How Can it Expose You to Additional Threats?

A backdoor is a type of malicious software or code that provides unauthorized access to a computer or network, bypassing normal security mechanisms. Backdoors can be used by cybercriminals to gain access to sensitive information, install additional malware or take control of a system remotely.

Once a backdoor is installed, it can leave a system open to a wide range of additional threats. For example, attackers can use the backdoor to steal login credentials, install keyloggers to capture sensitive data, or launch a ransomware attack to encrypt files on the compromised system. Backdoors can also be used to spread malware to other systems in the network, allowing attackers to expand their reach and gain access to more sensitive data.

In addition to the potential damage caused by unauthorized access and data theft, backdoors can be difficult to detect and remove. Because they are designed to bypass normal security mechanisms, they can be hidden deep within a system, making them difficult to detect with standard anti-virus tools. As a result, the presence of a backdoor can leave a system vulnerable to attack for an extended period, even after other malware has been removed.

February 20, 2023