Security News > 2022 > April > North Korean Hackers Target Journalists with GOLDBACKDOOR Malware
A state-backed threat actor with ties to the Democratic People's Republic of Korea has been attributed to a spear-phishing campaign targeting journalists covering the country with the ultimate goal of deploying a backdoor on infected Windows systems.
The threat actor has a track record of targeting the Republic of Korea with a noted focus on government officials, non-governmental organizations, academics, journalists, and North Korean defectors.
In November 2021, Kaspersky unearthed evidence of the hacking crew delivering a previously undocumented implant called Chinotto as part of a new wave of highly-targeted surveillance attacks, while other prior operations have made use of a remote access tool called BLUELIGHT. Stairwell's investigation into the campaign comes weeks after NK News disclosed that the lure messages were sent from a personal email address belonging to a former South Korean intelligence official, ultimately leading to the deployment of the backdoor in a multi-stage infection process to evade detection.
Embedded within the file is a Windows shortcut file that acts as a jumping-off point to execute the PowerShell script, which opens a decoy document while simultaneously installing the GOLDBACKDOOR backdoor.
The implant, for its part, is fashioned as a Portable Executable file that's capable of retrieving commands from a remote server, uploading and downloading files, recording files, and remotely uninstalling itself from the compromised machines.
"While significant attention has been paid to the purported use of these operations as a means of funding DPRK's military programs, the targeting of researchers, dissidents, and journalists likely remains a key area for supporting the country's intelligence operations."
News URL
https://thehackernews.com/2022/04/north-korean-hackers-target-journalists.html
Related news
- North Korean Hackers Targeting Developers with Malicious npm Packages (source)
- Japan warns of malicious PyPi packages created by North Korean hackers (source)
- Chinese Hackers Exploiting Ivanti VPN Flaws to Deploy New Malware (source)
- Hackers Exploit ConnectWise ScreenConnect Flaws to Deploy TODDLERSHARK Malware (source)
- Hackers target Docker, Hadoop, Redis, Confluence with new Golang malware (source)
- Magnet Goblin hackers use 1-day flaws to drop custom Linux malware (source)
- Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware (source)
- Hackers leverage 1-day vulnerabilities to deliver custom Linux malware (source)
- Hackers abuse Windows SmartScreen flaw to drop DarkGate malware (source)
- Hackers exploit Windows SmartScreen flaw to drop DarkGate malware (source)