January 23, 2022

TheCyberThrone

Thinking Security! Always

APT37 Unleashes Chinotto Malware

North Korean defectors, journalists, and entities in South Korea are being targeted by a nation-state-sponsored APT tracked as ScarCruft, also known as APT37 or Reaper Group.

The actor used three types of malware with similar functionality: versions implemented in PowerShell, as Windows executables, and as Android applications. Although intended for different platforms, they share a similar command-and-control scheme based on HTTP communication, so the operators can control the whole malware family through one set of command-and-control scripts.


ScarCruft is known for targeting public and private sector organizations in South Korea with the aim of stealing sensitive information stored on compromised systems, and has previously been observed using a Windows-based backdoor called RokRAT.

The primary initial infection vector used by APT37 is spear-phishing, in which the actor sends the target an email carrying a weaponized malicious document.

The threat actor reached out to the victim's associates and acquaintances using stolen Facebook account credentials to establish initial contact, then followed up with a spear-phishing email enclosing a password-protected RAR archive containing a Word document. This decoy document claims to be about "North Korea's latest situation and our national security."


Opening the Microsoft Office document triggers the execution of a macro and the decryption of the next-stage payload embedded within the document. That payload, a VBA script, contains shellcode that in turn retrieves the final-stage payload, which has backdoor capabilities, from a remote server.

The operators first collected screenshots, then in late August deployed a fully featured malware called Chinotto to control the device and exfiltrate sensitive information to a C2 server.

Chinotto also has an Android variant built to spy on its users in the same way. The malicious APK file, delivered to recipients via a smishing attack, prompts users to grant it a wide range of permissions during installation, enabling the app to collect contact lists, messages, call logs, device information, audio recordings, and data stored in apps such as Huawei Drive, Tencent WeChat (aka Weixin), and KakaoTalk.


Many journalists, defectors, and human rights activists are targets of sophisticated cyberattacks. Unlike corporations, these targets typically lack the tools needed to protect against and respond to highly skilled surveillance operations.

Indicators of compromise


Payload hosting URLs

hxxps://api[.]onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalVyZDlodU1wUWNjTGt4bXhBV0pjQU1ja2M_ZT1mUnc4VHg/root/content
hxxp://www[.]djsm.co[.]kr/js/20170805[.]hwp

Command and control server

