APT37, the North Korean state-sponsored group also tracked as Ricochet Chollima, has been targeting journalists with a previously unseen malware strain. The group attacked news outlets in an apparent attempt to identify the journalists' sources. Threat researchers at Stairwell analysed the attacks and found a new malware sample they named "Goldbackdoor". They assess that the attacks began with a phishing email sent from the account of a former director of South Korea's National Intelligence Service (NIS). The emails sent to the journalists contained a link to download a ZIP archive holding two LNK (Windows shortcut) files, both named 'Kang Min-chol edits'. Kang Min-chol is North Korea's Minister of Mining Industries. Both shortcuts contained malicious code that starts the chain leading to execution of Goldbackdoor. Goldbackdoor itself is delivered as a Portable Executable (PE) file; once running, it accepts basic commands from its operators and exfiltrates data. The exfiltration goes through legitimate cloud services, so the outbound traffic looks like ordinary web usage rather than a connection to attacker-owned infrastructure.
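Given that delivery step, a defender's first practical question is how to triage such archives before they reach a mailbox. The script below is an added example, not Stairwell's tooling and not anything recovered from the attack: it unpacks a ZIP in memory, parses the header and string fields of each Windows shortcut (the Shell Link binary format), and flags shortcuts whose target or arguments name a script interpreter. The archive, both shortcuts and the PowerShell command line are constructed for the example; the page does not describe what the real 'Kang Min-chol edits' shortcuts executed, so a PowerShell target is an assumption about a typical LNK-based first stage.

```python
"""Triage a ZIP attachment for Windows shortcut (.lnk) files that launch a
script interpreter.

Added example for the 'ZIP archive containing LNK files' delivery step
described above. The archive and both shortcuts are constructed here
(synthetic); they are NOT the real 'Kang Min-chol edits' files, and the
PowerShell command line is a placeholder."""
import io
import struct
import zipfile

# Shell Link (MS-SHLLINK) header constants.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData sections appear in this fixed order when their flag bit is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
# Interpreters whose presence in a shortcut target is worth a closer look.
SUSPICIOUS_TARGETS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript",
                      "cscript", "rundll32", "regsvr32")


def build_lnk(relative_path, arguments=""):
    """Build a minimal .lnk: 76-byte header plus Unicode StringData.
    Only the fields parse_lnk() reads are populated (no IDList, no LinkInfo)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes, timestamps, etc.
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments) if s)
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a shortcut, or None if it is not a .lnk."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # skip LinkInfo: u32 total size
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + (count * 2 if unicode else count)]
            pos += len(raw)
            fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return fields


def triage_zip(zip_bytes):
    """Return (member name, verdict, target, arguments) for every .lnk in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            lnk = parse_lnk(zf.read(info))
            if lnk is None:
                findings.append((info.filename, "malformed-lnk", "", ""))
                continue
            target = lnk.get("relative_path", "")
            args = lnk.get("arguments", "")
            haystack = (target + " " + args).lower()
            verdict = "suspicious" if any(t in haystack for t in SUSPICIOUS_TARGETS) else "benign-looking"
            findings.append((info.filename, verdict, target, args))
    return findings


def sample_archive():
    """Constructed ZIP: one shortcut that launches PowerShell, one that opens a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lure.lnk", build_lnk(
            "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
            "-WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand QQBiAGMA"))  # placeholder command
        zf.writestr("notes.lnk", build_lnk("..\\Documents\\notes.txt"))
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict, target, args in triage_zip(sample_archive()):
        print(f"{name}: {verdict}  target={target!r} args={args!r}")
```

The parser reads only the header flags and the string fields, which is enough to see what a shortcut launches; real lures often also carry a LinkTargetIDList pointing at the interpreter, so a production check should resolve that list too rather than relying on the relative path alone.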
Journalists are a common target for state-sponsored hackers. Identifying a journalist's sources can yield a wealth of intelligence and help nation-state actors identify individuals with access to sensitive information. With the world focused on preventing Russian cyber-attacks and deterring attacks on Ukrainian infrastructure, it is possible there will be a spike in attacks from other nation-state actors such as APT37. Additionally, if Russia does decide to conduct a large-scale cyber-attack on the West, it may rely on other nation states to carry it out in order to avoid taking full responsibility for the attack.