APT37, the North Korean state-sponsored hacking group also tracked as Ricochet Chollima, has been targeting journalists with a novel malware strain. The group attacked news outlets in an attempt to identify the journalists’ sources. A threat research team at Stairwell analyzed the attacks, found a new malware sample named “Goldbackdoor”, and believes the attacks begin with a phishing email sent from the account of the former director of South Korea’s National Intelligence Service (NIS). The emails sent to the journalists included a link to download ZIP archives containing LNK files, both named ‘Kang Min-chol edits’. Kang Min-chol is North Korea’s Minister of Mining Industries. Both attachments contained malicious code that leads to execution of the Goldbackdoor malware. Goldbackdoor runs as a Portable Executable (PE) file, accepts basic commands remotely, and exfiltrates data, using legitimate cloud services to perform that exfiltration.
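A defender-side check for the delivery pattern described above, added here as an example (not Stairwell's or Binary Defense's code): it scans a ZIP archive for Windows shortcut members, matching on both the .lnk extension and the Shell Link header so that a shortcut renamed to look like a document is still reported. The archive it inspects is constructed inside the block; the member names are placeholders modelled on the lure, not real samples.

```python
import io
import zipfile

# First 20 bytes of a Windows Shell Link (.lnk): HeaderSize 0x4C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian form.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")


def find_shortcut_members(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for every archive member that is a shortcut.

    Matches on the .lnk extension and, independently, on the Shell Link
    header bytes, so a shortcut disguised with a document extension is
    still flagged. Each hit is something a mail gateway or analyst should
    hold for review before the archive reaches a user.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if info.filename.lower().endswith(".lnk"):
                reasons.append("lnk extension")
            with zf.open(info) as member:
                if member.read(len(LNK_MAGIC)) == LNK_MAGIC:
                    reasons.append("shell link header")
            if reasons:
                findings.append((info.filename, ", ".join(reasons)))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive mimicking the lure layout; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Shortcut with an honest extension (header + padding, no real link data).
        zf.writestr("Kang Min-chol edits.lnk", LNK_MAGIC + b"\x00" * 56)
        # Same header, disguised with a document extension (constructed case).
        zf.writestr("Kang Min-chol edits.docx", LNK_MAGIC + b"\x00" * 56)
        # Benign member that must not be reported.
        zf.writestr("notes.txt", b"benign text member")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_shortcut_members(build_sample_archive()):
        print(f"{name}: {reason}")
```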
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased