North Korean Hackers Targeting Journalists with Novel Malware
APT37, the North Korean state-sponsored group also known as Ricochet Chollima, has been targeting journalists with a novel malware strain. The group attacked news outlets in an attempt to identify the journalists' sources. Threat researchers at Stairwell analyzed the attacks, found a new malware sample called "Goldbackdoor", and believe the attacks begin with a phishing email sent from the account of the former director of South Korea's National Intelligence Service (NIS). The emails sent to the journalists included a link to download ZIP archives containing LNK files, both named 'Kang Min-chol edits'. Kang Min-chol is North Korea's Minister of Mining Industries. Both LNK files contained malicious code that leads to the execution of the Goldbackdoor malware. Goldbackdoor runs as a Portable Executable (PE) file, accepts basic commands remotely, and exfiltrates data; it uses legitimate cloud services for this exfiltration.
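The initial access vector described above is a ZIP archive carrying LNK (Windows shortcut) files. The following is an added defender-side example, not code from the article or from Stairwell: it scans an archive and flags members that carry the Shell Link file header, so a shortcut is caught even when its name hides the .lnk extension. The archive it scans is constructed in memory for the demonstration.

```python
import io
import zipfile

# First 20 bytes of a Shell Link (.lnk) file per MS-SHLLINK:
# HeaderSize 0x0000004C followed by LinkCLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")


def is_lnk(data: bytes) -> bool:
    """True when the bytes start with the Shell Link header, whatever the file name."""
    return data[:20] == LNK_MAGIC


def find_lnk_entries(zip_bytes: bytes) -> list:
    """Return the names of archive members that are Shell Link files.

    Detection is by content, not extension, so a member named 'notes.txt'
    that is really a shortcut is still reported.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(20)  # only the header is needed
            if is_lnk(head):
                hits.append(info.filename)
    return hits


def build_sample_archive() -> bytes:
    """Constructed test archive (not the campaign's file): one shortcut with the
    lure-style name, one shortcut disguised as a text file, one benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Kang Min-chol edits.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("notes.txt", LNK_MAGIC + b"\x00" * 56)  # LNK content, .txt name
        zf.writestr("README.txt", b"plain text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_lnk_entries(build_sample_archive()):
        print("Shell Link member found:", name)
```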
- Garrett Thompson
- April 26, 2022
- 3:39 pm
ANALYST NOTES
Journalists are a common target for state-sponsored hackers. Identifying a journalist's sources can provide a wealth of intelligence and help nation-state actors identify individuals with sensitive access. With the world focused on preventing Russian cyber-attacks and deterring attacks on Ukrainian infrastructure, it is possible there will be a spike in attacks from other nation-state actors, such as APT37. Additionally, if Russia does decide to conduct a large-scale cyber-attack on the West, it may rely on other nation states to carry it out to avoid taking full responsibility for the attack.
https://www.bleepingcomputer.com/news/security/north-korean-hackers-targeting-journalists-with-novel-malware/