Sophisticated hackers believed to be tied to the North Korean government are actively targeting journalists with novel malware dubbed Goldbackdoor. Attacks have consisted of a multistage infection campaign with the ultimate goal of stealing sensitive information from targets. The campaign is believed to have started in March and is ongoing, researchers have found.
Researchers at Stairwell followed up on an initial report from South Korea’s NK News, which revealed that a North Korean APT known as APT37 had stolen info from the private computer of a former South Korean intelligence official. The threat actor, also known as Ricochet Chollima, InkySquid, Reaper or ScarCruft, attempted to impersonate NK News and distributed what appeared to be a novel malware in an attempt to target journalists who were using the official as a source, according to the report.
NK News passed details to Stairwell for further investigation. Researchers from the cybersecurity firm uncovered specific details of the malware, called Goldbackdoor. The malware is likely a successor of the Bluelight malware, according to a report they published late last week.
“The Goldbackdoor malware shares strong technical overlaps with the Bluelight malware,” researchers wrote. “These overlaps, along with the suspected shared development resource and impersonation of NK News, support our attribution of Goldbackdoor to APT37.”
APT37 was previously seen using Bluelight as a secondary payload last August in a series of watering hole attacks against a South Korean newspaper that used known Internet Explorer vulnerabilities.
As Stairwell researchers noted, journalists are “high-value targets for hostile governments,” and often the target of cyber-espionage attacks. In fact, one of the biggest security stories of last year was various governments’ use of the NSO Group’s Pegasus spyware against journalists, among other targets.
“[Journalists] often are aggregators of stories from many individuals–sometimes including those with sensitive access,” Stairwell researchers wrote. “Compromising a journalist can provide access to highly-sensitive information and enable additional attacks against their sources.”
Multi-Stage Malware
The current campaign began to unfold on March 18, when NK News shared “multiple malicious artifacts with the Stairwell threat research team from a spear-phishing campaign targeting journalists who specialize in the DPRK,” researchers wrote. The messages were sent from the personal email of a former director of South Korea’s National Intelligence Service (NIS).
“One of these artifacts was a new malware sample we have named Goldbackdoor, based on an embedded development artifact,” they wrote.
Goldbackdoor is a multi-stage malware that separates the first stage tooling and the final payload, which allows the threat actor to halt deployment after initial targets are infected, researchers said.
“Additionally, this design may limit the ability to conduct retrospective analysis once payloads are removed from control infrastructure,” they wrote in the report.
The malware, like Bluelight before it, uses cloud service providers for receiving actor commands and exfiltrating data. The sample specifically analyzed by researchers used Microsoft OneDrive and Graph APIs, while an additional sample the researchers identified used Google Drive.
Embedded within the malware are a set of API keys used to authenticate against Microsoft’s cloud computing platform Azure and retrieve commands for execution, researchers said.
“Goldbackdoor provides attackers with basic remote command execution, file downloading/uploading, keylogging, and the ability to remotely uninstall,” they wrote. “This functionality and implementation closely match Bluelight; however, the increased focus appears to have been placed on file collection and keylogging.”
Stage One
Goldbackdoor is a sophisticated malware that researchers broke down into two stages. In stage one, a victim must download a ZIP file from a compromised site, https[:]//main[.]dailynk[.]us/regex?id=oTks2&file=Kang Min-chol Edits2.zip, which executes a compressed Windows shortcut.
“The domain dailynk[.]us was likely chosen to impersonate NK News (dailynk[.]com),” researchers said; the domain had been used by APT37 in a previous campaign.
Stairwell researchers retrieved the ZIP file for analysis from a DNS history of the site, which had already stopped resolving by the time of their investigation. They identified that the file was created on March 17 and contained a 282.7 MB Windows shortcut (LNK) file named Kang Min-chol Edits, likely a reference to Kang Min-chol, North Korea’s Minister of Mining Industries.
“The attackers masqueraded this shortcut as a document, using both the icon for Microsoft Word and adding comments similar to a Word document,” researchers wrote.
The attackers also padded the LNK file with 0x90, or NOP/No Operation, bytes to artificially increase its size, potentially as a means of preventing upload to detection services or malware repositories, they said.
Once executed, the LNK executes a PowerShell script that writes and opens a decoy document before starting the deployment process of Goldbackdoor, researchers said.
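A defender can triage inbound archives for the padded-shortcut trait described above. The following Python sketch is an added example, not code from Stairwell or NK News; the size and padding thresholds are assumptions, and the sample archive is constructed in memory.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
MAX_LNK_SIZE = 1024 * 1024   # assumed threshold; real shortcuts are a few KB
MAX_PAD_RATIO = 0.5          # assumed threshold for 0x90 filler

def pad_ratio(stream, pad=0x90, chunk=1 << 20):
    """Fraction of bytes equal to `pad`, read in chunks to bound memory use."""
    total = padded = 0
    for block in iter(lambda: stream.read(chunk), b""):
        total += len(block)
        padded += block.count(pad)
    return padded / total if total else 0.0

def triage_zip(zip_bytes):
    """Return {member name: [reasons]} for suspicious shortcut files."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                is_lnk = member.read(len(LNK_MAGIC)) == LNK_MAGIC
            named_lnk = info.filename.lower().endswith(".lnk")
            if not (is_lnk or named_lnk):
                continue
            reasons = []
            if is_lnk and not named_lnk:
                reasons.append("LNK header under another extension")
            if info.file_size > MAX_LNK_SIZE:
                reasons.append(f"oversized shortcut ({info.file_size} bytes)")
            with zf.open(info) as member:
                if pad_ratio(member) > MAX_PAD_RATIO:
                    reasons.append("mostly 0x90 padding")
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip():
    """Constructed sample: one padded shortcut, one normal-sized shortcut."""
    header = LNK_MAGIC + bytes(76 - len(LNK_MAGIC))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Constructed Edits.lnk", header + b"\x90" * (2 * 1024 * 1024))
        zf.writestr("benign.lnk", header + b"\x01" * 900)
    return buf.getvalue()

if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(reasons))
```

Because the padding is a single repeated byte, the archive itself stays small, so the check has to look at the uncompressed size and content rather than the size of the ZIP.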
Stage Two
After deploying the decoy document, the PowerShell script decodes a second PowerShell script that then downloads and executes an XOR-encoded shellcode payload named “Fantasy,” stored on Microsoft OneDrive.
That Fantasy payload is the second stage of the malware’s process, and the first of a two-part final process for deploying Goldbackdoor, researchers said.
“Both parts are written in position-independent code (shellcode) containing an embedded payload, and use process injection to deploy Goldbackdoor,” they wrote.
Fantasy parses and decodes the payload and uses a standard process involving VirtualAllocEx, WriteProcessMemory, and RtlCreateUserThread to spawn a thread under the previously created process in order to execute it, researchers said.
The final dropper is a shellcode payload running as that thread in a process created by Fantasy to execute the final deployment of the malware.
“The payload delivered by this stage is a Windows Portable Executable (PE) file for Goldbackdoor,” researchers wrote.
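The injection sequence attributed to Fantasy above (VirtualAllocEx, WriteProcessMemory, RtlCreateUserThread against another process) can be matched in endpoint telemetry. This Python sketch is an added example, not code from the Stairwell report; the event tuple layout, the five-second window and all PIDs are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Ordered call sequence the article attributes to the Fantasy stage.
INJECTION_SEQUENCE = ("VirtualAllocEx", "WriteProcessMemory", "RtlCreateUserThread")

# Constructed events: (timestamp seconds, source PID, API name, target PID).
SAMPLE_EVENTS = [
    (1.0, 4100, "VirtualAllocEx", 4188),
    (1.1, 4100, "WriteProcessMemory", 4188),
    (1.2, 4100, "RtlCreateUserThread", 4188),   # completes the chain
    (2.0, 900, "VirtualAllocEx", 900),          # process acting on itself
    (3.0, 700, "WriteProcessMemory", 720),      # lone write, no allocation
    (4.0, 800, "VirtualAllocEx", 820),
    (20.0, 800, "WriteProcessMemory", 820),     # too late, partial match expired
    (20.1, 800, "RtlCreateUserThread", 820),
]

def find_injections(events, window=5.0):
    """Return (source_pid, target_pid) pairs that complete the sequence
    in order, against another process, within `window` seconds."""
    progress = defaultdict(lambda: (0, None))   # pair -> (next step, start time)
    hits = []
    for ts, src, api, dst in sorted(events):
        if src == dst or api not in INJECTION_SEQUENCE:
            continue
        step, started = progress[(src, dst)]
        if step and ts - started > window:
            step, started = 0, None             # stale partial match
        if api == INJECTION_SEQUENCE[step]:
            started = ts if step == 0 else started
            step += 1
        elif api == INJECTION_SEQUENCE[0]:
            step, started = 1, ts               # sequence restarted
        if step == len(INJECTION_SEQUENCE):
            hits.append((src, dst))
            step, started = 0, None
        progress[(src, dst)] = (step, started)
    return hits

if __name__ == "__main__":
    for src, dst in find_injections(SAMPLE_EVENTS):
        print(f"PID {src} allocated, wrote and started a thread in PID {dst}")
```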