A new backdoor malware named WhiskerSpy has been identified by cybersecurity researchers. The malware was used in a watering hole attack (https://en.wikipedia.org/wiki/Watering_hole_attack), which involves targeting individuals who visit a specific website, in this case, a pro-North Korea site. The campaign was carried out by Earth Kitsune, a relatively new advanced threat actor that has been known for targeting individuals with an interest in North Korea.
The researchers found that the threat actor targeted visitors to the website from Shenyang, China, Nagoya, Japan, and Brazil. It is believed that Brazil was used only for testing the watering hole attack using a VPN connection, and the real targets were visitors from the two cities in China and Japan.
How does the malware work
WhiskerSpy is a backdoor malware that was delivered through a watering hole attack, which involves targeting individuals who visit a specific website. Here’s a step-by-step breakdown of how the malware works:
- The threat actor identifies a pro-North Korea website and compromises it.
- The attacker injects a malicious script into the website that asks visitors to install a video codec to watch videos on the site.
- The attacker modifies a legitimate codec installer to load the backdoor malware onto the victim’s system.
- When the victim tries to install the codec, the malware is executed and installs itself on the victim’s system as a shellcode.
- The malware uses two persistence techniques to ensure it remains active on the victim’s system:
- It abuses the native messaging host in Google Chrome and installs a malicious Google Chrome extension called Google Chrome Helper. This extension allows the payload to execute every time the browser starts.
- It leverages OneDrive side-loading vulnerabilities to drop a malicious file called “vcruntime140.dll” in the OneDrive directory.
- Once installed, WhiskerSpy periodically connects to a command and control (C2) server using a 16-byte AES key for encryption.
- The C2 server provides updates and instructions to the malware, such as executing shell commands, injecting code into another process, exfiltrating specific files, or taking screenshots.
- The backdoor gives remote operators access to the victim’s system, including the ability to execute shell commands, upload or download files, take screenshots, and inject shellcode into a process.
Overall, the attacker used a tried and tested method of a watering hole attack to target individuals with an interest in North Korea. They used a modified legitimate codec installer to deliver WhiskerSpy, a backdoor malware that provides the attacker with remote access to the victim’s system. The malware uses persistence techniques to ensure it remains active on the victim’s system and periodically connects to a C2 server for updates and instructions.
Although the researchers are moderately confident in attributing this attack to Earth Kitsune, the targets and modus operandi are similar to activities previously associated with the group. The researchers urge individuals and organizations to be vigilant and take appropriate measures to secure their systems against such attacks.
Threat Summary
| Name | WhiskerSpy |
| Type | Backdoor malware |
| Related files | Modified codec installer, MSI executable, Google Chrome extension “Google Chrome Helper”, OneDrive file “vcruntime140.dll” |
| Detection names | Backdoor.Agent.WhiskerSpy, Backdoor.BDS/Agent.kiixf, Trojan/Win32.Sabsik, A Variant Of Win64/Agent.BYU, Backdoor.Win32.Agent.myuhrz, RDN/Generic BackDoor, Backdoor.Win64.WHISPERSPY.A, Trojan:Win32/Tiggre!rfn |
| Distribution | Watering hole attack through a compromised pro-North Korea website |
| Symptoms | Unusual codec installation prompts, malicious Google Chrome Helper extension, suspicious OneDrive file |
| Damage | Allows remote access to victim’s system, can execute shell commands, upload/download files, take screenshots, inject shellcode into a process, etc. |
| Removal | Use a reputable antivirus or antimalware software to scan and remove the malware; delete any suspicious files or extensions on the system; take steps to improve system security, such as updating software and using strong passwords. |
Examples of malicious programs
On the Internet, users can come across many malicious programs that perform various malicious actions. Among them there are such as WlndowsDraiver Virus, Altruistics Virus, Winlogson.exe malware, Trojan Wacatac, although, of course, there are many more. Some of them collect user data, others install malware on computers, and still others add infected computers to botnets, and so on. In any case, each malicious program (adware, browser hijacker, trojan, worm, …) is a huge threat to both user privacy and computer security. Therefore, malicious programs must be removed immediately after detection; using an infected computer is very dangerous.
Finish words
Here are some final recommendations to prevent infection from the WhiskerSpy and other malware:
Keep your operating system and software up to date
Regularly check for updates to your operating system and other software to ensure that you have the latest security patches and features.
Use a reputable antivirus software
Install and regularly update antivirus software to help protect your system from malware.
Be cautious of suspicious emails and downloads
Avoid opening emails from unknown or untrusted sources, and only download software from reputable sources.
Be mindful of what you click
Avoid clicking on links or downloading attachments from suspicious emails or websites.
Use a strong password
Use a strong, unique password for all of your accounts and change them regularly.
Enable firewalls
Enable firewalls on all of your devices to help prevent unauthorized access to your system.
Regularly back up your data
Regularly back up your important data to prevent data loss in case of malware infection or other system failure.
By following these recommendations, you can help protect your computer from WhiskerSpy and other malware, and keep your personal and financial information secure. If you need more help with WhiskerSpy malware related issues, go to here.
