Panasonic discloses data breach after network hack
IKEA email systems hit by ongoing cyberattack
APT37 targets journalists with Chinotto multi-platform malware
Stealthy WIRTE hackers target governments in the Middle East
This Cyber Monday deal helps prepare for a career in Cyber Security
Dark web market Cannazon shuts down after massive DDoS attack
This portable 4K touchscreen monitor is just $232 for Cyber Monday
Stealthy WIRTE hackers target governments in the Middle East
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Search Redirect
Remove the Search Redirect
Remove the Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
APT37 targets journalists with Chinotto multi-platform malware
North Korean state hacking group APT37 targets South Korean journalists, defectors, and human rights activists in watering hole, spear-phishing emails, and smishing attacks delivering malware dubbed Chinotto capable of infecting Windows and Android devices.
APT37 (aka Reaper) has been active since at least 2012 and is an advanced persistent threat group (APT) linked to the North Korean government with high confidence by FireEye.
Other security companies also track it as StarCruft (Kaspersky Lab), Group123 (Cisco Talos), or FreeMilk (Palo Alto Networks). 
The group is known for historically targeting individuals of interest to the North Korean regime, including journalists, diplomats, and government employees.
Chinotto, the malware deployed in their most recent campaign discovered by Kaspersky security researchers, allows the hacking group to control compromised devices, spy on their users via screenshots, deploy additional payloads, harvest data of interest, and upload it to attacker-controlled servers
As Kaspersky found, this backdoor was delivered onto victims’ devices months after the initial intrusions. In one case, the hackers waited as much as six months before installing Chinotto, which allowed them to exfiltrate sensitive data from the infected device.
“We suspect this host was compromised on March 22, 2021. [..] The malware operator later delivered the Chinotto malware in August 2021 and probably started to exfiltrate sensitive data from the victim,” Kaspersky said.
“Based on what we found from this victim, we can confirm that the malware operator collected screenshots and exfiltrated them between August 6, 2021 and September 8, 2021.”
Chinotto is highly customizable malware, as shown by many variants found while analyzing the campaign, sometimes several payloads deployed on the same infected devices.
“The malware authors keep changing the capabilities of the malware to evade detection and create custom variants depending on the victim’s scenario,” the researchers said.
The malware’s Windows and Android variants use the same command-and-control communication pattern and send the stolen info to web servers located mainly in South Korea.
As the Android variants request for extended permissions on compromised devices, once granted, Chinotto can use them to collect large amounts of sensitive data, including the victims’ contacts, text messages, call logs, device info, and even audio recordings.
If it also finds and steals the victim’s credentials, it allows APT37 operators to reach out to other targets using the stolen credentials via email and social media.
“To sum up, the actor targeted victims with a probable spear-phishing attack for Windows systems and smishing for Android systems. The actor leverages Windows executable versions and PowerShell versions to control Windows systems,” Kaspersky concluded.
“We may presume that if a victim’s host and mobile are infected at the same time, the malware operator is able to overcome two-factor authentication by stealing SMS messages from the mobile phone.”
A New North Korean Hacker Group Is Making a Name for Itself
Windows Finger command abused by phishing to download malware
North Korean cyberspies target govt officials with custom malware
Report Ties North Korean Attacks to New Malware, Linked by Word Macros
Stealthy new JavaScript malware infects Windows PCs with RATs
Not a member yet? Register Now
New Windows 10 zero-day gives admin rights, gets unofficial patch
Customize the Windows 11 experience with these free apps
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


You May Also Like

FBI warns of increased use of cryptocurrency ATMs, QR codes for fraud

Ukraine links members of Gamaredon hacker group to Russian FSBSamsung Galaxy S21…

US universities targeted by Office 365 phishing attacks

Grafana fixes zero-day vulnerability after exploits spread over TwitterGoogle disrupts massive Glupteba…

All Log4j, logback bugs we know so far and why you MUST ditch 2.15

TellYouThePass ransomware revived in Linux, Windows Log4j attacksGoogle Calendar now lets you…

Conti ransomware uses Log4j bug to hack VMware vCenter servers

TellYouThePass ransomware revived in Linux, Windows Log4j attacksCredit card info of 1.8…