The North Korea-linked group is deploying the Chinotto spyware backdoor against dissidents, journalists and other politically relevant individuals in South Korea.
The North Korea-linked ScarCruft advanced persistent threat (APT) group has developed a fresh, multiplatform malware family for attacking North Korean defectors, journalists and government organizations involved in Korean Peninsula affairs.
Since 2019, ScarCruft (aka APT37 or Temp.Reaper) has been using spyware dubbed Chinotto to target victims for espionage purposes, according to an analysis from Kaspersky, although the code only recently came to the attention of researchers.
Chinotto comes in three forms that serve one two-part goal: surveilling victims on both mobile and desktop.
“The actor utilized three types of malware with similar functionalities: Versions implemented in PowerShell, Windows executables and Android applications,” researchers noted in a Monday blog posting. “Although intended for different platforms, they share a similar command-and-control scheme based on HTTP communication. Therefore, the malware operators can control the whole malware family through one set of command-and-control scripts.”
ScarCruft specifically controls the malware using a PHP script on a compromised web server, directing the binaries based on HTTP parameters.
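The shared-C2 design described above has a defensive upside: one server-side endpoint that receives check-ins from PowerShell, native Windows and Android clients is an unusual traffic shape for an ordinary website. The script below is an added example, not code from the article or from Kaspersky; it scans a few constructed proxy log lines (the hostnames, paths and `sid` parameter are placeholders, not real indicators) and flags any endpoint that receives POSTs from two or more distinct client platforms. The POST-only filter and the User-Agent classification are heuristics chosen for this example, not signatures for Chinotto.

```python
"""
Added example (not from the article or from Kaspersky): flag web-server paths
that receive requests from several client platforms, the traffic shape the
article describes (one PHP C2 script serving PowerShell, Windows executable
and Android implants). Log lines and hostnames below are constructed
placeholders, not real indicators.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log sample, one request per line:
# "timestamp src_ip method url user_agent"
SAMPLE_PROXY_LOG = """\
2021-11-29T09:00:01Z 10.0.0.11 POST http://compromised-site.invalid/img/upload.php?sid=A1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) WindowsPowerShell/5.1.19041
2021-11-29T09:00:07Z 10.0.0.12 POST http://compromised-site.invalid/img/upload.php?sid=B2 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2021-11-29T09:00:12Z 10.0.0.13 POST http://compromised-site.invalid/img/upload.php?sid=C3 Dalvik/2.1.0 (Linux; U; Android 10; SM-G960F)
2021-11-29T09:01:00Z 10.0.0.14 GET  http://cdn.example.invalid/lib.js Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2021-11-29T09:01:05Z 10.0.0.15 GET  http://cdn.example.invalid/lib.js Mozilla/5.0 (Linux; Android 11)
"""


def platform_family(user_agent: str) -> str:
    """Coarse client classification. Order matters: PowerShell's default
    User-Agent also contains 'Windows NT'. Heuristic, not a signature."""
    if "Android" in user_agent or user_agent.startswith("Dalvik"):
        return "android"
    if "PowerShell" in user_agent:
        return "powershell"
    if "Windows" in user_agent:
        return "windows"
    return "other"


def parse_proxy_line(line: str):
    """Parse one constructed proxy line into (method, endpoint, user_agent).
    The endpoint is host + path with the query string dropped, so per-victim
    parameters do not split one C2 script into many keys."""
    parts = line.split(None, 4)
    if len(parts) != 5:
        return None
    _ts, _src, method, url, user_agent = parts
    u = urlsplit(url)
    return method.upper(), f"{u.netloc}{u.path}", user_agent


def find_cross_platform_endpoints(log_text: str, min_families: int = 2):
    """Return {endpoint: sorted platform families} for POST endpoints that
    receive requests from at least `min_families` distinct client platforms.
    Restricting to POST (an assumption about implant check-ins) keeps shared
    static resources fetched by ordinary browsers out of the result."""
    families = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_proxy_line(line)
        if parsed is None:
            continue
        method, endpoint, user_agent = parsed
        if method != "POST":
            continue
        families[endpoint].add(platform_family(user_agent))
    return {ep: sorted(f) for ep, f in families.items() if len(f) >= min_families}


if __name__ == "__main__":
    for endpoint, fams in find_cross_platform_endpoints(SAMPLE_PROXY_LOG).items():
        print(f"{endpoint}: {', '.join(fams)}")
```

On the sample data only the constructed `upload.php` path is reported, with all three platform families; the `lib.js` path is contacted by both Windows and Android clients but only via GET, so it is ignored. In a real deployment the hit list is a triage queue, not a verdict: legitimate multi-platform apps also post to one API, so the next step is to inspect what those clients send and whether the server is a site the organisation has any business reason to talk to.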
Inside the Chinotto Backdoor
Chinotto has various tricks up its sleeve, researchers said, including detection evasion