Sophisticated hackers believed to be linked to the North Korean government are actively targeting journalists with new malware dubbed Goldbackdoor. The attacks have consisted of a multi-stage infection campaign with the ultimate goal of stealing sensitive information from the targets.
These attacks, allegedly the work of Ricochet Chollima, target journalists because they are a valuable target for hostile governments.
Ricochet Chollima, also known as APT37, InkySquid and ScarCruft, is a North Korea-nexus intrusion actor that has been involved in espionage attacks since at least 2016. The threat actor has a history of attacking the Republic of Korea, with a prominent focus on North Korean government officials, non-governmental organizations, academics, journalists, and defectors.
It is worth noting that this is not the first time that APT37 has been linked to malware campaigns targeting journalists; the most recent such campaign, described in a November 2021 report, employed the highly customizable “Chinotto” backdoor.
Goldbackdoor runs as a PE (portable executable) file and can remotely accept basic commands and exfiltrate data. To do so, it ships with a set of API keys that it uses to authenticate to Azure and retrieve commands for execution. These commands cover keylogging, file operations, basic RCE, and the ability to uninstall itself.
It is also noteworthy that the malware uses legitimate cloud services for file exfiltration; Stairwell noted the abuse of Google Drive and Microsoft OneDrive. The files Goldbackdoor targets are mainly documents and media, such as PDF, DOCX, MP3, TXT, M4A, JPC, XLS, PPT, BIN, 3GP and MSG.