Cybersecurity researchers have disclosed details about a new watering hole attack targeting the Korean diaspora that exploits vulnerabilities in web browsers such as Google Chrome and Internet Explorer to deploy malware for espionage purposes.
Dubbed "Operation Earth Kitsune" by Trend Micro, the campaign involves the use of SLUB (for SLack and githUB) malware and two new backdoors — dneSpy and agfSpy — to exfiltrate system information and gain additional control of the compromised machine.
The attacks were observed during the months of March, May, and September, according to the cybersecurity firm.
Watering hole attacks let an attacker reach a targeted organization indirectly: a website its members are known to visit is compromised and seeded with an exploit, so that visitors' devices are compromised and infected with malware.
Operation Earth Kitsune is said to have deployed the spyware samples on websites associated with North Korea, although access to these websites is blocked for users originating from South Korean IP addresses.
A Diversified Campaign
Although previous operations involving SLUB used the GitHub repository platform to download malicious code snippets onto the Windows system and post the results of the execution to an attacker-controlled private Slack channel, the latest iteration of the malware has targeted Mattermost, a Slack-like open-source collaborative messaging system.
"The campaign is very diversified, deploying numerous samples to the victim machines and using multiple command-and-control (C&C) servers during this operation," Trend Micro said. "In total, we found the campaign using five C&C servers, seven samples, and exploits for four N-day bugs."
Designed to skip systems that have security software installed on them as a means to thwart detection, the attack weaponizes an already patched Chrome vulnerability (CVE-2019-5782) that allows an attacker to execute arbitrary code inside a sandbox via a specially-crafted HTML page.
Separately, a vulnerability in Internet Explorer (CVE-2020-0674) was also used to deliver malware via the compromised websites.
dneSpy and agfSpy — Fully Functional Espionage Backdoors
The difference in the infection vector notwithstanding, the exploit chain proceeds through the same sequence of steps — initiate a connection with the C&C server, receive the dropper, which then checks for the presence of anti-malware solutions on the target system before proceeding to download the three backdoor samples (in ".jpg" format) and executing them.
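The delivery step above, in which executables are fetched under a ".jpg" name, suggests a simple defensive check: compare a file's extension against its leading bytes. The following is an added example, not code from Trend Micro's report; the sample file contents are constructed.

```python
import os
from typing import List, Tuple

# Well-known magic bytes for the two types this check distinguishes.
JPEG_MAGIC = b"\xff\xd8\xff"
PE_MAGIC = b"MZ"

# What a file with a given extension is expected to start with.
EXPECTED_MAGIC = {".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC,
                  ".exe": PE_MAGIC, ".dll": PE_MAGIC}


def classify(data: bytes) -> str:
    """Coarse file type taken from the header, never from the name."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PE_MAGIC):
        # The DOS header's e_lfanew field (offset 0x3c) points at "PE\0\0".
        if len(data) >= 0x40:
            off = int.from_bytes(data[0x3C:0x40], "little")
            if data[off:off + 4] == b"PE\x00\x00":
                return "pe"
        return "pe-like"
    return "unknown"


def find_masquerading(files: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (filename, detected_type) for files whose extension and header disagree."""
    hits = []
    for name, data in files:
        expected = EXPECTED_MAGIC.get(os.path.splitext(name)[1].lower())
        if expected is not None and not data.startswith(expected):
            hits.append((name, classify(data)))
    return hits


def _fake_pe() -> bytes:
    """Constructed PE-shaped header (no code, not malware) for the sample set."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


# Constructed samples: an executable renamed to .jpg, a real JPEG header, plain text.
SAMPLE_FILES = [
    ("stage2.jpg", _fake_pe()),
    ("photo.jpg", JPEG_MAGIC + b"\x00\x10JFIF\x00"),
    ("notes.txt", b"hello"),
]

if __name__ == "__main__":
    for name, kind in find_masquerading(SAMPLE_FILES):
        print(f"{name}: extension mismatch, header looks like {kind}")
```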
What's changed this time around is the use of Mattermost server to keep track of the deployment across multiple infected machines, in addition to creating an individual channel for each machine to retrieve the collected information from the infected host.
Of the other two backdoors, dneSpy and agfSpy, the former is engineered to amass system information, capture screenshots, and download and execute malicious commands received from the C&C server; the results are zipped, encrypted, and exfiltrated to the server.
"One interesting aspect of dneSpy's design is its C&C pivoting behavior," Trend Micro researchers said. "The central C&C server's response is actually the next-stage C&C server's domain/IP, which dneSpy has to communicate with to receive further instructions."
agfSpy, dneSpy's counterpart, comes with its own C&C server mechanism that it uses to fetch shell commands and send the execution results back. Chief among its features is the capability to enumerate directories and to list, upload, download, and execute files.
"Operation Earth Kitsune turned out to be complex and prolific, thanks to the variety of components it uses and the interactions between them," the researchers concluded. "The campaign's use of new samples to avoid detection by security products is also quite notable."
"From the Chrome exploit shellcode to the agfSpy, elements in the operation are custom coded, indicating that there is a group behind this operation. This group seems to be highly active this year, and we predict that they will continue going in this direction for some time."