Named Chinotto, the malware was discovered by researchers at Kaspersky, who believe it is being used by a state-sponsored threat actor known as ScarCraft to keep tabs on North Korean defectors, journalists who cover North Korea-related news, and others.
“The actor utilized three types of malware with similar functionalities: versions implemented in PowerShell, Windows executables and Android applications….Therefore, the malware operators can control the whole malware family through one set of command and control scripts,” note the researchers.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
The investigations revealed that the threat actor distributed the malware through a spear-phishing attack, which they perpetrated after compromising acquaintances of the victim using stolen social media or email credentials.
The investigations revealed that, while the current campaign began some time in March 2021, there were several older variants of the malware dating back to mid-2020.
After compromising a host, the threat actors unleashed multiple malware strains to gain control over the host. Interestingly, in one instance, they waited a good six months after compromising a host before deploying Chinotto.
Based on their analysis of Chinotto, the researchers believe that it not only enables attackers to spy on their victims via screenshots, but can also give them the ability to control the compromised devices, open a backdoor to exfiltrate data, and install additional malware.
Furthermore, the investigation revealed that the attackers fiddle around with the capabilities of the malware in what appears to be an attempt to thwart traditional signature-based detection.