Operation Earth Kitsune: hackers target the Korean diaspora

Pierluigi Paganini October 30, 2020

Experts uncovered a new watering hole attack, dubbed Operation Earth Kitsune, targeting the Korean diaspora that exploits flaws in web browsers.

Researchers at Trend Micro have disclosed details about a new watering hole campaign, dubbed Operation Earth Kitsune, targeting the Korean diaspora that exploits flaws in web browsers such as Google Chrome and Internet Explorer to deploy backdoors.

The threat actors behind Operation Earth Kitsune used the SLUB (for SLack and githUB) malware and two new backdoors, tracked as dneSpy and agfSpy, to exfiltrate data from infected systems and to take them over.

The attacks were spotted by the researchers during the months of March, May, and September.

Attackers have deployed the spyware on websites associated with North Korea, but experts pointed out that access to these sites is blocked for visitors from South Korean IP addresses.

“The threat, which we dubbed as such due to its abuse of Slack and GitHub in previous versions, has not abused either of the platforms this time; instead, it employed Mattermost, an open-source online chat service that can be easily deployed on-premise.” reads the analysis published by Trend Micro.


Unlike other campaigns, this one deployed numerous samples (7) to the victim machines and used multiple command-and-control (C&C) servers (5). The attackers also employed exploits for four N-day bugs.

Experts were investigating a strange redirection of visitors of the Korean American National Coordinating Council (KANCC) website to the Hanseattle website. Users were redirected to a weaponized version of a proof of concept (POC) for the CVE-2019-5782 Chrome vulnerability published by Google researchers. Experts discovered that the exploit was infecting the victim machine with three separate malware samples.


The attack chain starts with a connection to the C&C server to receive the dropper, which, once executed, first checks for anti-malware solutions on the target system before delivering the three backdoor samples (in “.jpg” format) and executing them.
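For defenders, the “.jpg” delivery step suggests a simple content check. The following is an added example, not code from Trend Micro or the original article: it compares the claimed extension of a download with its leading bytes and flags image names that do not carry JPEG content. It assumes a sensor that records the file name and first bytes of each download; the function names and sample records are constructed for illustration, and the article does not say how the samples were encoded.

```python
import os

# JPEG files start with the SOI marker FF D8 FF; Windows PE files with "MZ".
JPEG_SOI = b"\xff\xd8\xff"
MAGICS = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-archive"),
    (JPEG_SOI, "jpeg"),
]

def sniff(head: bytes) -> str:
    """Classify content by its leading bytes."""
    for magic, name in MAGICS:
        if head.startswith(magic):
            return name
    return "unknown"

def check_download(name: str, head: bytes) -> dict:
    """Compare the claimed extension of a download with its leading bytes."""
    ext = os.path.splitext(name.lower())[1]
    actual = sniff(head)
    if ext not in (".jpg", ".jpeg"):
        verdict = "not-checked"
    elif actual == "jpeg":
        verdict = "ok"
    elif actual.endswith("executable"):
        verdict = "alert"       # executable content behind an image name
    else:
        verdict = "suspicious"  # not a JPEG; type unknown, possibly encoded
    return {"name": name, "actual": actual, "verdict": verdict}

def scan(records):
    """Return only the records that need analyst attention."""
    results = [check_download(n, h) for n, h in records]
    return [r for r in results if r["verdict"] in ("alert", "suspicious")]

# Constructed sample input: (file name, first bytes of body) as a hypothetical
# proxy or EDR sensor might record them. None of these values come from the campaign.
SAMPLE = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("1.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("2.jpg", b"\x8a\x11\x42\x07\x99\x00\x13\x37"),
    ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```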

The attackers used a Mattermost server to keep track of the deployment across multiple infected machines and to create a separate channel for each machine for data exfiltration.

The agfSpy backdoor supports multiple commands to exfiltrate data, capture screenshots, enumerate directories, upload, download, and execute files.

“One interesting aspect of dneSpy’s design is its C&C pivoting behavior. The central C&C server’s response is actually the next-stage C&C server’s domain/IP, which dneSpy has to communicate with to receive further instructions.” continues the analysis.

agfSpy uses its own C&C server mechanism to receive commands that could instruct the backdoor to execute shell commands and send the execution results back to the server.

agfSpy and dneSpy are very similar except for the use of a different C&C server and various formats in message exchanges.

“Operation Earth Kitsune turned out to be complex and prolific, thanks to the variety of components it uses and the interactions between them,” the researchers concluded. “The campaign’s use of new samples to avoid detection by security products is also quite notable.”

“From the Chrome exploit shellcode to the agfSpy, elements in the operation are custom coded, indicating that there is a group behind this operation. This group seems to be highly active this year, and we predict that they will continue going in this direction for some time.”


Pierluigi Paganini

(SecurityAffairs – hacking, Operation Earth Kitsune)
