Chinotto Backdoor: Kim Jong-un's minions' new cyberweapon terrorizes South Korean businesses

APT-C-28 has upgraded its tools, making it even harder to protect valuable data.

Security experts from the 360 Threat Intelligence Center recently identified a new wave of attacks by the North Korean group APT-C-28, also known as ScarCruft and APT37. These attacks targeted government agencies and large businesses in South Korea.

During the investigation, it was found that the attackers sent phishing emails impersonating popular Korean banks and retail chains. The emails carried malicious attachments in the form of ZIP and RAR archives.

Experts analyzed the contents of the archives and found several kinds of forged Korean-language documents intended to draw the victim's attention, including questionnaires and forms for collecting personal data. Alongside these decoys, the archives contained malicious LNK, BAT, and CHM files that launch the Chinotto malware.
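The combination described above (a plausible-looking document next to LNK, BAT or CHM launchers inside a mail attachment) is something a mail gateway or triage script can flag mechanically. The following is an added example written for this page, not code from the original article or from the 360 Threat Intelligence Center; it checks each member of a ZIP attachment by extension, by document-style double extension, by whitespace padding in the name, and by the documented LNK (header size 0x4C) and CHM ("ITSF") magic bytes. The extra launcher and document extensions beyond LNK/BAT/CHM, and the sample archive it builds, are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Launcher types the report names (LNK, BAT, CHM); adding CMD, VBS, JS and HTA
# is an assumption based on common lure tradecraft, not something the report states.
LAUNCHER_EXTENSIONS = {".lnk", ".bat", ".chm", ".cmd", ".vbs", ".js", ".hta"}
# Document extensions a decoy would typically carry; also an assumption.
DOCUMENT_EXTENSIONS = {".hwp", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}

# Documented format constants: a Windows shortcut starts with HeaderSize 0x4C
# (little-endian), a compiled HTML help file starts with the ASCII tag "ITSF".
LNK_MAGIC = b"\x4c\x00\x00\x00"
CHM_MAGIC = b"ITSF"


def inspect_member(filename: str, head: bytes) -> list[str]:
    """Return the reasons one archive member looks like a lure launcher (empty if none)."""
    name = PurePosixPath(filename.replace("\\", "/")).name
    # strip() removes the whitespace padding attackers use to push the real
    # extension out of view in file dialogs
    suffixes = [s.lower().strip() for s in PurePosixPath(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    reasons = []
    if last in LAUNCHER_EXTENSIONS:
        reasons.append(f"launcher extension {last}")
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(f"document-looking double extension {suffixes[-2]}{last}")
    if "   " in name:
        reasons.append("whitespace padding in filename")
    if head.startswith(LNK_MAGIC) and last != ".lnk":
        reasons.append("LNK header under a non-.lnk name")
    if head.startswith(CHM_MAGIC) and last != ".chm":
        reasons.append("CHM header under a non-.chm name")
    return reasons


def suspicious_members(archive_bytes: bytes) -> list[dict]:
    """Scan every file in a ZIP attachment; return the members that warrant quarantine."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the magic bytes are needed
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample in the shape the report describes: a Korean-named decoy form
    alongside LNK, BAT and CHM launchers. All contents are inert placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("개인정보 수집 동의서.hwp", b"placeholder decoy document")
        # shortcut disguised as a PDF questionnaire via whitespace padding
        zf.writestr("설문지.pdf" + " " * 40 + ".lnk", LNK_MAGIC + b"\x00" * 72)
        zf.writestr("run.bat", b"@echo off\r\nrem placeholder\r\n")
        zf.writestr("help.chm", CHM_MAGIC + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in suspicious_members(build_sample_archive()):
        print(hit["member"].strip(), "->", "; ".join(hit["reasons"]))
```

RAR attachments need the third-party rarfile module plus an unrar binary to enumerate members; once the names and first bytes are available, inspect_member applies unchanged. A clean result only means the archive does not match this lure pattern, not that it is safe, so keep it as one signal next to antivirus and sandbox verdicts.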

Chinotto is an advanced backdoor developed by APT-C-28. Once running on an infected computer, the malware establishes a covert communication channel to the attackers' remote server and waits for commands. The operators can instruct Chinotto to collect information about the host, exfiltrate files from the victim's computer, or install additional malicious modules.

According to the researchers, APT-C-28 shows a high degree of professionalism and regularly upgrades its tools. In the current wave, for example, Chinotto gained functionality for collecting additional data about the system, as well as new methods of hiding traces of its activity. In addition, the same malware was distributed in several variants using different encryption and encoding schemes, which hampers signature-based detection.

Experts recommend that organizations and private users follow basic security hygiene: do not open suspicious files from unverified sources, use antivirus software, and keep software up to date.