"North Korean Hackers Targeting Journalists with Novel Malware"

Ricochet Chollima is a North Korean state-sponsored hacking group, also known as APT37, that has been targeting journalists covering the country. The group has been delivering a novel malware strain called Goldbackdoor to journalists through phishing attacks. The phishing emails came from an account belonging to the former director of South Korea's National Intelligence Service (NIS), which APT37 had previously compromised. The campaign uses a two-stage infection process, giving the threat actors more deployment versatility and making it difficult for analysts to obtain payload samples. The emails sent to journalists include a link to download ZIP archives containing LNK files, both named after Kang Min-chol, North Korea's Minister of Mining Industries. The LNK file (Windows shortcut) uses a document icon to disguise itself. It also uses padding to artificially increase its size to 282.7 MB, which prevents easy uploads to VirusTotal and other online detection tools. When executed, a PowerShell script is launched, and a decoy document is opened as a distraction while a second script is decoded in the background. The decoy document has an embedded external image hosted on the Heroku platform that alerts the threat actors when the document is viewed. The second script downloads and executes a shellcode payload called Fantasy, stored on Microsoft OneDrive, which is unlikely to generate AV alerts. According to malware experts at Stairwell, Fantasy is the first of two Goldbackdoor deployment mechanisms, both of which rely on stealthy process injection. This article continues to discuss the APT37 hacking group's targeting of journalists with Goldbackdoor malware.
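The padded-LNK-in-a-ZIP lure described above can be triaged before any upload is attempted: a legitimate shortcut is a few kilobytes, so an LNK entry that is oversized and compresses almost to nothing is a strong sign of filler padding. The following is an added example for defenders (not code from the Bleeping Computer article or from Stairwell's analysis); the thresholds, the entry name and the sample archive are constructed assumptions.

```python
"""Triage a ZIP archive for padded Windows shortcut (.lnk) lures."""
import io
import zipfile

LNK_MAGIC = b"\x4c\x00\x00\x00"  # ShellLinkHeader.HeaderSize (0x4C)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...}
MAX_SANE_LNK = 64 * 1024  # assumed ceiling: real shortcuts are a few KB
PAD_RATIO = 50.0          # assumed: uncompressed/compressed ratio hinting at filler


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a Shell Link header (size + LinkCLSID)."""
    return data[:4] == LNK_MAGIC and data[4:20] == LNK_CLSID


def triage_zip(blob: bytes) -> list[dict]:
    """Return one finding per LNK entry that looks oversized or padded."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(20)        # only the header is needed to classify
            if not is_lnk(head):
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            oversized = info.file_size > MAX_SANE_LNK
            padded = ratio > PAD_RATIO    # zero/repeated filler deflates to ~nothing
            if oversized or padded:
                reasons = [r for r, hit in (("oversized", oversized),
                                            ("padded", padded)) if hit]
                findings.append({"name": info.filename, "size": info.file_size,
                                 "ratio": round(ratio, 1), "reasons": reasons})
    return findings


def build_sample(pad_bytes: int) -> bytes:
    """Constructed lure archive: a minimal LNK header followed by zero padding."""
    lnk = LNK_MAGIC + LNK_CLSID + b"\x00" * 56 + b"\x00" * pad_bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Kang Min-chol.lnk", lnk)       # hypothetical entry name
        zf.writestr("readme.txt", b"not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample(4 * 1024 * 1024)):
        print(finding)
```

The sample uses 4 MiB of padding rather than the 282.7 MB seen in the campaign, but the heuristic fires on either because both the absolute size and the compression ratio are far outside what a genuine shortcut produces.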

Bleeping Computer reports "North Korean Hackers Targeting Journalists with Novel Malware"
