One zip attachment contains an img file with an exe inside: the malware. The other, a pdf that downloads a zip with an exe: the same malware. The data is exfiltrated via SMTP.
Cyber Espionage, APT37 targets journalists with Goldbackdoor
APT37 targets journalists with Goldbackdoor. Stairwell cybersecurity experts: the new North Korean malware spreads via messages sent from the personal email of a former director of South Korea’s National Intelligence Service (NIS)
Goldbackdoor is the latest malware used by APT37 (aka Ricochet Collima, InkySquid, Reaper and ScarCruft) in a cyber espionage operation against journalists. It was discovered by Stairwell cybersecurity experts. The North Korean APT attempted to impersonate NK News and distributed the new malware through spear-phishing campaigns targeting journalists who specialize in the DPRK. The messages were sent from the personal email account of a former director of South Korea’s National Intelligence Service (NIS), which the attackers had previously compromised. Moreover, the researchers assess with medium-high confidence that GOLDBACKDOOR is the successor of, or is used in parallel with, the BLUELIGHT malware, also attributed to APT37.
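The delivery chain described above (a zip attachment carrying a disk image that in turn carries an executable) is the kind of nesting that mail-gateway scanners often stop at the first layer. The following Python script is an added example written for this page, not code from Stairwell or from the article: it unpacks a zip attachment in memory, flags executables directly inside it, and looks one layer deeper into any disk-image member with a simple heuristic (a PE `MZ` header or an executable file name embedded in the image bytes). The sample attachment is constructed in the script itself and is not a real APT37 artifact; the size cap and the extension lists are assumptions a team would tune for its own environment.

```python
import io
import re
import zipfile
from typing import List

# Extensions treated as disk images and as executables (assumed lists;
# extend them to match what your gateway actually sees).
IMAGE_EXTS = (".img", ".iso", ".vhd")
EXEC_EXTS = (".exe", ".scr", ".dll", ".lnk")

# Refuse to inflate any single member larger than this (assumed cap) so a
# crafted archive cannot exhaust memory on the scanner.
MAX_MEMBER_BYTES = 50 * 1024 * 1024

# Matches an executable file name stored in plain text inside image bytes
# (ISO 9660 / UDF directory records keep names readable).
EXE_NAME_RE = re.compile(rb"[A-Za-z0-9_-]+\.(exe|scr|dll)\b", re.IGNORECASE)


def build_sample_attachment() -> bytes:
    """Constructed test data: a zip holding a tiny fake disk image that
    embeds an executable name and a PE-style 'MZ' header."""
    fake_img = (
        b"\x00" * 64 + b"PAYLOAD.EXE" + b"\x00" * 16 + b"MZ\x90\x00" + b"\x00" * 128
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.img", fake_img)
        zf.writestr("readme.txt", b"see attached")
    return buf.getvalue()


def image_contains_executable(data: bytes) -> bool:
    """Heuristic: does this disk image carry a PE header or an executable name?"""
    if b"MZ\x90\x00" in data:
        return True
    return EXE_NAME_RE.search(data) is not None


def analyze_zip_attachment(blob: bytes) -> List[str]:
    """Return human-readable findings for one zip attachment.

    Flags executables at the top level and disk images that appear to wrap
    an executable, i.e. the nesting pattern described in the article.
    """
    findings: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]

    with zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(EXEC_EXTS):
                findings.append(f"executable inside zip: {info.filename}")
            elif name.endswith(IMAGE_EXTS):
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(f"disk image too large to inspect: {info.filename}")
                    continue
                data = zf.read(info)
                if image_contains_executable(data):
                    findings.append(
                        f"disk image with embedded executable: {info.filename}"
                    )
                else:
                    findings.append(f"disk image (review manually): {info.filename}")
    return findings


if __name__ == "__main__":
    for line in analyze_zip_attachment(build_sample_attachment()):
        print(line)
```

The heuristic deliberately errs toward flagging: a disk image inside an email attachment is unusual enough in most organisations that the manual-review finding is worth raising even when no executable signature is found. Pair this with mail-flow monitoring for unexpected outbound SMTP from endpoints, since the article notes the stolen data leaves over that protocol.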