
Cyber Espionage, North Korea’s APT37 spread Chinotto to monitor opponents

Kaspersky: North Korea’s APT37 spread Chinotto to monitor opponents. The malware has been implemented in PowerShell, as Windows executables and as Android applications. The infection vector is spear phishing emails.

North Korea’s APT37 (aka ScarCruft and Temp.Reaper) is spying on defectors, journalists and activists with malware dubbed Chinotto, which was discovered by Kaspersky cybersecurity experts. The cyber espionage group uses three types of malicious code with similar functionality: versions implemented in PowerShell, Windows executables and Android applications. Although intended for different platforms, they share a similar command and control scheme based on HTTP communication, so the operators can control the whole malware family through one set of command and control scripts. The infection vectors are spear phishing emails sent from a stolen account with a lure document on Pyongyang. The lure is delivered as a password-protected RAR archive, with the password shown in the email body, containing a Word file with a malicious macro and a payload for a multi-stage infection process.

