Objective: to block the partial mobilization against Ukraine by hitting logistics and communications. The group is part of the IT Army of Ukraine.
Kaspersky: North Korea’s APT37 spreads Chinotto to monitor opponents. The malware comes in PowerShell, Windows and Android variants. The infection vector is spear phishing email.
North Korea’s APT37 (aka ScarCruft and Temp.Reaper) is spying on defectors, journalists and activists with a malware dubbed Chinotto, discovered by Kaspersky cybersecurity experts. The cyber espionage group uses three types of malicious code with similar functionality: versions implemented as PowerShell scripts, Windows executables and Android applications. Although built for different platforms, they share a similar command and control scheme based on HTTP communication, so the operators can control the whole malware family through one set of command and control scripts. The infection vector is a spear phishing email sent from a stolen account with a lure document about Pyongyang. The attachment is a password-protected RAR archive whose password is shown in the email body; it contains a Word file with a malicious macro and a payload that starts a multi-stage infection process.
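The lure described above (an archive attachment whose password is disclosed in the message body, so mail-gateway scanners cannot open it) is a pattern a mail filter can flag on its own. The following is an added example, not code from Kaspersky's report; the two sample emails, sender address, filenames and archive bytes are constructed placeholders, not real Chinotto samples.

```python
import re
from typing import Optional
from email import message_from_bytes
from email.message import EmailMessage

# Archive types commonly used to carry a password-protected lure.
ARCHIVE_EXT = (".rar", ".zip", ".7z")
# Matches "password: abc123", "pw is abc123", "passcode - abc123" in the body text.
PASSWORD_RE = re.compile(r"\b(?:password|passcode|pw)\b\s*(?:is|:|-)?\s*(\S{4,})", re.I)


def triage(raw: bytes) -> dict:
    """Flag a message that ships an archive attachment together with its password."""
    msg = message_from_bytes(raw)
    archives, body_text = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(ARCHIVE_EXT):
            archives.append(name)
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body_text.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    match = PASSWORD_RE.search("\n".join(body_text))
    return {
        "archives": archives,
        "password_in_body": match.group(1) if match else None,
        # Archive + disclosed password = the lure pattern; quarantine for manual review.
        "suspicious": bool(archives) and match is not None,
    }


def build(body: str, attachment: Optional[str]) -> bytes:
    """Construct a minimal sample email (hypothetical sender and content)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"  # constructed, not a real indicator
    msg["Subject"] = "Report"
    msg.set_content(body)
    if attachment:
        # Placeholder bytes standing in for the archive; the content is never inspected.
        msg.add_attachment(b"Rar!\x1a\x07\x01\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


# Constructed samples: one matching the described lure, one benign.
LURE = build("Please see the attached report on Pyongyang. Password: 2021Report", "report.rar")
BENIGN = build("Minutes from the meeting attached.", "minutes.pdf")
```

A production filter would additionally open the archive with the recovered password in a sandbox and check any Office document inside for macros.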