Trend Micro discovered a new backdoor that they have attributed to the advanced persistent threat actor known as Earth Kitsune, a group they have covered before. Since 2019, Earth Kitsune has been distributing variants of self-developed backdoors to its targets, primarily individuals who are interested in North Korea. In many of the cases they have investigated in the past, the threat actor used watering hole tactics, compromising websites related to North Korea and injecting browser exploits into them. In the latest activity they analyze here, Earth Kitsune used a similar tactic but, instead of browser exploits, relied on social engineering.
MALWARE FAMILIES: Kitsune, WhiskerSpy
ATT&CK IDS: T1055 - Process Injection, T1189 - Drive-by Compromise, T1176 - Browser Extensions, T1106 - Native API, T1059 - Command and Scripting Interpreter, T1566 - Phishing