North Korean Hackers Target Journalists With Malware

The state-sponsored North Korean hackers APT37, also known as Ricochet Chollima, target journalists with Goldbackdoor malware.

According to NK News, the malicious software spreads through phishing attacks. Emails to journalists included a link to download ZIP archives of LNK files, both named ‘Kang Min-chol edits.’ Kang Min-chol is North Korea’s Minister of Mining Industries.

The Goldbackdoor malware runs as a PE file (portable executable) and can remotely accept basic commands and exfiltrate data. It also has a number of API keys that can be used to authenticate to Azure and recover commands to execute.

To exfiltrate files, the malware uses legitimate cloud services such as Google Drive and Microsoft OneDrive. Files targeted by the malware are mainly documents and media such as PDF, DOCX, MP3, TXT, M4A, JPC, XLS, PPT, BIN, 3GP and MSG.

The campaign uses a two-stage infection process that gave the threat actors more deployment versatility. It also made it harder for analysts to capture payloads.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web