North Korean state hacking group APT37 targets South Korean journalists, defectors, and human rights activists with watering hole attacks, spear-phishing emails, and smishing, delivering malware dubbed Chinotto that is capable of infecting Windows and Android devices.
APT37 (aka Reaper) has been active since at least 2012 and is an advanced persistent threat group (APT) linked to the North Korean government with high confidence by FireEye.
Other security companies also track it as ScarCruft (Kaspersky Lab), Group123 (Cisco Talos), or FreeMilk (Palo Alto Networks).
The group is known for historically targeting individuals of interest to the North Korean regime, including journalists, diplomats, and government employees.
Chinotto, the malware deployed in their most recent campaign discovered by Kaspersky security researchers, allows the hacking group to control compromised devices, spy on their users via screenshots, deploy additional payloads, harvest data of interest, and upload it to attacker-controlled servers.
As Kaspersky found, this backdoor was delivered onto victims’ devices months after the initial intrusions. In one case, the hackers waited as long as six months before installing Chinotto, which allowed them to exfiltrate sensitive data from the infected device.