Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack

Trend Micro researchers attribute a new backdoor to the Earth Kitsune threat group, delivered via a watering hole operation and social engineering. The campaign blends patched installers, Chrome native messaging persistence, ECC-based cryptography for C2, and a multi-stage loader to deploy the WhiskerSpy backdoor. Hashtags: #EarthKitsune #WhiskerSpy

Keypoints

  • Earth Kitsune is credited with a new backdoor named WhiskerSpy and continues targeting North Korea–related interests.
  • The delivery uses watering hole techniques on pro-North Korean sites, this time aided by social engineering rather than browser exploits.
  • Victims are lured by a fake video codec error prompting installation of a trojanized codec installer, which patches a legitimate MSI/NSIS installer to drop WhiskerSpy.
  • The patched installer adds a new .odata section and decrypts shellcode to download additional stages, then restores the original entry point.
  • Persistence is achieved via Google Chrome native messaging hosts and via a Chrome extension (Background.js, NativeApp.exe) to run on browser startup.
  • WhiskerSpy uses ECC (secp256r1) for key exchange and AES for session encryption, with machine/session IDs derived from SMBIOS UUIDs and Murmur3 hashes.
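
The native messaging persistence noted above leaves an auditable trace: Chrome looks up hosts under `HKCU\Software\Google\Chrome\NativeMessagingHosts` (and the HKLM equivalent), where each subkey's default value points at a JSON manifest naming the host executable (`path`) and the extension IDs allowed to talk to it (`allowed_origins`). The following Python is an added detection example, not code from the Trend Micro report; the trusted-directory list, the "known extension" allow-list and the two sample manifests are constructed assumptions, and only the registry location and manifest fields come from Chrome's documented format.

```python
"""Audit Chrome native messaging host manifests for suspicious persistence.

Added example (not from the Trend Micro report). Registry location and manifest
schema are Chrome's documented ones; everything else is an assumption to tune.
"""
import json
import sys
from typing import Dict, List

# Assumption: admin-installed hosts normally live under these prefixes.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Markers of user-writable locations a user-level implant tends to use.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\",
                         "%appdata%", "%localappdata%", "%temp%")
EXT_ID_LEN = 32  # Chrome extension IDs are 32 characters drawn from a-p
NMH_KEY = r"Software\Google\Chrome\NativeMessagingHosts"


def assess_manifest(manifest: Dict, known_extension_ids: List[str]) -> List[str]:
    """Return human-readable findings for one parsed manifest (empty = nothing flagged)."""
    findings: List[str] = []
    raw_path = str(manifest.get("path", ""))
    path = raw_path.lower().replace("/", "\\")
    if not path:
        findings.append("manifest has no host path")
    elif not path.startswith(TRUSTED_PREFIXES):
        findings.append(f"host executable outside trusted program directories: {raw_path}")
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        findings.append(f"host executable in user-writable location: {raw_path}")
    if manifest.get("type") != "stdio":
        findings.append(f"unexpected host type: {manifest.get('type')!r}")
    for origin in manifest.get("allowed_origins", []):
        scheme, _, rest = str(origin).partition("://")
        ext_id = rest.rstrip("/")
        well_formed = (scheme == "chrome-extension" and len(ext_id) == EXT_ID_LEN
                       and all("a" <= c <= "p" for c in ext_id))
        if not well_formed:
            findings.append(f"malformed allowed_origin: {origin}")
        elif ext_id not in known_extension_ids:
            findings.append(f"host reachable from unapproved extension {ext_id}")
    return findings


def scan_manifests(manifests: Dict[str, str], known_extension_ids: List[str]) -> Dict[str, List[str]]:
    """Parse {host name: manifest JSON text} and assess each one."""
    results: Dict[str, List[str]] = {}
    for name, text in manifests.items():
        try:
            parsed = json.loads(text)
        except json.JSONDecodeError as exc:
            results[name] = [f"manifest is not valid JSON: {exc}"]
            continue
        results[name] = assess_manifest(parsed, known_extension_ids)
    return results


def registry_manifest_paths() -> Dict[str, str]:
    """On Windows, return {host name: manifest path} from HKCU and HKLM; empty elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    found: Dict[str, str] = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, NMH_KEY) as key:
                index = 0
                while True:
                    try:
                        name = winreg.EnumKey(key, index)
                    except OSError:
                        break  # no more subkeys
                    index += 1
                    with winreg.OpenKey(key, name) as sub:
                        found[name], _ = winreg.QueryValueEx(sub, "")  # default value
        except OSError:
            continue  # hive has no native messaging hosts registered
    return found


# Constructed sample manifests: one plausible vendor host, one shaped like the
# user-level NativeApp.exe persistence described on the page.
KNOWN_EXTENSION_IDS = ["abcdefghijklmnopabcdefghijklmnop"]
SAMPLE_MANIFESTS = {
    "com.example.vendorhost": json.dumps({
        "name": "com.example.vendorhost", "description": "constructed benign host",
        "path": "C:\\Program Files\\ExampleVendor\\host.exe", "type": "stdio",
        "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
    }),
    "com.update.helper": json.dumps({
        "name": "com.update.helper", "description": "constructed suspicious host",
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\NativeApp.exe", "type": "stdio",
        "allowed_origins": ["chrome-extension://" + "p" * 30 + "on/"],
    }),
}

if __name__ == "__main__":
    manifests = dict(SAMPLE_MANIFESTS)
    for host, manifest_path in registry_manifest_paths().items():  # live data on Windows
        try:
            with open(manifest_path, encoding="utf-8") as fh:
                manifests[host] = fh.read()
        except OSError as exc:
            manifests[host] = "{"  # force a parse finding so the broken entry is reported
    for host, findings in scan_manifests(manifests, KNOWN_EXTENSION_IDS).items():
        print(host, "->", findings or "ok")
```

Run on a Windows host it merges the live registry entries with the constructed samples; elsewhere it only assesses the samples. A host flagged for living under a user profile and for being reachable from an extension ID not on the allow-list is the combination worth triaging first. On 64-bit systems the HKLM hive may also carry entries under `WOW6432Node`, which this example does not enumerate.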

MITRE Techniques

  • [T1189] Drive-by Compromise – Drive-by/watering hole approach: “…watering hole tactics by compromising websites related to North Korea and injecting browser exploits.”
  • [T1204.002] User Execution: Malicious File – Victims are enticed to download a trojanized codec installer via a fake error prompt.
  • [T1059.001] PowerShell – Shellcode runs several PowerShell commands to download additional stages of malware.
  • [T1105] Ingress Tool Transfer – The shellcode downloads additional loaders/content from the delivery server.
  • [T1027] Obfuscated/Compressed Files and Information – The shellcode is encrypted with a simple key (XOR 0x01).
  • [T1055] Process Injection – The shellcode injects into the werfautl.exe process.
  • [T1071.001] Web Protocols – C2 communications use HTTP POST (machine ID, session ID) for command and control.
  • [T1573] Encrypted Channel – ECC-based key exchange and encrypted payloads used for C2 communication.

Indicators of Compromise

  • [IP Address] Targeted IPs and testing – 45.76.62.198, 172.93.201.172
  • [Domain] Infrastructure domains used by the campaign – londoncity.hopto.org, updategoogle.servehttp.com, microsoftwindow.sytes.net, rs.myftp.biz
  • [Domain] Additional resolver/test domains – selectorioi.ddns.net
  • [File] Patched installers and payloads – windows.10.codec.pack.v2.1.8.setup.exe (hash e82e1fb775a0181686ad0d345455451c87033cafde3bd84512b6e617ace3338e), Bg.jpg, Help.jpg, Favicon.jpg

Read more: https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html