North Korean Hackers Target Journalists with Goldbackdoor Malware

According to a report from South Korea’s NK News, a government-backed North Korean hacker group attacked an ex-intelligence officer and targeted journalists with a new type of malware dubbed Goldbackdoor.

In March 2022, a group of hackers known under the names APT37, ScarCruft, and Richochet Chollima used the personal email address of a former official of South Korea’s National Intelligence Service to spread malware to various journalists.

Stairwell cybersecurity researchers confirmed the use of Goldbackdoor, a novel virus related to the Bluelight malware. APT37 performed a similar attack in the past by using Bluelight and impersonating NK News.

The North Korean hacker group tried to compromise journalists to gain sensitive data on their sources. With that information, they could plan more attacks and continue their digital campaign in support of the North Korean regime.

What Is Goldbackdoor?

The emails that came from the former intelligence officer contained a link to a Zip file — Goldbackdoor was hidden in that file, cleverly disguised inside a Windows shortcut that executed two operations when launched.

When users double-clicked the Goldbackdoor’s shortcut, a seemingly legitimate document opens to distract the user. All the while, a Powershell script works in the background. That script injected the malware and notified the hackers when any user accesses the infected file.

Goldbackdoor is a type of malware that accepts remote commands and transfers or copies data. As the name suggests, it opens up a backdoor inside the infected computer which can be used to upload and download files, record keystrokes, and even uninstall itself from the compromised system.

Stairwell confirmed that the Goldbackdoor malware used Microsoft OneDrive and Google Drive to transfer the files. The virus was programmed to focus on document files like DOCX, TXT, PDF, MSG, and media files like MP3 and 3GP. It attempted to exfiltrate these files through cloud services.

Hacking Attempts Are On the Rise

The use of Goldbackdoor against journalists is far from being the first North Korean hacking attempt of 2022.

Google’s Threat Analysis Group reports that government-sponsored hackers from North Korea are targeting news and media organizations. In February 2022, they exploited a Chrome vulnerability before Google could patch it up. What’s even worse is that Google is already at its third major security patch of 2022.

But North Korean hacking groups are not the only cybersecurity threat we should worry about. Cloudflare was recently hit by the largest DDoS attack in history. The company managed to repel the attack this time, but it showed that hackers are better organized than ever.

Other hacker groups, like Lapsus$, are also becoming bolder, attacking tech mammoths like Microsoft. Cybercrime is on the rise and more and any security vulnerability can be leveraged to access our personal information.

Protect Your Data from Hackers

The internet is riddled with malware. Hackers and trackers are hungry for your data and private information. All it takes is to click on the wrong link and someone will record the keys you press when you type your passwords. Your bank account might be exposed and you wouldn’t even know it.

Stay safe from malware and protect your privacy with CyberGhost’s Security Suite for Windows.

CyberGhost VPN routes your online traffic through heavily encrypted servers and hides your real IP address. Hackers will have a tough time finding your real location and getting to your data. And even if they somehow manage, the military-grade 256-bit encryption key we use makes your data unreadable.

Leave a comment

Write a comment

Your email address will not be published. Required fields are marked*