WhiskerSpy malware deployed via watering hole attack

BleepingComputer reports that the advanced persistent threat group Earth Kitsune has launched a watering hole attack aimed at deploying the novel WhiskerSpy backdoor. According to a report from Trend Micro, Earth Kitsune compromised a pro-North Korea website and delivered WhiskerSpy through a video codec that visitors were told to install before they could watch videos on the site. Only visitors with IP addresses from Nagoya, Japan, Shenyang, China, and Brazil were targeted, with Brazil likely used for testing the watering hole attack, the researchers said. WhiskerSpy gives the threat actors an interactive shell; file download, upload, deletion and listing; screenshot capture; executable loading; and shellcode injection. Persistence is achieved by abusing Google Chrome's native messaging host mechanism to install a malicious "Google Chrome Helper" extension. While the WhiskerSpy backdoor observed in the latest attack uses HTTP to communicate with its command-and-control server, Trend Micro noted that an earlier version used FTP.
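A defender-side check for the persistence mechanism described above, added here as an example and not drawn from Trend Micro's report or the article: it audits Chrome native messaging host manifests (the documented JSON format Chrome reads from the registry on Windows or from its profile directory on other platforms) and flags hosts whose binary sits outside expected install directories or that are reachable from extension IDs not on an allowlist. The manifests, paths, extension IDs and allowlist are constructed.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample: two native messaging host manifests in Chrome's documented format.
SAMPLE_MANIFESTS = {
    "com.vendor.legit_host": json.dumps({
        "name": "com.vendor.legit_host",
        "description": "Vendor password manager bridge",
        "path": r"C:\Program Files\Vendor\host.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"],
    }),
    "com.example.helper": json.dumps({
        "name": "com.example.helper",
        "description": "Google Chrome Helper",  # benign-sounding name, untrusted location
        "path": r"C:\Users\alice\AppData\Local\Temp\helper.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/"],
    }),
}

# Hypothetical allowlist of extension IDs approved to talk to native hosts.
APPROVED_EXTENSIONS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

# Directories from which a native host binary is expected to run (assumed policy).
TRUSTED_ROOTS = (PureWindowsPath(r"C:\Program Files"),
                 PureWindowsPath(r"C:\Program Files (x86)"))


def audit_manifest(raw: str) -> list[str]:
    """Return the findings for one native messaging host manifest (empty list = clean)."""
    manifest = json.loads(raw)
    findings = []
    path = PureWindowsPath(manifest.get("path", ""))
    if not any(path.is_relative_to(root) for root in TRUSTED_ROOTS):
        findings.append(f"host binary outside trusted roots: {path}")
    if any(part.lower() in {"temp", "tmp", "appdata"} for part in path.parts):
        findings.append("host binary lives in a user-writable or temporary directory")
    for origin in manifest.get("allowed_origins", []):
        ext_id = origin.removeprefix("chrome-extension://").rstrip("/")
        if ext_id not in APPROVED_EXTENSIONS:
            findings.append(f"unapproved extension may talk to host: {ext_id}")
    return findings


def audit_all(manifests: dict[str, str]) -> dict[str, list[str]]:
    """Audit every manifest and keep only the hosts that produced findings."""
    return {name: f for name, raw in manifests.items() if (f := audit_manifest(raw))}
```

On a real host the same functions can be fed the manifest files referenced under Chrome's NativeMessagingHosts registry keys or profile directory.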
