
Researchers recently discovered a new backdoor targeting individuals who show an interest in North Korea. The victims were visitors to a pro-North Korean website. The attacker group behind this has been targeting victims since 2019. The threat group uses the watering hole method: it compromises North Korea related websites and injects browser exploits into them.

In this post we will walk through what the new WhiskerSpy backdoor is, who is behind these attacks, and what a watering hole attack is.

What is a Watering Hole Attack?

The term watering hole attack comes from hunting. Instead of going out to find prey, the hunter waits where the prey is likely to come, most commonly a body of water: the watering hole.

In the cyber attack, instead of seeking out the users or victims, the attacker infects a website the victims are likely to visit. The infected website then compromises the user's system, from which the attacker might reach the user's workplace.

Since the attacker does not target the victim directly, let's see how the attack is executed.

  1. Identify a website that the victim is likely to visit frequently
  2. Such target websites are typically poorly secured and popular with the victims
  3. The target site is compromised and a malicious payload is injected
  4. When the victim visits the site, the payload is triggered and the system is infected
  5. The exploit payload can be anything; it may run automatically or show a prompt before downloading
  6. Once the payload is successfully deployed, the attackers can access information on the compromised system

How watering hole attacks work. Credits: TechTarget
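Step 3 above is the point a site operator can check for. The following Python script is an added example, not code from the original post or from Trend Micro: it fingerprints the external script URLs and the SHA-256 hashes of inline scripts in a page and reports anything present in a freshly fetched copy that was absent from the known-good baseline. The two HTML pages are constructed for illustration. Because the injection in this campaign was only served to visitors from particular IP ranges, a copy fetched from the operator's own network may look clean; comparing copies fetched from several vantage points against the baseline avoids that blind spot.

```python
"""Baseline diff for injected <script> tags on a site you operate.

Added example, not from the original post or Trend Micro's report. Uses only
the standard library; the sample pages below are constructed.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script URLs and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline_hashes = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src.strip())
        else:
            # Inline script: HTMLParser hands us the raw body via handle_data
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline_hashes.add(hashlib.sha256(body.encode()).hexdigest())


def script_fingerprint(html):
    """Return (external_srcs, inline_hashes) for one HTML document."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return frozenset(parser.external), frozenset(parser.inline_hashes)


def find_injected_scripts(baseline_html, observed_html):
    """Report scripts present in observed_html but absent from the baseline."""
    base_ext, base_inline = script_fingerprint(baseline_html)
    obs_ext, obs_inline = script_fingerprint(observed_html)
    return {
        "new_external": sorted(obs_ext - base_ext),
        "new_inline_hashes": sorted(obs_inline - base_inline),
    }


# Constructed sample: the video page as deployed, and the same page with an
# extra external loader and a second inline script added by an attacker.
BASELINE_PAGE = """<html><head>
<script src="/static/player.js"></script>
<script>initPlayer({autoplay: false});</script>
</head><body><video src="/media/clip.mp4"></video></body></html>"""

OBSERVED_PAGE = """<html><head>
<script src="/static/player.js"></script>
<script>initPlayer({autoplay: false});</script>
<script src="https://cdn.example.invalid/loader.js"></script>
<script>document.write('<div id="codec-prompt">Codec error</div>');</script>
</head><body><video src="/media/clip.mp4"></video></body></html>"""


if __name__ == "__main__":
    print(find_injected_scripts(BASELINE_PAGE, OBSERVED_PAGE))
```

Hashing inline bodies rather than storing them keeps the baseline small and makes any edit to an existing inline script show up as a new hash; a rotated analytics snippet will also show up, so the baseline needs refreshing on each legitimate deploy.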

What is the New WhiskerSpy Backdoor and Who is Behind This Attack?

By the end of 2022, it was discovered that several North Korea related sites had been compromised by injecting malicious code into them. When targeted victims visited a site, a prompt showed a video codec error and led them to download and install a trojanized codec installer. This installer was configured to load a new backdoor, the WhiskerSpy backdoor. The threat actor was also observed achieving persistence by abusing Chrome's native messaging host mechanism.

The WhiskerSpy infection chain. Source: Trend Micro

The attacker group behind these attacks has been identified as an advanced persistent threat actor known as Earth Kitsune. This group has been active since 2019, carrying out multiple malicious campaigns and developing and distributing backdoors, especially targeting people interested in North Korea.

Technical Analysis

By the end of 2022, Trend Micro researchers observed malicious code injected into the video pages of a pro-North Korean website. The site showed an error message redirecting victims to install a malicious payload camouflaged as an Advanced Video Codec (AVC1).

Technical analysis of the WhiskerSpy backdoor. Source: Trend Micro

The attack targeted only some users: if the visitor's IP address was not in the targeted range, the pop-up with the malicious payload did not appear. This made the attack harder to identify. The targeted victim IPs are mainly from China, Japan, and Brazil.


The patched installer is an MSI file that contains another NSIS installer. The attacker abused a legitimate installer (windows.10.codec.pack.v2.1.8.setup.exe) and patched malicious shellcode into it. This shellcode downloads further stages of malware by running several PowerShell commands.
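An installer that launches PowerShell to fetch further stages is the kind of parent-child chain endpoint telemetry catches. The Python below is an added example, not code from the original post or from Trend Micro: it scans process-creation records whose fields are modelled on Sysmon Event ID 1 (ParentImage, Image, CommandLine) and alerts when an installer-like parent spawns powershell.exe with download, encoded-command or hidden-window arguments. The events are constructed, the installer file name is the one named above, and the encoded command is a placeholder rather than a real payload.

```python
"""Flag PowerShell launched by an installer with download or encoded arguments.

Added example, not from the original post or Trend Micro. Events are
constructed; field names follow Sysmon Event ID 1 conventions.
"""
import re

# Parent names typical of MSI/NSIS installers; codec-pack style names are
# caught by the setup.exe suffix and the "codec" substring check below.
INSTALLER_NAMES = {"msiexec.exe", "setup.exe", "install.exe"}
DOWNLOAD_OR_ENCODED = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\birm\b|"
    r"net\.webclient|start-bitstransfer|-e(?:nc|ncodedcommand|c)?\s|frombase64string",
    re.IGNORECASE,
)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_installer_parent(parent_image):
    name = basename(parent_image)
    return name in INSTALLER_NAMES or name.endswith("setup.exe") or "codec" in name


def reasons_for(ev):
    """Return the list of indicators present in one process-creation event."""
    if basename(ev["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return []
    reasons = []
    if is_installer_parent(ev["ParentImage"]):
        reasons.append("installer-like parent")
    if DOWNLOAD_OR_ENCODED.search(ev["CommandLine"]):
        reasons.append("download or encoded-command argument")
    if HIDDEN_WINDOW.search(ev["CommandLine"]):
        reasons.append("hidden window")
    return reasons


def is_alert(ev):
    """Alert only when the installer parent is combined with another indicator."""
    r = reasons_for(ev)
    return "installer-like parent" in r and len(r) >= 2


def find_alerts(events):
    """Return (ProcessId, reasons) for every alerting event."""
    return [(ev["ProcessId"], reasons_for(ev)) for ev in events if is_alert(ev)]


# Constructed events: one matching the campaign's pattern, three that should
# not alert (vendor post-install script, user-launched download, cmd.exe child).
EVENTS = [
    {"ProcessId": 4412,
     "ParentImage": r"C:\Users\victim\Downloads\windows.10.codec.pack.v2.1.8.setup.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc BASE64_PLACEHOLDER"},
    {"ProcessId": 4480,
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Vendor\postinstall.ps1"},
    {"ProcessId": 5120,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"},
    {"ProcessId": 5300,
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo done"},
]


if __name__ == "__main__":
    for pid, reasons in find_alerts(EVENTS):
        print(pid, reasons)
```

Requiring the installer parent plus at least one command-line indicator keeps vendor post-install scripts out of the alert queue while still catching the hidden, encoded download chain; the single-indicator events remain available for lower-severity hunting.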

The attacker maintained persistence through multiple methods, such as OneDrive side-loading vulnerabilities and malicious Google Chrome extensions. The main backdoor loader is named WhiskerSpy.
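Both the Chrome native messaging host abuse mentioned earlier and the malicious extensions mentioned here leave a footprint that can be audited. The Python below is an added example, not code from the original post or from Trend Micro. Chrome locates native messaging hosts through registry keys under HKCU or HKLM\Software\Google\Chrome\NativeMessagingHosts\<name>, whose default value points at a JSON manifest with name, path, type and allowed_origins fields; the audit takes already-collected (hive, manifest text) pairs so it runs offline, and flags hosts that live outside trusted install directories, in user-writable paths, that are scripts rather than compiled binaries, or that are reachable from extension IDs not on an approval list. The manifests, the extension IDs and the approval list are all constructed placeholders.

```python
"""Audit Chrome native messaging host manifests for persistence abuse.

Added example, not from the original post or Trend Micro. Input manifests
and the approval list are constructed; collection from the registry is
assumed to have happened beforehand.
"""
import json
import re

# Hypothetical organisational allowlist of extension IDs (32 chars, a-p).
APPROVED_EXTENSIONS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
TRUSTED_PATH_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOST = re.compile(
    r"\.(bat|cmd|ps1|vbs|js|hta)$|powershell|wscript|cscript|cmd\.exe", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\programdata\\|\\temp\\",
    re.IGNORECASE)


def audit_manifest(hive, manifest_text):
    """Return a list of findings for one manifest; empty means nothing suspicious."""
    manifest = json.loads(manifest_text)
    path = manifest.get("path", "")
    lowered = path.lower()
    findings = []
    if not lowered.startswith(TRUSTED_PATH_PREFIXES):
        findings.append(f"host binary outside trusted install directories: {path}")
    if USER_WRITABLE.search(lowered):
        findings.append("host binary in a user-writable directory")
    if SCRIPT_HOST.search(lowered):
        findings.append("host is a script or script interpreter, not a compiled binary")
    for origin in manifest.get("allowed_origins", []):
        ext_id = origin.split("://", 1)[-1].rstrip("/")
        if ext_id not in APPROVED_EXTENSIONS:
            findings.append(f"unapproved extension origin: {ext_id}")
    # Per-user registration needs no admin rights; note it only alongside other findings
    if findings and hive.upper() == "HKCU":
        findings.append("registered per-user under HKCU")
    return findings


def audit_all(entries):
    """entries: iterable of (hive, host_name, manifest_text). Returns {host_name: findings}."""
    return {name: audit_manifest(hive, text) for hive, name, text in entries}


# Constructed manifests following Chrome's documented manifest layout.
LEGITIMATE_MANIFEST = json.dumps({
    "name": "com.example.approved_host",
    "description": "Constructed: vendor host installed under Program Files",
    "path": "C:\\Program Files\\ExampleVendor\\native_host.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"],
})
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "com.example.updater",
    "description": "Constructed: batch file dropped into the user's profile",
    "path": "C:\\Users\\victim\\AppData\\Local\\Updater\\host.bat",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/"],
})

SAMPLE_ENTRIES = [
    ("HKLM", "com.example.approved_host", LEGITIMATE_MANIFEST),
    ("HKCU", "com.example.updater", SUSPICIOUS_MANIFEST),
]


if __name__ == "__main__":
    for host, findings in audit_all(SAMPLE_ENTRIES).items():
        print(host, findings or "ok")
```

The same allowed_origins check doubles as an inventory of which extensions are wired to native code at all, which is the list to reconcile against the extensions an enterprise actually deploys.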

WhiskerSpy: The Main Payload

WhiskerSpy exchanges the encryption key between server and client using elliptic-curve cryptography (ECC). Some of the implemented backdoor commands are:

  • interactive shell
  • downloading a file
  • uploading a file
  • deleting a file
  • listing files
  • taking screenshots
  • loading an executable and calling its export
  • injecting shellcode into a process

This backdoor generates a random 16-byte AES key for communicating with the command-and-control server.

MITRE ATT&CK Identifiers

  • T1005 (Data from Local System)
  • T1027 (Obfuscated Files or Information)
  • T1036 (Masquerading)
  • T1037.005 (Startup Items)
  • T1055 (Process Injection)
  • T1059.001 (PowerShell)
  • T1083 (File and Directory Discovery)
  • T1105 (Ingress Tool Transfer)
  • T1106 (Native API)
  • T1113 (Screen Capture)
  • T1176 (Browser Extensions)
  • T1185 (Browser Session Hijacking)
  • T1189 (Drive-by Compromise)
  • T1190 (Exploit Public-Facing Application)
  • T1204.002 (Malicious File)
  • T1485 (Data Destruction)
  • T1573 (Encrypted Channel)


Please find the IOCs here

SHA 256
This is a very interesting attack. The technologies used include IP address filtering, cryptography, and JavaScript, and the attack vectors include shellcode, social engineering, and the watering hole attack. Such attacks can be prevented by building proper defense-in-depth and by educating users not to fall for them.
