{"id":50608,"date":"2023-02-17T00:00:00","date_gmt":"2023-02-17T00:00:00","guid":{"rendered":"urn:uuid:504c9bd3-7552-1326-6228-b6b0037e7075"},"modified":"2023-02-17T00:00:00","modified_gmt":"2023-02-17T00:00:00","slug":"earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/","title":{"rendered":"Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/ek-whisker-spy-641-cover.png\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.305651672434\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"693290173\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"10.8\">\n<div class=\"article-details\" role=\"heading\" readability=\"41.236363636364\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">APT &amp; Targeted Attacks<\/p>\n<p class=\"article-details__description\">We discovered a new backdoor which we have attributed to the advanced persistent threat actor known as Earth Kitsune, which we have covered before. Since 2019, Earth Kitsune has been distributing variants of self-developed backdoors to targets, primarily individuals who are interested in North Korea.<\/p>\n<p class=\"article-details__author-by\">By: Joseph C Chen, Jaromir Horejsi <time class=\"article-details__date\">February 17, 2023<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"38.76248049922\">\n<div readability=\"24.884555382215\">\n<p>We discovered a new backdoor which we have attributed to the <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cyber-attacks\/operation-earth-kitsune-tracking-slub-s-current-operations\">advanced persistent threat actor known as Earth Kitsune<\/a>, which we have covered before. Since 2019, Earth Kitsune has been distributing variants of self-developed backdoors to targets, primarily individuals who are interested in North Korea. In many of the cases we have investigated in the past, the threat actor used watering hole tactics by compromising websites related to North Korea and injecting browser exploits into them. 
In the latest activity we analyze here, Earth Kitsune used a similar tactic, but instead of browser exploits it relied on social engineering.<\/p>\n<p>At the end of 2022, we discovered that the website of a pro-North Korean organization had been compromised and modified to distribute malware. When a targeted visitor tries to watch videos on the website, a malicious script injected by the attacker displays a message prompt claiming a video codec error, to entice the victim to download and install a trojanized codec installer. The installer was patched to load a previously unseen backdoor that we dubbed \u201cWhiskerSpy.\u201d We also found the threat actor adopting an interesting persistence technique that abuses Google Chrome\u2019s native messaging host.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"6bef03\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-1.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-1.png\" alt=\"Figure 1. The WhiskerSpy infection chain\"> <\/a><figcaption>Figure 1. The WhiskerSpy infection chain<\/figcaption><\/figure>\n<\/p><\/div>\n<div readability=\"6.7977272727273\">\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>In this blog post, we reveal the infection chain and technical details of the WhiskerSpy backdoor employed by Earth Kitsune.<\/p>\n<p>At the end of 2022, we noticed that a pro-North Korean website had a malicious script injected into its video pages. 
The script showed a popup window with a fake error message, designed to entice victims to install a malicious package disguised as an Advanced Video Codec &#8211; AVC1.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"fe8bc0\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-2.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-2.png\" alt=\"Figure 2. Social engineering attack prompt on a compromised pro-North Korean website\"> <\/a><figcaption>Figure 2. Social engineering attack prompt on a compromised pro-North Korean website<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>The webpages were configured to deliver the malicious script only to visitors from a list of targeted IP addresses (visitors that did not have these IP addresses would not receive the malicious payload). This configuration makes the attack difficult to discover. Fortunately, we managed to find a text file on the threat actor\u2019s server containing a regular expression matching the targeted IP addresses. These include:<\/p>\n<ol>\n<li>An IP address subnet located in Shenyang, China<\/li>\n<li>A specific IP address located in Nagoya, Japan<\/li>\n<li>An IP address subnet located in Brazil<\/li>\n<\/ol>\n<p>The IP addresses in Shenyang and Nagoya are likely to be their real targets. However, we found the targeted IP addresses in Brazil mostly belonged to a commercial VPN service. We believe that the threat actor used this VPN service to test the deployment of their watering hole attacks. 
It also provided us with an opportunity to verify the watering hole attack by using the same VPN service to successfully receive the malicious script.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"aa2c2f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-3.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-3.png\" alt=\"Figure 3. A comparison of the webpage content between the original page (left) and the page with the injected script (right)\"> <\/a><figcaption>Figure 3. A comparison of the webpage content between the original page (left) and the page with the injected script (right)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>The website loads a malicious JavaScript (popup.js) with the following redirection code:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"f5ca5f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-4.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-4.png\" alt=\"Figure 4. Embedded JavaScript redirecting to a malicious installer download\"> <\/a><figcaption>Figure 4. 
Embedded JavaScript redirecting to a malicious installer download<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.203629032258\">\n<div readability=\"10.401209677419\">\n<p>The installer file is an <a href=\"https:\/\/en.wikipedia.org\/wiki\/Windows_Installer\">MSI installer<\/a> that wraps another <a href=\"https:\/\/nsis.sourceforge.io\/Download\">NSIS installer<\/a>. The threat actor abused a legitimate installer (windows.10.codec.pack.v2.1.8.setup.exe \u2013 e82e1fb775a0181686ad0d345455451c87033cafde3bd84512b6e617ace3338e) and patched it to include malicious shellcode. The patch increases the number of sections from 5 to 6 (red brackets in Figure 5) and increases the image size to create extra room for the malicious shellcode (green brackets in Figure 5).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"7cf35e\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-5.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-5.png\" alt=\"Figure 5. Original (above) and patched (below) installer. Sizes for certain parameters are increased and one more section is added in the patched version\"> <\/a><figcaption>Figure 5. Original (above) and patched (below) installer. 
Sizes for certain parameters are increased and one more section is added in the patched version<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"7c2312\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-6.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-6.png\" alt=\"Figure 6. Newly added .odata section in the patched installer\"> <\/a><figcaption>Figure 6. Newly added .odata section in the patched installer<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The entry point of the patched installer is changed to immediately jump to the shellcode. The shellcode is encrypted with a simple key (XOR 0x01).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"ec78e3\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-7.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-7.png\" alt=\"Figure 7. The entry point of the patched installer jumps into the code in the .odata section\"> <\/a><figcaption>Figure 7. 
The entry point of the patched installer jumps into the code in the .odata section<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>After decryption, the shellcode runs several PowerShell commands to download additional stages of malware. These files are executables whose first few hundred bytes are XORed with a one-byte key.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"68b192\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-8.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-8.png\" alt=\"Figure 8. Shellcode in the .odata section calls several PowerShell commands to download additional loaders\"> <\/a><figcaption>Figure 8. 
Shellcode in the .odata section calls several PowerShell commands to download additional loaders<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>It then restores the original entry point (15 bytes in total) to ensure that the original installer runs as expected.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"009fa7\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-9.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-9.png\" alt=\"Figure 9. Shellcode in the .odata section restores the original entry point of the installer\"> <\/a><figcaption>Figure 9. Shellcode in the .odata section restores the original entry point of the installer<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<h2><span class=\"body-subhead-title\"><\/span><\/h2>\n<p>This contains the path \\microsoft\\onedrive\\vcruntime140.dll, which is the location where another downloaded file (bg.jpg) gets dropped under the name vcruntime140.dll.<\/p>\n<h2><span class=\"body-subhead-title\"><\/span><\/h2>\n<p>This is a patched version of vcruntime140.dll (Microsoft C Runtime library). In this instance, the function memset was patched, as seen in Figures 10 and 11. The return instruction (retn) was replaced with a jump to the overlay (in the newly added .odata section), where injected code reads bytes from the overlay, XORs them with a 1-byte key and injects the embedded payload into the werfautl.exe process. 
The shellcode in the overlay is a loader of the main backdoor.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"1cac0b\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-10.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-10.png\" alt=\"Figure 10. The original memset function. Note that the instruction at address 0x18000C7D1 is return (retn)\"> <\/a><figcaption>Figure 10. The original memset function. Note that the instruction at address 0x18000C7D1 is return (retn)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"f3e1d2\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-11.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-11.png\" alt=\"Figure 11. The patched memset function. Note that the instruction at address 0x18000C7D1 is jump (jmp) to overlay with the shellcode\"> <\/a><figcaption>Figure 11. The patched memset function. 
Note that the instruction at address 0x18000C7D1 is jump (jmp) to overlay with the shellcode<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.124503311258\">\n<div readability=\"18.858278145695\">\n<p>The file is placed into the %LOCALAPPDATA%\\microsoft\\onedrive\\ directory, which is a default per-user installation location for the OneDrive application. It was previously <a href=\"https:\/\/www.bitdefender.com\/blog\/labs\/side-loading-onedrive-for-profit-cryptojacking-campaign-detected-in-the-wild\/\">reported<\/a> that the threat actors exploited <a href=\"https:\/\/www.bitdefender.com\/files\/News\/CaseStudies\/study\/424\/Bitdefender-PR-Whitepaper-SLOneDriveCyberJack-creat6318-en-EN.pdf\">OneDrive side-loading vulnerabilities<\/a> by placing fake DLLs into this OneDrive directory to achieve persistence in a compromised machine.<\/p>\n<h2><span class=\"body-subhead-title\"><\/span><\/h2>\n<p>This is an installer package that contains Installer.exe (a Google Chrome extension installer), NativeApp.exe (a native messaging host) and Chrome extension files (background.js, manifest.json, and icon.png).<\/p>\n<p>NativeApp.exe is a <a href=\"https:\/\/developer.chrome.com\/docs\/apps\/nativeMessaging\/\">native messaging host<\/a> that communicates with Chrome extensions using standard input (<a href=\"https:\/\/learn.microsoft.com\/en-us\/cpp\/c-runtime-library\/stdin-stdout-stderr?view=msvc-170\">stdin<\/a>) and standard output (<a href=\"https:\/\/learn.microsoft.com\/en-us\/cpp\/c-runtime-library\/stdin-stdout-stderr?view=msvc-170\">stdout<\/a>). 
Note the type = \u201cstdio\u201d in the extension manifest.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"a585b9\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-12.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-12.png\" alt=\"Figure 12. The extension manifest. Note the extension ID (allowed_origins) path leading to the dropped executable and the type = standard input\/output.\"> <\/a><figcaption>Figure 12. The extension manifest. Note the extension ID (allowed_origins) path leading to the dropped executable and the type = standard input\/output.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"0553e2\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-13.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-13.png\" alt=\"Figure 13. Malicious extension as viewed in a Google Chrome extension tab\"> <\/a><figcaption>Figure 13. 
Malicious extension as viewed in a Google Chrome extension tab<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"30.547297297297\">\n<div readability=\"10.182432432432\">\n<p>The <a href=\"https:\/\/developer.chrome.com\/docs\/extensions\/mv2\/background_pages\/\">Background.js<\/a> extension script adds a listener to the <a href=\"https:\/\/developer.chrome.com\/docs\/extensions\/reference\/runtime\/#event-onStartup\">onStartup<\/a> message. This listener sends the \u201cinject\u201d command to the native messaging host, effectively acting as a somewhat unique method of persistence, since the malicious payload is executed every time the Chrome browser is started.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"b04473\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-14.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-14.png\" alt=\"Figure 14. The handler of the onStartup event (the startup of the Chrome browser)\"> <\/a><figcaption>Figure 14. The handler of the onStartup event (the startup of the Chrome browser)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"47.871218668971\">\n<div readability=\"41.455488331893\">\n<p>NativeApp uses messages in <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Learn\/JavaScript\/Objects\/JSON\">JSON<\/a> format to exchange data with Chrome extensions, and implements three commands: execute, load, and inject.<\/p>\n<p>The format of the message is as follows: xx xx xx xx {\u201ccmd\u201d:\u201d\u201d,\u201ddata\u201d:\u201d\u201d}, where xx xx xx xx is length of the message in bytes. 
The \u201ccmd\u201d key must contain one of the implemented command values (execute, load, and inject), while the \u201cdata\u201d key may contain additional parameters such as a path and the program to be executed.<\/p>\n<p>The following are examples of valid JSON messages:<\/p>\n<p><i><span class=\"blockquote\">{\"cmd\":\"execute\",\"data\":[\"c:\\\\windows\\\\system32\\\\notepad.exe\"]}<\/span><\/i><\/p>\n<p><i><span class=\"blockquote\">{\"cmd\":\"load\",\"data\":[\"c:\\\\temp\\\\hello-world-x64.dll\",\"MessageBoxThread\"]}<\/span><\/i><\/p>\n<p><i><span class=\"blockquote\">{\"cmd\":\"inject\",\"data\":[\"\"]}<\/span><\/i><\/p>\n<p>Note that each message must be preceded with a 4-byte little-endian length value. Passing non-printable characters (0x00 as shown in Figure 15) can be achieved by using PowerShell and its <a href=\"https:\/\/learn.microsoft.com\/en-us\/powershell\/module\/microsoft.powershell.management\/get-content?view=powershell-7.3\">Get-Content<\/a> cmdlet with the -raw parameter, then redirecting this content via the pipe \u201c|\u201d to the NativeApp. 
If the cmd.bin file contains the same content as shown in Figure 15, NativeApp.exe will run notepad.exe.<\/p>\n<p><i><span class=\"blockquote\">powershell Get-Content .\\cmd.bin -raw | NativeApp.exe<\/span><\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"a71343\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-15.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-15.png\" alt=\"Figure 15. Message instructing the execution of notepad.exe. The first DWORD 0x0000003f is the length of the following JSON message\"> <\/a><figcaption>Figure 15. Message instructing the execution of notepad.exe. The first DWORD 0x0000003f is the length of the following JSON message<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"48.198505869797\">\n<div readability=\"45.417822838847\">\n<p>In the current implementation, the inject command has no parameters. Instead, it connects to the hardcoded URL address http:\/\/&lt;delivery server&gt;\/help[.]jpg, then downloads, decodes and runs the main payload, which is a backdoor.<\/p>\n<h2><span class=\"body-subhead-title\"><\/span><\/h2>\n<p>This is shellcode that loads another embedded executable \u2014 the main backdoor payload, which we named WhiskerSpy.<\/p>\n<p>WhiskerSpy uses elliptic-curve cryptography (ECC) to exchange encryption keys between the client and server. 
The following are the implemented backdoor commands:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">interactive shell<\/span><\/li>\n<li><span class=\"rte-red-bullet\">download file<\/span><\/li>\n<li><span class=\"rte-red-bullet\">upload file<\/span><\/li>\n<li><span class=\"rte-red-bullet\">delete file<\/span><\/li>\n<li><span class=\"rte-red-bullet\">list files<\/span><\/li>\n<li><span class=\"rte-red-bullet\">take screenshot<\/span><\/li>\n<li><span class=\"rte-red-bullet\">load executable and call its export<\/span><\/li>\n<li><span class=\"rte-red-bullet\">inject shellcode into process<\/span><\/li>\n<\/ul>\n<p>The machine ID is computed as a 32-bit <a href=\"https:\/\/en.wikipedia.org\/wiki\/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function\">Fowler-Noll-Vo<\/a> hash (FNV-1) of the 16-byte UUID located in the System Information Table of the <a href=\"https:\/\/www.dmtf.org\/standards\/smbios\">System Management BIOS<\/a> (<a href=\"https:\/\/www.dmtf.org\/standards\/smbios\">SMBIOS<\/a>). For more details about the UUID value, see page 33 of the <a href=\"https:\/\/www.dmtf.org\/sites\/default\/files\/standards\/documents\/DSP0134_3.0.0.pdf\">SMBIOS Specification<\/a>. The function <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/sysinfoapi\/nf-sysinfoapi-getsystemfirmwaretable\">GetSystemFirmwareTable<\/a> is called with the parameter \u201cRSMB\u201d to retrieve the raw SMBIOS table. The table is then parsed to locate the 16-byte UUID, whose FNV-1 hash is then computed.<\/p>\n<p>For communication with the command-and-control (C&amp;C) server, the backdoor generates a random 16-byte AES key. It computes the session ID from this key as a 32-bit <a href=\"https:\/\/en.wikipedia.org\/wiki\/MurmurHash\">Murmur3<\/a> hash.<\/p>\n<p>As mentioned, the backdoor uses elliptic-curve cryptography (ECC). 
We can determine the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Elliptic-curve_cryptography\">elliptic-curve domain parameters<\/a> from hardcoded values stored in the \u201c.data\u201d section. In Figure 16, you can see the prime (p, yellow), the first coefficient a (red), the second coefficient b (green), the generator (base point, blue), and the cofactor (h, orange). Knowing these parameters lets us determine that &#8220;secp256r1&#8221; is the curve in use, since the constants of the most popular elliptic curves are listed, for example, in the <a href=\"https:\/\/github.com\/alexmgr\/tinyec\/blob\/master\/tinyec\/registry.py\">tinyec project<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"03155b\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-16.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-16.png\" alt=\"Figure 16. The hardcoded parameters of the \u201csecp256r1\u201d curve\"> <\/a><figcaption>Figure 16. 
The hardcoded parameters of the \u201csecp256r1\u201d curve<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.694503171247\">\n<div readability=\"17.970401691332\">\n<p>There is one more value shown in Figure 16 (brown), which represents the hardcoded server public key.<\/p>\n<p>Then a series of computations (Elliptic-curve Diffie\u2013Hellman or <a href=\"https:\/\/wizardforcel.gitbooks.io\/practical-cryptography-for-developers-book\/content\/asymmetric-key-ciphers\/elliptic-curve-cryptography-ecc.html\">ECDH key exchange<\/a>) follows:<\/p>\n<ol>\n<li>Generate a random 32-byte client private key (clientPrivKey)<\/li>\n<li>Compute the client public key by multiplying the client private key by the curve generator<br \/>(clientPubKey = clientPrivKey * curve.g)<\/li>\n<li>Compute the shared key by multiplying the client private key by the server public key<br \/>(sharedKey = clientPrivKey * serverPubKey)<\/li>\n<\/ol>\n<p>The results of these computations are uploaded to the C&amp;C server as a 64-byte binary blob, where the first 32 bytes are the x-coordinate of the client public key, since a <a href=\"https:\/\/www.herongyang.com\/EC-Cryptography\/ECDH-What-Is-ECDH-Key-Exchange.html\">commonly used shared function f(P) is to take the x-coordinate of the point P<\/a>. 
The second 32 bytes are derived from a random 16-byte AES key.<\/p>\n<p>C&amp;C communication begins by registering the machine ID (function number = 3; POST request with \u201cl&lt;machineID&gt;*\u201d).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"fc30e4\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-17.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-17.png\" alt=\"Figure 17. Registering a new machine\"> <\/a><figcaption>Figure 17. Registering a new machine<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The upload of the 64-byte file containing the x-coordinate of the client public key and the encrypted AES key follows (function number = 1; POST request with \u201cl&lt;machineID&gt;&lt;sessionID&gt;\u201d).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"ae071e\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-18.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-18.png\" alt=\"Figure 18. Registering a new session key and uploading it\"> <\/a><figcaption>Figure 18. 
Registering a new session key and uploading it<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>WhiskerSpy then periodically polls the C&amp;C server for tasks to perform (function number = 2; POST request with \u201ch&lt;machineID&gt;*\u201d).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"26115a\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-19.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-19.png\" alt=\"Figure 19. WhiskerSpy requesting for tasks to be performed\"> <\/a><figcaption>Figure 19. WhiskerSpy requesting tasks to perform<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.898255813953\">\n<div readability=\"13.755813953488\">\n<p>Received packets (the content of the file h&lt;machineID&gt;) can be either AES-encrypted or in plaintext, depending on the packet\u2019s purpose. For example, the alive packet is 0x14 bytes long, starts with the magic value 0x104B070D, and is not encrypted. Its <a href=\"https:\/\/en.wikipedia.org\/wiki\/MurmurHash\">Murmur<\/a> hash must equal the hardcoded value 0x89EECD7C. 
Other packets are listed in Table 1.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody>\n<tr>\n<th scope=\"col\">Packet type<\/th>\n<th scope=\"col\">Magic<\/th>\n<th scope=\"col\">Length<\/th>\n<th scope=\"col\">Murmur hash<\/th>\n<th scope=\"col\">Encrypted with AES<\/th>\n<\/tr>\n<tr>\n<td>Do nothing<\/td>\n<td>.<\/td>\n<td>1<\/td>\n<td>&nbsp;<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td>Alive<\/td>\n<td>0x104B070D<\/td>\n<td>0x14<\/td>\n<td>0x89EECD7C<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td>Generate new session key<\/td>\n<td>0xC8C9427E<\/td>\n<td>0x20<\/td>\n<td>0xDA348CF2<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td>Command packet<\/td>\n<td>0xF829EA31<\/td>\n<td>&nbsp;<\/td>\n<td>&nbsp;<\/td>\n<td>Yes<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<p><h5>Table 1. Special types of messages<\/h5>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>WhiskerSpy implements a standard set of backdoor functions, listed in Table 2. While analyzing the code, we noticed a few status codes that report the state of a task. The first word (two bytes) of a received message is the command ID. Note that, in the case of the command packet, the magic value is the same for all commands: it precedes the command ID and is not shown in Table 2. 
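<\/p>
<p>As an added example (not code from the page, from the sample or from Trend Micro), the following Python decodes received packets along the lines of Table 1 and the command-ID convention described above: a one-byte packet is the do-nothing case, otherwise the first four bytes are the magic, the alive packet takes its command ID from the low word of the magic, and a command packet carries a two-byte command ID after the magic with an AES-encrypted body that is left opaque here. Three points are assumptions rather than facts from the page: the magic is read little-endian (which is what the statement that 0x70D is the first word of 0x104B070D implies), the header of a command packet is in the clear, and the hash is MurmurHash3 x86_32 with seed 0 over the whole packet. The page names only Murmur, so the constructed packets below will not reproduce the hardcoded hash values; the decoder reports the mismatch instead of hiding it.<\/p>

```python
import struct

M32 = 0xFFFFFFFF

def murmur3_32(data, seed=0):
    """MurmurHash3 x86_32. ASSUMPTION: the article says only 'Murmur'; the
    sample's exact variant, seed and hashed byte range are not given."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & M32
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = struct.unpack_from("<I", data, 4 * i)[0]
        k = (k * c1) & M32
        k = ((k << 15) | (k >> 17)) & M32
        k = (k * c2) & M32
        h ^= k
        h = ((h << 13) | (h >> 19)) & M32
        h = (h * 5 + 0xE6546B64) & M32
    tail = data[4 * nblocks:]
    if tail:
        k = 0
        for i, byte in enumerate(tail):
            k ^= byte << (8 * i)
        k = (k * c1) & M32
        k = ((k << 15) | (k >> 17)) & M32
        k = (k * c2) & M32
        h ^= k
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & M32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & M32
    h ^= h >> 16
    return h

MAGIC_ALIVE, MAGIC_NEW_KEY, MAGIC_COMMAND = 0x104B070D, 0xC8C9427E, 0xF829EA31

# Table 1: magic -> (type, expected length, expected Murmur hash, AES-encrypted)
PACKET_TYPES = {
    MAGIC_ALIVE: ("alive", 0x14, 0x89EECD7C, False),
    MAGIC_NEW_KEY: ("generate new session key", 0x20, 0xDA348CF2, False),
    MAGIC_COMMAND: ("command", None, None, True),
}

# Table 2, function names only
COMMANDS = {
    1: "interactive shell", 2: "download file to the client",
    3: "upload file to the server", 4: "list files", 5: "delete file",
    6: "not supported", 7: "exit process", 8: "list files",
    9: "encrypt file and upload it to the C&C server", 10: "take screenshot",
    11: "load module and run export", 12: "inject shellcode into another process",
    0x70D: "alive check",
}
ALIVE_REPLY = "\u751f".encode("utf-8")   # e7 94 9f, the reply to the alive check

def decode_packet(data, hash_fn=murmur3_32):
    """Classify one received h<machineID> packet and collect validation errors."""
    if len(data) == 1:                                   # the '.' do-nothing packet
        return {"type": "do nothing", "command": None, "function": None,
                "body": b"", "encrypted": False, "errors": []}
    if len(data) < 4:
        raise ValueError("packet shorter than a magic value")
    magic = struct.unpack_from("<I", data)[0]            # little-endian: low word of 0x104B070D is 0x070D
    if magic not in PACKET_TYPES:
        raise ValueError(f"unknown magic {magic:#010x}")
    ptype, exp_len, exp_hash, encrypted = PACKET_TYPES[magic]
    errors = []
    if exp_len is not None and len(data) != exp_len:
        errors.append(f"length {len(data):#x} != {exp_len:#x}")
    if exp_hash is not None and hash_fn(data) != exp_hash:
        errors.append(f"murmur {hash_fn(data):#010x} != {exp_hash:#010x}")
    if magic == MAGIC_ALIVE:
        cmd, body = magic & 0xFFFF, data[4:]             # command ID is the magic's low word
    elif magic == MAGIC_COMMAND:
        # ASSUMPTION: magic and command ID in the clear, AES-encrypted body after them
        cmd, body = struct.unpack_from("<H", data, 4)[0], data[6:]
    else:
        cmd, body = None, data[4:]
    return {"type": ptype, "command": cmd, "function": COMMANDS.get(cmd),
            "body": body, "encrypted": encrypted, "errors": errors}

def reply_for(packet):
    """What the implant sends back: the alive check gets the 'life' bytes."""
    return ALIVE_REPLY if packet["command"] == 0x70D else None

# Constructed sample packets (not captured traffic)
SAMPLE_NOP = b"."
SAMPLE_ALIVE = struct.pack("<I", MAGIC_ALIVE) + b"\0" * 16               # 0x14 bytes
SAMPLE_NEW_KEY = struct.pack("<I", MAGIC_NEW_KEY) + b"\x11" * 28          # 0x20 bytes
SAMPLE_COMMAND = struct.pack("<IH", MAGIC_COMMAND, 10) + b"\xaa" * 16     # command 10, opaque body

if __name__ == "__main__":
    for pkt in (SAMPLE_NOP, SAMPLE_ALIVE, SAMPLE_NEW_KEY, SAMPLE_COMMAND):
        d = decode_packet(pkt)
        print(d["type"], d["function"], d["errors"], reply_for(d))
```

<p>The hash function is a parameter so that, once the real variant and input range are confirmed in the debugger, it can be swapped in without touching the dispatch logic; with a hash that returns the hardcoded value, the alive sample validates cleanly.<\/p>
<p>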
In the case of the alive packet, the first word (2 bytes) of the magic value is used as the command ID, which is why the value 0x70D appears in the table.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"15.906637490883\">\n<tr>\n<th scope=\"col\">Command ID<\/th>\n<th scope=\"col\">Function<\/th>\n<th scope=\"col\">Status codes<\/th>\n<\/tr>\n<tr readability=\"5\">\n<td>1<\/td>\n<td>Interactive shell (run command-line task)<\/td>\n<td>CPF: CommandLine Process Fail<br \/>CPS: CommandLine Process Success<br \/>[empty]<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>2<\/td>\n<td>Download file to the client<\/td>\n<td>UTOF: Open File<br \/>FWS: File Write Success<br \/>UTWF: Write File<br \/>BAD: error<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>3<\/td>\n<td>Upload file to the server<\/td>\n<td>UTOF: Open File<br \/>UTRF: Read File<br \/>FIB: File Input Big (&gt;200MB)<br \/>FIE: File Input Empty (zero length)<br \/>BAD: error<\/td>\n<\/tr>\n<tr>\n<td>4,8<\/td>\n<td>List files<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>5<\/td>\n<td>Delete file<\/td>\n<td>OK<br \/>BAD<\/td>\n<\/tr>\n<tr>\n<td>6<\/td>\n<td>Not supported<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>7<\/td>\n<td>Exit process<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>9<\/td>\n<td>Encrypt file and upload it to the C&amp;C server<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>10<\/td>\n<td>Take screenshot<\/td>\n<td>IPS: Incorrect Pixel Specification (!=24 and !=32)<br \/>DIBF: Device-Independent Bitmap (DIB) Fail<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>11<\/td>\n<td>Load module and run export<\/td>\n<td>BAD: unable to load module<br \/>OK<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>12<\/td>\n<td>Inject shellcode into another process<\/td>\n<td>BAD<br \/>OK<\/td>\n<\/tr>\n<tr readability=\"3.7922077922078\">\n<td>0x70D<\/td>\n<td>Alive check<\/td>\n<td>Responds to the server with the bytes \u201c<a href=\"https:\/\/unicode-table.com\/en\/751F\/\">e7 94 9f<\/a>\u201d, the UTF-8 encoding of the Chinese character \u751f (sh\u0113ng, \u201clife\u201d)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<p><h5>Table 2. 
Backdoor commands of WhiskerSpy<\/h5>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40.943440233236\">\n<div readability=\"27.624489795918\">\n<p>Older versions of WhiskerSpy are 32-bit executables and implement only a subset of the functions listed above (1\u20135, 8 and 0x70D are the same; 6 = exit process; 7 = drop file to the temp directory and execute it). The remaining functions are missing.<\/p>\n<p>In these versions the communication is not over HTTP but over FTP, which means the FTP username and password must be hardcoded in the binary. This leaks the current number of victims: the l&lt;machineID&gt;&lt;sessionID&gt; and h&lt;machineID&gt; files are visible to anyone who knows the login credentials.<\/p>\n<p>The FTP version of the backdoor also checks for the presence of a debugger. If one is found, the status code \u201cHELO&gt;\u201d is sent to the C&amp;C server.<\/p>\n<p>Our findings allow us to attribute this attack to the Earth Kitsune threat actor with medium confidence. Injecting malicious scripts into North Korea-related websites matches the modus operandi and victimology of the group\u2019s previous activities. Furthermore, the delivery server and the C&amp;C server of WhiskerSpy used in this attack have two infrastructure overlaps with our previous research on <a href=\"https:\/\/documents.trendmicro.com\/assets\/white_papers\/wp-operation-earth-kitsune.pdf\">Operation Earth Kitsune<\/a>.<\/p>\n<ol>\n<li>The first overlap is that WhiskerSpy&#8217;s C&amp;C domain londoncity[.]hopto[.]org and Earth Kitsune\u2019s domain rs[.]myftp[.]biz both resolved to the same IP address, 45[.]76[.]62[.]198.<\/li>\n<li>The second overlap is that WhiskerSpy\u2019s C&amp;C domains londoncity[.]hopto[.]org and updategoogle[.]servehttp[.]com, plus the delivery server domain microsoftwindow[.]sytes[.]net, all resolved to 172[.]93[.]201[.]172. 
This IP address was also the resolution of the domain selectorioi[.]ddns[.]net, which was used by Earth Kitsune\u2019s agfSpy backdoor.<\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"259e2c\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-20.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/ek-whisker-spy-20.png\" alt=\"Figure 20. The infrastructure overlap with Earth Kitsune\"> <\/a><figcaption>Figure 20. The infrastructure overlap with Earth Kitsune<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.893540669856\">\n<div readability=\"23.023923444976\">\n<p>This threat is interesting from a technical perspective. It patches legitimate installers to hide its activity, uses lesser-known hashing algorithms to compute machine IDs and session IDs, and employs ECC to protect the encryption key. The persistence methods presented are also uncommon. 
This shows that Earth Kitsune is technically proficient and continues to evolve its tactics, techniques, and procedures (TTPs).<\/p>\n<p>To help organizations defend themselves from advanced threats, we recommend a multilayered security approach and technologies that can detect and block these types of threats from infiltrating the system through&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_ph\/business\/products\/user-protection\/sps\/endpoint.html\">endpoints<\/a>,&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_ph\/business\/products\/hybrid-cloud\/deep-security.html\">servers<\/a>,&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_ph\/business\/products\/network\/advanced-threat-protection\/inspector.html\">networks<\/a>, and&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_ph\/business\/products\/user-protection\/sps\/email-and-collaboration\/email-security.html\">emails<\/a>.<\/p>\n<p>The indicators of compromise for this entry can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/Earth_Kitsune_WhiskerSpy_iocs.txt\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/b\/earth-kitsune-delivers-new-whiskerspy-backdoor.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We discovered a new backdoor which we have attributed to the advanced persistent threat actor known as Earth Kitsune, which we have covered 
before. Since 2019, Earth Kitsune has been distributing variants of self-developed backdoors to targets, primarily individuals who are interested in North Korea. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":50609,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9546,9510,9509,9535],"class_list":["post-50608","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-apttargeted-attacks","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-research","tag-trend-micro-research-web"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-17T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/ek-whisker-spy-641-cover.png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole 
Attack\",\"datePublished\":\"2023-02-17T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\\\/\"},\"wordCount\":2823,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack.png\",\"keywords\":[\"Trend Micro Research : APT&amp;Targeted Attacks\",\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Research\",\"Trend Micro Research : Web\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\\\/\",\"name\":\"Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack.png\",\"datePublished\":\"2023-02-17T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | 
ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack.png\",\"width\":972,\"height\":450},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-kitsune-delivers-new-whiskerspy-backdoor-via-watering-hole-attack\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : APT&amp;Targeted Attacks\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-apttargeted-attacks\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 
CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f1
93e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}