thecyberthrone.in
192.0.78.24  Public Scan

URL: https://thecyberthrone.in/2021/11/29/apt37-unleashes-chinotto-malware/
Submission: On November 30 via api from GB — Scanned from GB

THECYBERTHRONE

THINKING SECURITY ! ALWAYS

Security


APT37 UNLEASHES CHINOTTO MALWARE

Date: November 29, 2021 | Author: PravinKarthik

North Korean defectors, journalists, and entities in South Korea are being
targeted by a nation-state-sponsored APT tracked as ScarCruft, also known as
APT37 or Reaper Group.

The actor utilized three types of malware with similar functionality: versions
implemented in PowerShell, Windows executables and Android applications. Although
intended for different platforms, they share a similar command and control
scheme based on HTTP communication, so the operators can control the whole
malware family through one set of command and control scripts.

ScarCruft is known for targeting public and private sector organizations in South
Korea with the aim of plundering sensitive information stored on compromised
systems, and has previously been observed using a Windows-based backdoor
called RokRAT.

The primary initial infection vector used by APT37 is spear-phishing, in which
the actor sends an email to a target that is weaponized with a malicious
document.

The threat actor reached out to the victim’s associates and acquaintances using
stolen Facebook account credentials to establish initial contact, then followed
up with a spear-phishing email enclosing a password-protected RAR archive
containing a Word document. This decoy document claims to be about “North
Korea’s latest situation and our national security.”

Opening the Microsoft Office document triggers the execution of a macro and the
decryption of the next-stage payload embedded within the document. That payload,
a VBA script, contains shellcode that in turn retrieves the final-stage payload,
with backdoor capabilities, from a remote server.

The operators managed to collect screenshots, before deploying a fully-featured
malware called Chinotto in late August to control the device and exfiltrate
sensitive information to a C2 server.

Chinotto comes with its own Android variant to achieve the same goal of spying
on its users. The malicious APK file, delivered to the recipients via a smishing
attack, prompts users to grant it a wide range of permissions during the
installation phase, enabling the app to amass contact lists, messages, call
logs, device information, audio recordings, and data stored in apps such as
Huawei Drive, Tencent WeChat (aka Weixin), and KakaoTalk.

Many journalists, defectors and human rights activists are targets of
sophisticated cyberattacks. Unlike corporations, these targets typically don’t
have sufficient tools to protect against and respond to highly skilled
surveillance attacks.


INDICATORS OF COMPROMISE


Payload hosting URLs

hxxps://api[.]onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalVyZDlodU1wUWNjTGt4bXhBV0pjQU1ja2M_ZT1mUnc4VHg/root/content
hxxp://www[.]djsm.co[.]kr/js/20170805[.]hwp

Command and control server


Tags: Security Threat, Vulnerability, North Korea, Spyware, APT37, Chinotto Malware, ScarCruft


PUBLISHED BY PRAVINKARTHIK

Cybersecurity enthusiast. Will keep you updated on all happenings around
Security Operations.

© 2021 TheCyberThrone