Chinotto Backdoor: Technical Analysis of the APT Reaper's Powerful Weapon
Table of Contents
Introduction ........................................................................................................................... 3
What is a Backdoor? ............................................................................................................. 3
Who is APT37 (aka Reaper)? ............................................................................................... 3
Technical Analysis ................................................................................................................ 5
Commands ........................................................................................................................ 7
YARA RULE ......................................................................................................................... 9
IOCs ................................................................................................................................... 10
MITRE ATT&CK.................................................................................................................. 10
Introduction
Advanced persistent threat (APT) groups continue to pose a significant threat to global
cybersecurity, with state-sponsored groups being particularly advanced and dangerous. One
such group is APT37, also known as Reaper, which is believed to be based in North Korea
and operates under the guidance of the North Korean government. APT37 has been active
since at least 2012 and is known for conducting a range of cyber espionage and cyber attack
operations, primarily targeting South Korea and other countries in the region.
One of the key tools that APT37 has used in its operations is the Chinotto backdoor, a
sophisticated malware …
IOCs
172.93.193.158
d0ec6d91cf9e7c64cf11accadf18f8b5a18a10efbecb28f797b3dbbf74ae846d
http://172.93.193.158/Data/goldll/proc.php
YARA Rule
rule Armageddon_Pteranodon
{
    meta:
        author = "seyitsec"
        date = "2023-03-24"
        hash = "d0ec6d91cf9e7c64cf11accadf18f8b5a18a10efbecb28f797b3dbbf74ae846d"
    strings:
        // hard-coded marker string found in the sample
        $str1 = "IUAvx6CHOil92jqFiHCjiPhzDC"
        // C2 address and URL path listed in the IOCs above
        $str2 = "172.93.193.158"
        $str3 = "/Data/goldll/proc.php"
        // command line executed by the sample; backslashes must be
        // escaped in YARA text strings or the rule fails to compile
        $str4 = "cmd.exe /c c:\\users\\public\\libraries\\Phone.ini"
    condition:
        all of ($str*)
}