New WhiskerSpy Backdoor via Watering Hole Attack -Detection & Response


Security researchers say a new backdoor called Whisker Spy is being used in a campaign by a relatively new advanced threat actor tracked as Earth Fox, known for targeting individuals showing interest in North Korea.

The actor used a tried and tested method and picked victims from visitors to a pro North Korea website, a tactic known as a watering hole attack.

ALSO READ : Anatomy Of An Advanced Persistent Threat Group

Watering hole attack

According to Trend Micro, WhiskerSpy was delivered when visitors tried to watch videos on the website. The attacker compromised the website and injected a malicious script that asked the victim to install a video codec for the media to run.

To avoid suspicions, the threat actor modified a legitimate codec installer so that it ultimately loaded “a previously unseen backdoor” on the victim’s system.


The researchers say that the threat actor targeted only visitors to the website with IP addresses from Shenyang, China; Nagoya, Japan; and Brazil.

ALSO READ: Latest IOCs – Threat Actor URLs , IP’s & Malware Hashes

It is likely that Brazil was used only for testing the watering hole attack using a VPN connection and the real targets were visitors from the two cities in China and Japan. Relevant victims would be served the fake error message below that prompts them to install a codec to watch the video.


In reality, the codec is an MSI executable that installs on the victim’s computer shellcode that triggers a series PowerShell commands that lead to deploying the WhiskerSpy backdoor.

The researchers note that one persistence technique that Earth Kitsune used in this campaign abuses the native messaging host in Google Chrome and installs a malicious Google Chrome extension called Google Chrome Helper.

ALSO READ: RedLine Stealer returns with New TTPS – Detection & Response

The role of the extension is to allow execution of the payload every time the browser starts.

WhiskerSpy details

WhiskerSpy is the main payload used in the latest ‘Earth Kitsune’ campaign, giving remote operators the following capabilities:

  • interactive shell
  • download file
  • upload file
  • delete file
  • list files
  • take screenshot
  • load executable and call its export
  • inject shellcode into a process

The backdoor communicates with the command and control (C2) server using a 16-byte AES key for encryption.

WhiskerSpy periodically connects to the C2 for updates about its status and the server may respond with instructions for the malware, such as execute shell commands, inject code to another process, exfiltrate specific files, take screenshots.

Trend Micro has discovered an earlier version of WhiskerSpy that use the FTP protocol instead of HTTP for C2 communication. This older variant also checks for the presence of a debugger upon execution and informs the C2 with the appropriate status code.

Indicators of Compromise

Earth Kitsune samples (SHA-256)                                               Detection Name                  Note
CE7016067C97421E3050FA8BD7F1950E0707E6DEEAC20003F5F30F1C58F435BC    Trojan.JS.SLUB.A                Delivery script
1C24D9013B3EAE373FC28D40F9E475E1DD22C228E8F1E539ED9229E21807839D    Trojan.Win32.SLUB.AA            Installer
076BA1135B2F9F4DBC38E306DC533AF71B311C1DC98788C18253448FCA096C46    Trojan.Win32.SLUB.AA            Installer
371CFA10A7262438E5BC0694BA5628EB21E044DC8173710DF51826DAFA11E300    Trojan.Win32.SLUB.B             Google Chrome persistence payload
E01399D47CDA45F1AF496FA460F20620A5B08C39714875FE292A5FC3D1C7A215    Trojan.Win32.SLUB.B             Google Chrome persistence payload
6F0A0AC477C73C2533A39CB3D8FBF45365761D11B7368460964A4572E91C5FCB    Trojan.Win64.SLUB.B             Google Chrome persistence payload
C357E572DD7C618C54F8333313266A8A9CF07C1038D6B2F711CDBAE714BC2654    Trojan.JS.SLUB.A                Google Chrome persistence payload
902902B5457C6945C2B3878521D23D05D448DE179D19761C718FB67C15A4BCC0    Trojan.Win64.SLUB.B             Microsoft OneDrive persistence payload
20C214D58CCFB5AD797F1A02667078D182629AC7E157162566C123519E039D55    Trojan.Win32.SLUB.B             Backdoor loader
3D62E122E31D7929E76633773D752B8BEE31462BB79CB5B8B7C6952341E93482    Trojan.Win32.SLUB.B             Backdoor dropper
66C8E0ACFE030C4EEC474CD75C4D831601DAE3EF4E1CEF78B624DE3C346C186D    Trojan.Win32.SLUB.B             Backdoor dropper
C78CB41F4FB4E5F5476EB2C1414F138643494C2B8ABE2CF539FAFC54199E2AEF    Trojan.Win32.SLUB.B             Backdoor dropper
FBAC7B40A12970CDCC36F48945BEB83BF9461F14C59CB8106AD8E43E5D22A970    Trojan.Win32.SLUB.B             Backdoor dropper
7365F661AD9E558FDD668D3563E0A1B85CCF1A543BE51CB942DB508F9CCBCF5E    Trojan.Win32.SLUB.B             Backdoor dropper
3D4107C738B46F75C5B1B88EF06F82A5779DDD830527C9BECC951080A5491F13    Backdoor.Win64.WHISPERSPY.A     WhiskerSpy (64-bit version using HTTP)
84E9BCC055225BD50534147E355834325B97AD948C3A10D792928B48C56C1712    Backdoor.Win64.WHISPERSPY.A     WhiskerSpy (64-bit version using HTTP)
EFFA1AE32DBCF6BC64A5025BCA4F4C41572439B69EDD58B5F78952A407CEB5DF    Backdoor.Win32.WHISPERSPY.A     WhiskerSpy (32-bit version using FTP)

Earth Kitsune infrastructure                                        Note
microsoftwindow[.]sytes[.]net                                       Delivery server domain
updategoogle[.]servehttp[.]com                                      WhiskerSpy HTTP C&C domain
londoncity[.]hopto[.]org                                            WhiskerSpy FTP C&C domain
windowsupdate[.]sytes[.]net                                         Related domain
florida[.]serveblog[.]net                                           Related domain
googlemap[.]hopto[.]org                                             Related domain
liveupdate[.]servepics[.]com                                        Related domain
chromecast[.]hopto[.]org                                            Related domain
googlemap[.]serveblog[.]net                                         Related domain
selectorioi[.]ddns[.]net                                            Related domain
rs[.]myftp[.]biz                                                    Related domain


Detection & Response


(process_name:(*powershell.exe OR *cmd.exe) AND process_cmdline:(*Invoke\-WebRequest\ http* OR *\*.jpg* OR *\*.php* OR *Get\-Content* OR *\\cmd.bin* OR *\-raw*) AND ((process_original_filename:*\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive*) OR (process_name:*\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive*)) AND ((process_original_filename:(*vcruntime140.dll OR *\*.dll)) OR (process_name:(*vcruntime140.dll OR *\*.dll))))

Elastic Query:

(process.executable.text:(*powershell.exe OR *cmd.exe) AND process.command_line.text:(*Invoke\-WebRequest\ http* OR *\*.jpg* OR *\*.php* OR *Get\-Content* OR *\\cmd.bin* OR *\-raw*) AND file.path.text:*\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive* AND file.path.text:(*vcruntime140.dll OR *\*.dll))


(Image:(*powershell.exe *cmd.exe) AND CommandLine:(*Invoke\-WebRequest\ http* **.jpg* **.php* *Get\-Content* *\\cmd.bin* *\-raw*) AND FileName:*\\Users\*\\AppData\\Local\\Microsoft\\OneDrive* AND FileName:(*vcruntime140.dll **.dll))

Microsoft Sentinel:

SecurityEvent | where EventID == 1 | where ((NewProcessName endswith @’powershell.exe’ or NewProcessName endswith @’cmd.exe’) and (CommandLine contains @’Invoke-WebRequest http’ or CommandLine contains @’*.jpg’ or CommandLine contains @’*.php’ or CommandLine contains @’Get-Content’ or CommandLine contains @’\cmd.bin’ or CommandLine contains @’-raw’) and TargetFilename contains @’\Users\*\AppData\Local\Microsoft\OneDrive’ and (TargetFilename endswith @’vcruntime140.dll’ or TargetFilename endswith @’*.dll’))

Microsoft Defender:

DeviceProcessEvents | where ((FolderPath endswith @’powershell.exe’ or FolderPath endswith @’cmd.exe’) and (ProcessCommandLine contains @’Invoke-WebRequest http’ or ProcessCommandLine contains @’*.jpg’ or ProcessCommandLine contains @’*.php’ or ProcessCommandLine contains @’Get-Content’ or ProcessCommandLine contains @’\cmd.bin’ or ProcessCommandLine contains @’-raw’) and FolderPath contains @’\Users\*\AppData\Local\Microsoft\OneDrive’ and (FolderPath endswith @’vcruntime140.dll’ or FolderPath endswith @’*.dll’))


source=”WinEventLog:*” AND ((Image=”*powershell.exe” OR Image=”*cmd.exe”) AND (CommandLine=”*Invoke-WebRequest http*” OR CommandLine=”**.jpg*” OR CommandLine=”**.php*” OR CommandLine=”*Get-Content*” OR CommandLine=”*\\cmd.bin*” OR CommandLine=”*-raw*”) AND (FileName=”*\\Users\*\\AppData\\Local\\Microsoft\\OneDrive*”) AND (FileName=”*vcruntime140.dll” OR FileName=”**.dll”))

Sumo Logic:

((_sourceCategory=*windows* AND (Image=*powershell.exe OR Image=*cmd.exe) AND (CommandLine=*Invoke-WebRequest http* OR CommandLine=**.jpg* OR CommandLine=**.php* OR CommandLine=*Get-Content* OR CommandLine=*\cmd.bin* OR CommandLine=*-raw*) AND (((\Users\ AND \AppData\Local\Microsoft\OneDrive))) AND (vcruntime140.dll OR .dll)))


SELECT UTF8(payload) FROM events WHERE LOGSOURCETYPENAME(devicetype)=’Microsoft Windows Security Event Log’ AND (“Image” ILIKE ‘%powershell.exe’ OR “Image” ILIKE ‘%cmd.exe’) AND (“Process CommandLine” ILIKE ‘%Invoke-WebRequest http%’ OR “Process CommandLine” ILIKE ‘%*.jpg%’ OR “Process CommandLine” ILIKE ‘%*.php%’ OR “Process CommandLine” ILIKE ‘%Get-Content%’ OR “Process CommandLine” ILIKE ‘%\cmd.bin%’ OR “Process CommandLine” ILIKE ‘%-raw%’) AND “Filename” ILIKE ‘%\Users\*\AppData\Local\Microsoft\OneDrive%’ AND (“Filename” ILIKE ‘%vcruntime140.dll’ OR “Filename” ILIKE ‘%*.dll’)


(metaclass:`windows` process:[‘*powershell.exe’, ‘*cmd.exe’] args:[‘*Invoke-WebRequest http*’, ‘**.jpg*’, ‘**.php*’, ‘*Get-Content*’, ‘*\\cmd.bin*’, ‘*-raw*’] filename:[‘*\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive*’] filename:[‘*vcruntime140.dll’, ‘**.dll’])


index = archive AND (rg_functionality = “Microsoft Windows” AND ((@customstring54 ENDS WITH “powershell.exe” OR @customstring54 ENDS WITH “cmd.exe”) OR (@destinationprocessname ENDS WITH “powershell.exe” OR @destinationprocessname ENDS WITH “cmd.exe”)) AND (@resourcecustomfield3 CONTAINS “Invoke-WebRequest http” OR @resourcecustomfield3 = “**.jpg*” OR @resourcecustomfield3 = “**.php*” OR @resourcecustomfield3 CONTAINS “Get-Content” OR @resourcecustomfield3 CONTAINS “\cmd.bin” OR @resourcecustomfield3 CONTAINS “-raw”) AND (rawevent = “*\Users*\AppData\Local\Microsoft\OneDrive*”) AND (rawevent CONTAINS “vcruntime140.dll” OR rawevent = “**.dll*”))

Source: &

Previous articleRedLine Stealer returns with New TTPS – Detection & Response
Next articleBenefits of Game Outsourcing
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.


Please enter your comment!
Please enter your name here