Browser Bugs Exploited to Install 2 New Backdoors on Targeted Computers

Posting ID 127964
Date Added: 11/6/2020 7:18 AM EST
Date Modified: 11/6/2020 7:18 AM EST
Atonial Hyatt | E-ISAC Staff



On October 30th, 2020 the hacker News website published an article about a browser bug being exploited that will create multiple backdoors on targeted computers with in an organization. Cybersecurity researchers have divulged details about a new cyberattack called Watering hole that’s targeting the Korean diaspora that capitalizes on the vulnerabilities in web browsers such as Google Chrome and Internet Explorer to deploy malware for espionage purposes. The Campaign dubbed “Operation Earth Kitsune” involves the use of SLUB which is a word dissected from (Slack and githUB) malware and two new backdoors – dneSpy and agfSpy to infiltrate systems information and again additional control of the compromised devices.


Watering hole attacks allow a bad actor to compromise a targeted business by yielding a carefully selected website by inserting an exploit with the intention to gain access to the targets device and infect it with malware. This campaign is very comprehensive in deploying numerous samples to the duped machines and using multiple command and control servers during this operation. Five C&C servers are utilized in this campaign designed to cavort systems that have security software installed on them as a means to thwart detection. The attack arms an already patched Chrome vulnerability (CVE-2019-5782) that permits an attacker to execute arbitrary code inside a sandbox via a specially crafted HTML page.

DneSpy and agfSpy which is the fully functional espionage backdoors utilizes the same process to attack a computer system. With a few other steps that are taken to make sure the backdoor is set on the device. Once connected to the server the dropper is received and completes it check for the anti-malware solution, once verified the three backdoor samples are executed in the form of a jpg. One change from previous versions of this attack is the use of Mattemost server to keep track of the deployment across multiple infected machines. An individual channel for each device is created to retrieve the collected information from the infected host.

These two backdoors collect information, capture screenshots and download and execute malicious commands received from the C&C servers. The results is then zipped, encrypted and filtrated to the servers. Operation Earth Kitsune according to researchers is complex and prolific thanks to the variety of components it uses and its interactions with infected devices.

In conclusion it looks to be like a group is behind this operation due to the custom codes that are implemented. This group has been very active throughout this year according to different cybersecurity firms especially in the months of March, May and September.



The E-ISAC has not established a specified threat to the electricity community based upon this attack at the moment, however, if a member experiences adversarial action based upon this information, or any other vulnerability, contact the E-ISAC Watch Operations Team, and create a Portal Post for instant community awareness.




Category Type:
Cyber Security
TLP - White
Shared Count (15)
  • Canadian CERTs
  • CRISP - Cyber Risk Info Sharing Program
  • DOE Complex
  • E-ISAC AOO Members
  • E-ISAC Staff
  • FBI, LE Fusion
  • FERC - OEIS, etc
  • International (other ISACs, CERTs)
  • Other (inc. local/state commissions)
  • Trade Organizations
  • Watch Floor