A North Korean threat actor known as ScarCruft has been observed using information-stealing malware with previously undocumented wiretapping features, as well as a Golang-based backdoor that abuses the real-time messaging service Ably for command-and-control.
“Threat actors transmit their commands through the backdoor of Golang using the Ably service,” AhnLab’s Security Emergency Response Center (ASEC) said in technical reports. “The API key values required for command communication are stored in the GitHub repository.”
ScarCruft is a state-sponsored group with ties to North Korea's Ministry of State Security (MSS). It has been active since at least 2012.
The group's attack chains typically rely on spear-phishing lures to deliver RokRAT, although it has also used various other specialized tools to harvest sensitive information.
In the latest intrusion detected by ASEC, the email carries a Microsoft Compiled HTML Help (.CHM) file — a tactic first reported in March 2023 — that, when opened, contacts a remote server to download PowerShell malware known as Chinotto.
Chinotto, in addition to establishing persistence, retrieves additional payloads, including a backdoor codenamed AblyGo (aka SidLevel by Kaspersky) that abuses Ably for command-and-control.
It didn't end there, though: AblyGo was in turn used as a conduit to execute an information-stealing malware dubbed FadeStealer, which comes with features to take screenshots, gather data from removable media and smartphones, log keystrokes, and record audio from the microphone.
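As an added defender-side illustration (not code from ASEC or the article), the chain described above leaves two correlatable traces on an endpoint: the CHM viewer spawning PowerShell, and a non-browser process fetching from GitHub (where the article says the Ably API keys are kept) shortly before connecting to Ably. The telemetry format, the `hh.exe` parent name, the host names and the sample events are assumptions constructed for this example, not indicators from the report.

```python
from datetime import datetime, timedelta

# Assumed hosts for illustration (not IoCs from the ASEC report)
ABLY_HOSTS = {"rest.ably.io", "realtime.ably.io"}
GITHUB_HOSTS = {"raw.githubusercontent.com", "api.github.com", "github.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
CHM_HANDLER = "hh.exe"  # Windows CHM viewer; assumption, not named in the article


def parse(line):
    """Parse one constructed telemetry line: '<iso-ts>|<proc|net>|k=v;k=v'."""
    ts, kind, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(";"))
    fields["ts"] = datetime.fromisoformat(ts)
    fields["kind"] = kind
    return fields


def analyze(lines, window=timedelta(minutes=10)):
    """Return (alert_name, pid) tuples for the two patterns; events must be time-ordered."""
    events = [parse(l) for l in lines]
    alerts = []
    # Pattern 1: CHM viewer spawning PowerShell (the initial-access step in the article)
    for e in events:
        if e["kind"] == "proc" and e["parent"].lower() == CHM_HANDLER \
                and "powershell" in e["image"].lower():
            alerts.append(("chm_spawns_powershell", e["pid"]))
    # Pattern 2: the same non-browser process contacts GitHub, then Ably, within the window
    github_seen = {}
    for e in events:
        if e["kind"] != "net" or e["image"].lower() in BROWSERS:
            continue
        if e["dst"] in GITHUB_HOSTS:
            github_seen[e["pid"]] = e["ts"]
        elif e["dst"] in ABLY_HOSTS and e["pid"] in github_seen \
                and e["ts"] - github_seen[e["pid"]] <= window:
            alerts.append(("github_key_then_ably_c2", e["pid"]))
    return alerts


# Constructed sample telemetry: one infected host plus benign browser traffic
SAMPLE = [
    "2023-06-20T09:00:01|proc|pid=4120;image=powershell.exe;parent=hh.exe",
    "2023-06-20T09:00:05|net|pid=4120;image=powershell.exe;dst=203.0.113.10",
    "2023-06-20T09:01:10|proc|pid=4300;image=svc.exe;parent=powershell.exe",
    "2023-06-20T09:01:12|net|pid=4300;image=svc.exe;dst=raw.githubusercontent.com",
    "2023-06-20T09:01:15|net|pid=4300;image=svc.exe;dst=realtime.ably.io",
    "2023-06-20T09:02:00|net|pid=5000;image=chrome.exe;dst=github.com",
    "2023-06-20T09:02:05|net|pid=5000;image=chrome.exe;dst=realtime.ably.io",
]

if __name__ == "__main__":
    for name, pid in analyze(SAMPLE):
        print(f"ALERT {name} pid={pid}")
```

Browser processes are excluded because legitimate web apps use both GitHub and Ably; in production the same correlation would key on process identity and signer rather than image name alone.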
“The RedEyes group carried out attacks against certain individuals such as North Korean defectors, human rights activists, and university professors,” ASEC said. “Their primary focus is information theft.”
“Unlawful eavesdropping on individuals in South Korea is considered an invasion of privacy and strictly regulated under relevant laws. Despite this, threat actors monitor everything victims do on their PCs and even carry out wiretapping.”
CHM files have also been used by other North Korea-affiliated groups such as Kimsuky, with SentinelOne revealing a recent campaign that leveraged the file format to deliver a reconnaissance tool called RandomQuery.
In a new series of attacks discovered by ASEC, the CHM file is configured to drop a BAT file, which is then used to download the next-stage malware and exfiltrate user information from the compromised host.
Spear-phishing, which has been Kimsuky's favored initial-access technique for more than a decade, is usually preceded by extensive research and careful preparation, according to an advisory from U.S. and South Korean intelligence agencies.
The findings also follow the Lazarus Group's active exploitation of security flaws in software such as INISAFE CrossWeb EX, MagicLine4NX, TCO!Stream, and VestCert, which are widely used in South Korea, to break into companies and spread malware.