RedEyes APT

A group of hackers from North Korea, known as RedEyes (aka APT37, ScarCruft, and Reaper), has recently been identified by the researchers at AhnLab Security using a new info-stealer that is dubbed “FadeStealer.”

FadeStealer comes with an exceptional feature that enables threat actors to listen in and capture audio through the victims’ microphones, and this feature is dubbed ‘wiretapping.’

Since at least 2012, RedEyes has been known to be active, and it’s a state-sponsored APT group that is affiliated with North Korea’s Ministry of State Security (MSS).

Cyber Security News reported another incident about RedEyes Hacking Group (aka APT37) for its cyber espionage activities, which has recently adopted a new tactic in its efforts to collect intelligence from targeted individuals. 

This hacking group has been known for its long-standing involvement in cyber espionage attacks that are aligned with the interests of North Korea, and its focus areas include:-

  • North Korean traitors
  • Educational institutions
  • EU-based organizations

Attack Flow

The initial breach was executed by the threat actor through the use of a CHM file. Targets were likely tricked with spear phishing emails containing password-protected documents and hidden malware disguised as a password file.

ASEC thinks the phishing emails urge people to open the CHM file to get the document password, which infects their Windows computer.

The CHM file secretly downloads a PowerShell script and shows a fake password for the document when it’s opened. Once Windows boots up, the hand operates as a backdoor and starts running automatically.

RedEyes APT

By connecting with the command and control servers operated by the attackers, the PowerShell backdoor receives and carries out commands sent by them.

In the later phases of the attack, the backdoor serves the purpose of deploying an additional GoLang backdoor. This secondary backdoor enables activities such as:-

  • Privilege escalation
  • Data theft
  • Delivery of further malware

Along with the FadeStealer researchers also found a custom malware, “AblyGo backdoor” that is used by the threat actors.

AblyGo backdoor uses the platform of API service provider, Ably which operates as a command and control platform used by the threat actors.

Through this platform, base64-encoded commands are sent to the backdoor for execution, while any resulting output is received and later retrieved by the threat actors.

By acquiring the Ably API key used by the backdoor, ASEC managed to monitor specific commands that the threat actors execute, Researchers said.

Deployment of FadeStealer

In the end, the backdoors install ‘FadeStealer,’ a type of malware that steals different information from Windows devices.

With the help of DLL sideloading into the ‘ieinstall.exe,’ a legit Internet Explorer process, the FadeStealer is injected after the installation.

RedEyes APT

Besides this, every 30 minutes, it also extracts the data from the device and then stores them in RAR archives.

Here below we have mentioned the types of data it steals:-

  • Screenshots
  • Logged keystrokes
  • Files collected from connected smartphones
  • Files collected from connected removable devices
  • Microphone wiretapping

Moreover, multiple North Korean threat actors utilize CHM files to distribute malware, and RedEyes (aka APT37, ScarCruft, and Reaper) is just one of them.

Manage and secure Your Endpoints EfficientlyFree Download

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.