The North Korean hacking group APT37 is using new information-stealing malware called ‘FadeStealer’ that contains an ‘eavesdropping’ feature, enabling the threat actor to spy on victims by recording audio from their microphones.

APT37, also known as ScarCruft, Reaper or RedEyes, is considered a state-sponsored hacking group with a long history of cyber espionage attacks aligned with North Korean interests. These attacks target North Korean defectors, educational institutions and organizations based in the EU.

In the past, the hackers have been known to use custom malware called “Dolphin” and “M2RAT” to execute commands and steal data, credentials and screenshots from infected Windows devices and even connected mobile phones.

It starts with a CHM file

In a new report from the AhnLab Security Emergency Response Center (ASEC), researchers provide information on new custom malware called “AblyGo backdoor” and “FadeStealer” that threat actors are using in cyber espionage attacks.

The ScarCruft attack flow
Source: ASEC

The malware is believed to be delivered via phishing emails with attached archives containing password-protected Word and Hangul Word documents (.docx and .hwp files) and a Windows CHM file named “password.chm”.

ASEC believes that the phishing emails ask the recipient to open the CHM file to obtain the documents’ password, which triggers the infection process on the Windows device.

Once the CHM file is opened, it displays the supposed password for the documents, but it also quietly downloads and runs a remote PowerShell script that contains backdoor functionality and is registered to start automatically with Windows.

This PowerShell backdoor communicates with the attackers’ command and control servers and executes all commands sent by the attackers.

The backdoor is used to deploy an additional GoLang backdoor that is used in later stages of the attack to perform privilege escalation, data theft, and distribution of other malware.

This new backdoor is called “AblyGo backdoor” because it uses the Ably platform, an API service that lets developers add real-time functionality and stream information into their applications.

The threat actors use Ably as a command and control platform: base64-encoded commands are sent to the backdoor for execution, and the resulting output is posted back to the channel, where the threat actors later retrieve it.

Because Ably is a legitimate platform, the threat actors likely use it to blend in with normal traffic and evade network monitoring and security software.

ASEC gained access to the Ably API key used by the backdoor and was able to monitor some of the commands issued by the attackers. These commands illustrated how hackers used the backdoor to list files in a directory, rename a fake .jpg file to an .exe file, and then run it.

However, it is technically possible for the threat actor to send any command they wish to execute.

FadeStealer listens to your device

Ultimately, the backdoors deploy a final payload in the form of “FadeStealer”, an information-stealing malware capable of stealing a wide variety of information from Windows devices.

Once installed, FadeStealer is loaded via DLL sideloading into the legitimate Internet Explorer process “ieinstall.exe”, then begins collecting data from the device and packing it into RAR archives every 30 minutes.

The data includes screenshots, recorded keystrokes, and files collected from connected smartphones and removable devices. The malware can also record audio from a connected microphone, allowing the threat actors to eavesdrop on conversations.

This data is collected in the following %Temp% folders:

Folder path                        Exfiltrated data
%temp%\VSTelems_Fade\NgenPdbc      Screenshots
%temp%\VSTelems_Fade\NgenPdbk      Keylogging
%temp%\VSTelems_Fade\NgenPdbm      Microphone wiretapping
%temp%\VSTelems_FadeIn             Smartphone data collection
%temp%\VSTelems_FadeOut            Removable media devices
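The staging folders above are the most concrete host artifact in the report, so a triage check can look for them directly. The following PowerShell is an added example, not code from ASEC or from the malware; it assumes standard per-user Temp locations under C:\Users and uses only the folder names, archive format and host process named in the article.

```powershell
# Added triage check (not from the ASEC report): look for the FadeStealer
# staging folders and their RAR archives under every user's Temp directory,
# then flag any running ieinstall.exe, the sideloading host named above.
$fadeDirs = @(
    'VSTelems_Fade\NgenPdbc',   # screenshots
    'VSTelems_Fade\NgenPdbk',   # keystrokes
    'VSTelems_Fade\NgenPdbm',   # microphone recordings
    'VSTelems_FadeIn',          # smartphone data
    'VSTelems_FadeOut'          # removable media
)

# Enumerate every profile's local Temp, not just the current user's %temp%.
$tempRoots = @(Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' } |
    Where-Object { Test-Path -LiteralPath $_ })
$tempRoots += $env:TEMP

$findings = foreach ($root in ($tempRoots | Sort-Object -Unique)) {
    foreach ($rel in $fadeDirs) {
        $full = Join-Path $root $rel
        if (Test-Path -LiteralPath $full) {
            $rars = @(Get-ChildItem -LiteralPath $full -Filter '*.rar' -File -Recurse -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Path      = $full
                RarCount  = $rars.Count
                NewestRar = ($rars | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
            }
        }
    }
}

if ($findings) {
    Write-Warning 'FadeStealer staging folders present: isolate the host and preserve the archives for analysis.'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No FadeStealer staging folders found under user Temp directories.'
}

# FadeStealer runs inside ieinstall.exe via DLL sideloading, so any running
# instance warrants a review of the modules it has loaded (admin rights may be
# needed to inspect processes owned by other users).
Get-Process -Name ieinstall -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Warning "ieinstall.exe running (PID $($_.Id)); review its loaded modules:"
    $_.Modules | Select-Object ModuleName, FileName | Format-Table -AutoSize
}
```

A hit on the folders alone is sufficient grounds to isolate the host; the archive timestamps help scope how long collection has been running.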

Threat actors can then analyze this collected data to steal sensitive information for use by the North Korean government or carry out other attacks.

APT37 is not the only North Korean threat actor using CHM files to deploy malware.

ASEC also reported today that the state-sponsored hacking group Kimsuky uses CHM files in phishing attacks to deploy malicious scripts that steal user information and install additional malware.

“If you look at the overall attack flow in this case, the threat actor carried out their attack intelligently and precisely, using spear phishing emails to gain access to target systems and using an Ably channel as a command and control server,” concluded the researchers.

“These kinds of attacks are hard for individuals to notice.”
