The North Korean state-sponsored advanced persistent threat (APT) group RedEyes (also known as APT37, ScarCruft and Reaper) has been observed targeting individuals using wiretapping malware.
The campaign was discovered by AhnLab Security Emergency Response Center (ASEC), which described it in an advisory published on Wednesday.
“In May 2023 [we] discovered the RedEyes group distributing and using an infostealer with wiretapping features that was previously unknown along with a backdoor developed using GoLang that exploits the Ably platform,” reads the blog post.
In this new campaign, RedEyes initiated its attacks through spear-phishing emails carrying a Compiled HTML Help (CHM) file disguised as a password-protected document.
Upon execution, the CHM file triggered the execution of a PowerShell backdoor, allowing the threat actors to maintain persistence and control over the compromised systems.
“Using CHM is an older tactic. However, it clearly still works, demonstrating that a lack of vigilance on the part of the victim remains the primary vulnerability,” commented John Bambenek, principal threat hunter at Netenrich.
ASEC also discovered that the group used the Ably platform, a real-time data transfer and messaging service, to send commands and receive data from the infected systems.
“Using the Ably platform is an interesting technique as it looks like it could be legitimate traffic, and as such, harder for a cyber team to detect,” commented Andrew Barratt, vice president at Coalfire.
“What's interesting is Ably is also known for operating at a significant scale, which would then allow for a mass campaign to be executed, perhaps with thousands of targets.”
The wiretapping feature found in the recently deployed infostealer enabled the threat actors to monitor the activities of victims.
ASEC said it is actively monitoring the RedEyes group’s activities and taking steps to mitigate further damage.
“Organizations should be aware of these hard-to-detect threats,” warned Nick Rago, field CTO at Salt Security.
“To identify suspicious activities, including suspicious network connections to unknown domains or destinations, organizations must ensure they have appropriate endpoint and network protections in place.”
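The two behaviours the article describes, a CHM file launching a PowerShell backdoor and an infected host talking to a real-time messaging service, are both visible in ordinary endpoint telemetry. The script below is an added example, not code from ASEC or from the article: it runs two simple detection rules over constructed, simplified Sysmon-style JSON events (process creation and network connection) and escalates any host that trips both. The log format, the `.ably.io` / `.ably-realtime.com` hostname suffixes and the empty allowlist are assumptions for illustration; the fact that Windows opens `.chm` files with `hh.exe` is not.

```python
"""Detection logic for CHM -> script-host launches and for connections to a
real-time messaging SaaS that a host has no business using.

Added example; not code from ASEC or the article. Log lines are constructed,
simplified Sysmon-like JSON; the messaging-service hostnames are assumed.
"""
import json
from collections import defaultdict

# Windows opens .chm files with the HTML Help executable.
CHM_HANDLER = "hh.exe"
# Script hosts that hh.exe should never need to spawn.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# Assumed hostname suffixes for the messaging service (verify against your own traffic).
MESSAGING_SAAS_SUFFIXES = (".ably.io", ".ably-realtime.com")
# Hosts that legitimately use the service (assumed allowlist; empty here).
ALLOWED_HOSTS = set()

# Constructed sample telemetry, one JSON event per line (raw string: "\\" is a
# JSON-escaped backslash, so json.loads yields single backslashes).
SAMPLE_LOG = r"""
{"event": "process_create", "host": "ws01", "image": "C:\\Windows\\hh.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "hh.exe C:\\Users\\a\\Downloads\\password.chm"}
{"event": "process_create", "host": "ws01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\hh.exe", "cmdline": "powershell.exe -w hidden -enc <placeholder>"}
{"event": "network_connect", "host": "ws01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest_host": "realtime.ably.io", "dest_port": 443}
{"event": "process_create", "host": "ws02", "image": "C:\\Windows\\hh.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "hh.exe C:\\docs\\manual.chm"}
{"event": "network_connect", "host": "ws02", "image": "C:\\Program Files\\App\\app.exe", "dest_host": "cdn.example.com", "dest_port": 443}
"""


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Apply both rules; return one finding dict per matching event."""
    findings = []
    for e in events:
        if e["event"] == "process_create":
            parent, child = basename(e["parent_image"]), basename(e["image"])
            # Rule 1: the CHM handler spawning a script host (CHM -> PowerShell).
            if parent == CHM_HANDLER and child in SCRIPT_HOSTS:
                findings.append({"host": e["host"], "rule": "chm_spawns_script_host",
                                 "detail": f"{parent} -> {child}: {e['cmdline']}"})
        elif e["event"] == "network_connect":
            dest = e["dest_host"].lower()
            # Rule 2: any non-allowlisted host reaching the messaging service.
            if dest.endswith(MESSAGING_SAAS_SUFFIXES) and e["host"] not in ALLOWED_HOSTS:
                findings.append({"host": e["host"], "rule": "messaging_saas_c2_candidate",
                                 "detail": f"{basename(e['image'])} -> {dest}:{e['dest_port']}"})
    return findings


def correlate(findings):
    """Map each host to the set of rules it tripped."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["rule"])
    return dict(by_host)


def escalate(findings):
    """Hosts that tripped both rules: a CHM-launched script host plus an
    outbound channel to the messaging service is a strong combined signal."""
    return sorted(h for h, rules in correlate(findings).items() if len(rules) == 2)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for f in found:
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
    print("escalate:", escalate(found))
```

Either rule alone is noisy in a real estate (help files are opened legitimately; a development team may use the same SaaS), which is why the allowlist exists and why the combined signal is escalated separately. In a production pipeline the same two checks map directly onto Sysmon event IDs 1 and 3 or the equivalent EDR telemetry.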