North Korean Hacking Group Exploits Wiretapping Capabilities with New Malware

A cybersecurity firm has discovered that a hacking group connected to the North Korean government is utilizing new wiretapping malware in recent surveillance attacks.
This development raises concerns about privacy violations and underscores the group’s focus on information theft.
Key Takeaways:
- APT37, a North Korean hacking group, has been found using wiretapping malware with microphone surveillance capabilities.
- The group employed a CHM payload disguised as a password in spear-phishing emails to distribute the malware.
- AhnLab’s discovery reveals the group’s focus on information theft and its violation of privacy regulations.
AhnLab, a South Korean cybersecurity firm, has revealed that an APT group known as APT37, with aliases including Group123, InkySquid, Reaper, RedEyes, and ScarCruft, has been involved in recent surveillance attacks employing wiretapping malware.
This hacking team, with documented links to the North Korean government, has a history of targeting North Korean defectors, human rights activists, journalists, and policymakers for surveillance purposes.
APT37’s Wiretapping Malware Leveraging Ably and CHM Payload
The recent attacks discovered by AhnLab in May 2023 uncovered the use of a Go-based backdoor by APT37, which exploits the Ably platform for real-time data transfer.
Additionally, the group employed a previously unknown information stealer with microphone wiretapping capabilities. Spear phishing emails carrying a password-protected document and a CHM (Compiled HTML Help File) payload were used to lure victims into executing the malicious CHM file.
Execution of the Wiretapping Malware and Persistence Mechanisms
When the CHM file is opened, it displays a password and, via MSHTA, triggers a malicious script. The resulting PowerShell backdoor achieves persistence by registering a registry key and can execute commands received from the command-and-control (C&C) server.
The backdoor possesses various capabilities such as exfiltrating file information, downloading files, modifying registries, and deleting files.
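The execution chain described above (CHM file, MSHTA-launched script, PowerShell backdoor persisting through the registry) gives a defender a few concrete process and registry relationships to alert on. The following detection logic is an added example, not AhnLab's code or anything from the article; it runs over constructed Sysmon-style events and assumes hh.exe as the CHM host process and a CurrentVersion\Run key as the persistence location, neither of which the article specifies.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (assumption).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\victim\AppData\Local\Temp\lure.hta"'},
    {"type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc <base64-placeholder>"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": "powershell.exe -w hidden -c <placeholder>"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

SCRIPT_HOSTS = ("mshta.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "cmd.exe")
# Hidden window, encoded command or policy bypass on a PowerShell command line.
SUSPICIOUS_PS = re.compile(r"-(w|win|windowstyle)\s+h|-enc\b|-encodedcommand|-ep\s+bypass", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the rule names that fire for one event (empty list if none)."""
    findings = []
    if event["type"] == "process":
        parent, image = basename(event["parent"]), basename(event["image"])
        if parent == "hh.exe" and image in SCRIPT_HOSTS:
            findings.append("chm_spawns_script_host")
        if parent == "mshta.exe" and image in ("powershell.exe", "pwsh.exe"):
            findings.append("mshta_spawns_powershell")
        if image in ("powershell.exe", "pwsh.exe") and SUSPICIOUS_PS.search(event["cmdline"]):
            findings.append("suspicious_powershell_args")
    elif event["type"] == "registry":
        # A script host written into an autorun key is the persistence signal.
        if event["key"].lower().endswith("\\currentversion\\run") and \
                re.search(r"powershell|pwsh|mshta|wscript|cscript", event["data"], re.I):
            findings.append("run_key_script_host")
    return findings


def scan(events):
    """Pair each firing rule with the index of the event that triggered it."""
    return [(i, name) for i, ev in enumerate(events) for name in detect(ev)]
```

Correlating the first three findings on one host within a short window is what turns these individually noisy signals into a high-confidence alert.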
The Role of AblyGo Backdoor and the Information Stealer
APT37 also leveraged a Go-based backdoor, utilizing the Ably platform service for data transfer, to escalate privileges, exfiltrate data, and deploy malware.
Ultimately, the AblyGo backdoor and the PowerShell script were utilized to execute an information stealer named FadeStealer. This malware, apart from stealing data from removable devices, capturing screenshots, and logging keystrokes, includes wiretapping functionalities.
Conclusion
The discovery of APT37’s utilization of wiretapping capabilities through new malware highlights the group’s persistent targeting of individuals and organizations for surveillance purposes.
This development raises concerns about privacy violations and underscores the importance of robust cybersecurity measures to protect against such threats.