In recent cybersecurity developments, the North Korean threat actor known as ScarCruft has been identified deploying sophisticated information-stealing malware with previously undocumented wiretapping features. The AhnLab Security Emergency Response Center (ASEC) discovered that ScarCruft utilized a backdoor developed using Golang, exploiting the Ably real-time messaging service.
The threat actor employed the Golang backdoor to send commands, storing the necessary API key value for command communication in a GitHub repository. ScarCruft, identified as a state-sponsored outfit linked to North Korea’s Ministry of State Security (MSS), has been active since at least 2012. The attack chains orchestrated by ScarCruft involve spear-phishing lures to deliver RokRAT, a known custom tool for harvesting sensitive information. In a May 2023 intrusion detected by ASEC, ScarCruft utilized a Microsoft Compiled HTML Help (.CHM) file, which, when opened, initiated the download of a PowerShell malware named Chinotto.
Chinotto set up persistence, retrieved additional payloads, and introduced a backdoor codenamed AblyGo, exploiting the Ably API service for command-and-control. AblyGo then served as a conduit for executing FadeStealer, an information stealer malware equipped with features such as taking screenshots, gathering data from removable media and smartphones, logging keystrokes, and recording the microphone. The RedEyes group, identified as ScarCruft, specifically targets individuals like North Korean defectors, human rights activists, and university professors, with a primary focus on information theft. Despite strict regulations against unauthorized eavesdropping in South Korea, ScarCruft’s wiretapping activities violate privacy laws. Additionally, CHM files have been used by other North Korea-affiliated groups like Kimsuky, indicating a broader trend of cyber threats from the region. These findings underscore the increasing sophistication of state-sponsored cyber threats and the ongoing efforts by such groups to exploit vulnerabilities for espionage and data theft.
Reference:
