APT37 Exploited Messaging App to Plant Wiretapping Malware

State-Sponsored Group Found Backdoor Using Ably's Instant Messaging Function
North Korean hacking group APT37 exploited a data transfer and messaging application to inject info-stealing malware with wiretapping capabilities into the devices of targeted individuals in South Korea.
The state-backed cybercrime group, also known as ScarCruft and Reaper, primarily employs spear-phishing to compromise the devices of targeted South Korea-based individuals, defectors and human rights activists. The group in May used the same technique to inject wiretapping malware using a backdoor that exploited Ably, a commercial instant messaging, data synchronization and data transfer application.
Researchers at the South Korean AhnLab Security Emergency Response Center (ASEC) on Wednesday reported that APT37 had used a combination of a decoy document, a Compiled HTML Help (CHM) file, an info-stealing malware that could wiretap microphones, and a backdoor written in Go to spy on targeted victims.
The threat group emailed victims a password-protected decoy Word document and a malicious CHM file disguised as a password file. When opened, the CHM file displayed the password but also executed PowerShell malware that maintained persistence through an autorun registry key.
The malware communicated with a command-and-control server and performed actions such as compressing folders in a specific path and sending the compressed files to the command-and-control server, downloading specific files to a path, renaming or deleting specific files, and relaying system information to the command-and-control server.
APT37 also deployed a backdoor that used Ably's real-time messaging function to receive messages from the command-and-control server. The backdoor enabled the hackers to perform later-stage privilege escalation, exfiltration and malware distribution. Cybersecurity company Sekoia in March warned about this APT group exploiting Ably to bypass two-factor authentication and run a browser automation script in infected devices.
According to ASEC researchers, once the AblyGo backdoor is executed on an infected device, APT37 determines the ID of the device and sends additional commands via CMD to execute additional malware and also a fileless info-stealer malware, dubbed FadeStealer by ASEC, which is capable of taking screenshots, logging keystrokes, exfiltrating data and wiretapping microphones.