Cyber Security Threat Summary:
“RedEyes, a state-sponsored APT group also known as APT37, ScarCruft, and Reaper, has been identified as targeting individuals such as North Korean defectors, human rights activists, and university professors. Their objective is to monitor the lives of specific individuals. In May 2023, AhnLab Security Emergency response Center (ASEC) discovered RedEyes distributing and utilizing an Infostealer with wiretapping capabilities and a GoLang-based backdoor that exploits the Ably platform. The backdoor allowed the threat actor to send commands through the Ably service, with the API key value required for communication stored in a GitHub repository. This key value allowed anyone with knowledge of it to subscribe to the threat actor's channel” (ASEC, 2023).

“The threat actor used a CHM file disguised as a password file in spear phishing emails to initiate their breach. When executed, the CHM file displayed password information while triggering the execution of a malicious script from the threat actor's C&C server. A malicious PowerShell script executed by MSHTA.exe uses a command to register itself as an autorun registry key, allowing malicious scripts to be executed from the threat actor’s C&C server even after system reboots and maintain persistence” (ASEC, 2023).

“The threat actor utilized a backdoor based on GoLang and the Ably platform service to carry out various stages of the attack and C2 infrastracture, including privilege escalation, exfiltration, and malware distribution. ASEC managed to obtain the authentication key for the threat actor's Ably channel, allowing them to view the commands sent to the targets. The backdoor accessed a GitHub repository to dynamically retrieve the authentication key, ensuring its frequent change and preventing unauthorized access” (ASEC, 2023).

“The backdoor communicated through the Ably channel, using messages named "UP" and "DOWN" to transmit and receive data, including command execution results. After establishing command and control, the threat actor proceeds to employ a privilege escalation technique known as T1546.015, specifically the Event Triggered Execution: Component Object Model Hijacking. This technique allows the threat actor to execute additional malware on the compromised system” (ASEC, 2023).

Security Officer Comments:
Attributing cyber actions to specific countries is challenging due to the nature of cyber warfare. Both South Korea and North Korea had active cyber capabilities and were implicated in cyber incidents targeting each other and other entities in the past. The motive of the threat actor in utilizing the FadeStealer Infostealer was to steal valuable information from the targeted systems. The Infostealer's features, such as capturing screenshots, exfiltrating data, keylogging, and wiretapping, indicated a focus on gathering sensitive and confidential information from the infected PCs. The stolen information could be used for various malicious purposes, including espionage, identity theft, financial fraud, or gaining a competitive advantage. The specific motive behind the theft of information may have varied depending on the objectives of the threat actor or the entities they were affiliated with, “The Info stealer, had various features such as taking screenshots, exfiltrating data from removable media devices and smartphones, keylogging, and wiretapping. Exfiltrated data and used an integrated RAR compression utility to compress the data at 30-minute intervals with a password. It also employed the split compression feature to limit each volume to a maximum of 1 GB if the compressed file exceeded that size” (ASEC, 2023).

Suggested Correction(s):
It is crucial for users to avoid opening files from unknown sources. This is particularly important considering the recent activities of the group, which involves utilizing malware disguised as CHM and LNK files to initiate their attacks. It is advised to exercise caution and pay close attention to file extensions before executing any email attachments. By being vigilant in this regard, individuals can protect themselves from potential harm.

Link(s):
https://asec.ahnlab.com/en/54349/