iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Hackers backed by the North Korean government have been observed using wiretapping malware as part of a campaign of surveillance attacks.
South Korean cyber security firm AhnLab said that the advanced persistent threat (APT, or in this case, APT37) was discovered most recently in May this year and that the malware was being delivered via spear phishing email with a password-protected document, alongside a CHM (Compiled HTML Help File) disguised as the password for it.
When the CHM is opened, a malicious PowerShell backdoor is injected and launched, allowing it to execute commands received from the command-and-control server.
This allows hackers to collect files and file information, as well as edit registries, modify file names, delete files, download files and more. In addition, AhnLab observed the hackers deploying malware using a Go-based backdoor via the Ably platform service for data transfer, as well as escalating their privileges and exfiltrating data.
AhnLab adds that the PowerShell script and Go-based backdoor were used to execute an information stealer known as FadeStealer, which is capable of logging keystrokes, stealing removable device data, taking screenshots and, of course, wiretapping.
“[APT37’s] primary focus is on information theft, and an info stealer with a feature to wiretap microphones was discovered in this recent attack case,” said AhnLab.
“Unauthorised eavesdropping on individuals in South Korea is considered a violation of privacy and is strictly regulated under relevant laws.
“Despite this, the threat actor monitored everything victims did on their PC and even conducted wiretapping.”
The APT37 hacking group, also known as RedEyes, ScarCruft or Reaper, is a state-sponsored group known for targeting individual victims that act against the North Korean government’s regime, such as human rights activists, university professors and North Korean defectors, according to AhnLab.
“Their task is known to be monitoring the lives of specific individuals,” it added.
AhnLab said that the attack launched by APT37 was carried out “cleverly and precisely” and that the spear phishing techniques the attacker used are difficult to detect by individuals. As a result, the cyber firm has said that it is maintaining close surveillance on the hacking group’s activities to “prevent further damage”.
The firm has also advised that users remain vigilant with files from unknown sources and that additional caution should be exercised with files using the CHM and LNK extensions.
“Since the group in question has recently been using malware based on CHM and LNK extensions to perform their initial breach, extra attention should be given to the file extensions when executing email attachments,” said AhnLab.
As the file extensions for these types are hidden by default, users should disable the “Hide Extensions for known file types” setting in their file explorer.
Be the first to hear the latest developments in the cyber industry.
