The North Korean government-backed Advanced Persistent Threat (APT) group RedEyes (also known as APT37, ScarCruft, and Reaper) has been observed using sniffing malware to target individuals.
The campaign was discovered by the AhnLab Security Emergency Response Center (ASEC) and described in an advisory published Wednesday.
“In May 2023 [we] discovered that the RedEyes group is distributing and using an infostealer with previously unknown eavesdropping capabilities, along with a backdoor developed using GoLang that exploits the Ably platform,” the blog post said.
In this new campaign, RedEyes launched its attacks through spear-phishing emails containing compiled HTML help files (CHM) masquerading as password-protected documents.
For more information on phishing attacks by this threat actor, see South Korean lures used to deploy ROKRAT malware.
When the CHM file is executed, it triggers the execution of a PowerShell backdoor, allowing the threat actor to maintain persistence and control over the compromised system.
“The use of CHM is an old tactic, but it is clear that it still works, indicating that lack of vigilance on the part of the victim is still a key vulnerability,” commented John Bambenek, lead threat hunter at Netenrich.
ASEC also discovered that the group was using the Ably platform, a real-time data transfer and messaging service, to send commands and receive data from infected systems.
“The use of the Ably platform is an interesting tactic as it can be legitimate traffic that is difficult for cyber teams to detect,” commented Andrew Barratt, Vice President of Coalfire.
“Interestingly, Ably is also known to operate at scale, which will likely allow it to run large-scale campaigns with thousands of targets.”
The eavesdropping capabilities of the newly discovered infostealer allow the attackers to monitor victim activity on the compromised system.
ASEC said it was actively monitoring the RedEyes group’s activities and taking steps to mitigate further damage.
“Organizations need to be aware of these hard-to-detect threats,” warns Nick Rago, field CTO at Salt Security.
“To identify suspicious activity, such as suspicious network connections to unknown domains or destinations, organizations must ensure they have appropriate endpoint and network protections in place.”
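As an added illustration, not code from the ASEC advisory or from the campaign itself, the following Python detection walks constructed Sysmon-style process-creation and network events and flags the chain described above: the Windows help viewer (hh.exe, which opens CHM files) spawning PowerShell, followed by that process contacting a destination outside the organisation's allowlist. The PIDs, hostnames and allowlist are made-up sample values.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (EventID 1 = process creation, 3 = network
# connection). These are illustrative samples, not telemetry from the ASEC report.
SAMPLE_EVENTS = [
    r"EventID=1 Pid=4100 Image=C:\Windows\hh.exe ParentImage=C:\Windows\explorer.exe CommandLine=hh.exe C:\Users\u\Downloads\invoice.chm",
    r"EventID=1 Pid=4172 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\hh.exe CommandLine=powershell.exe -w hidden -enc REDACTED",
    r"EventID=3 Pid=4172 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe DestinationHostname=realtime.example.invalid DestinationPort=443",
    r"EventID=1 Pid=5000 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine=powershell.exe Get-Process",
    r"EventID=3 Pid=5000 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe DestinationHostname=update.example-vendor.invalid DestinationPort=443",
    r"EventID=3 Pid=5000 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe DestinationHostname=cdn.example.invalid DestinationPort=443",
]

# Destinations the organisation has vetted (constructed); anything else a script
# host talks to counts as an "unknown domain" in the sense of the quote above.
KNOWN_HOSTS = {"update.example-vendor.invalid"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# key=value pairs; values may contain spaces, so stop before the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def basename(path):
    return PureWindowsPath(path).name.lower()

def detect(events):
    """Return (rule, pid, detail) findings for the CHM -> PowerShell -> network chain."""
    findings = []
    flagged_pids = set()
    for line in events:
        ev = parse_event(line)
        pid = ev.get("Pid")
        if ev.get("EventID") == "1":
            # Rule 1: the CHM viewer spawning a script host is the delivery pattern
            # behind the CHM-triggered PowerShell backdoor.
            if basename(ev.get("ParentImage", "")) == "hh.exe" and basename(ev.get("Image", "")) in SCRIPT_HOSTS:
                flagged_pids.add(pid)
                findings.append(("chm_spawns_script_host", pid, ev.get("CommandLine", "")))
        elif ev.get("EventID") == "3":
            host = ev.get("DestinationHostname", "")
            # Rule 2: any outbound connection from a process flagged by rule 1, or a
            # script host reaching a destination that is not on the allowlist.
            if pid in flagged_pids:
                findings.append(("flagged_process_network", pid, host))
            elif basename(ev.get("Image", "")) in SCRIPT_HOSTS and host not in KNOWN_HOSTS:
                findings.append(("script_host_unknown_destination", pid, host))
    return findings

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}\tpid={pid}\t{detail}")
```

Real deployments would feed the same rules from the EDR's event stream and tune KNOWN_HOSTS from observed traffic; note that a legitimate messaging service such as Ably will not look malicious by reputation alone, which is why the process-chain context matters.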
More information on endpoint detection and response (EDR) tools is available in this analysis by security expert Robert Clyde.