
North Korean Hackers Utilize New Malware With Wiretapping Functionality, Warn Cybersecurity Experts

Written by: Shipra Sanganeria, Cybersecurity & Tech Writer

A malicious infostealer dubbed FadeStealer was recently discovered by researchers at AhnLab. The malware is capable of wiretapping, stealing data from smartphones and removable media devices, keylogging, and capturing screenshots, and it is being used by a state-sponsored threat actor from North Korea.

The threat actor, identified as APT37 and also known as RedEyes, ScarCruft, and Reaper, generally carries out surveillance activities, targeting human rights activists, North Korean defectors, and university professors.

The group's latest attack was discovered by South Korea-based AhnLab in May 2023, when researchers observed APT37 using malware with a previously undocumented wiretapping capability. To exfiltrate data, it has a backdoor function that uses the Ably platform (a real-time data transfer and messaging service), and it has been written in the cross-platform Go language (Golang).

The campaign saw RedEyes use a spear-phishing email tactic in which the threat actor sent a CHM (Compiled HTML Help) file disguised as a password-protected document. Once executed, the CHM file not only displays a password but also triggers the download of a malicious file from a threat-actor-controlled C2 server. The dropped script is PowerShell malware with backdoor functionality: it maintains persistence via an autorun registry key and executes commands received from the attacker-controlled C2 server.
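The article only notes that the PowerShell backdoor persists through an autorun registry key. The following is an added, defender-side example (not code from the article or from AhnLab) that audits the per-user and machine-wide Run keys and flags values which launch PowerShell with hidden-window, execution-policy-bypass or encoded-command switches, the kind of entry such persistence typically leaves behind. The sample entries, the key paths checked and the heuristic patterns are assumptions for illustration, not indicators taken from the campaign.

```powershell
# Added example, not from the article: heuristic audit of Run-key autoruns.
# Flags a command line that starts PowerShell and uses switches commonly seen
# in autorun backdoors. Patterns are illustrative assumptions, not campaign IoCs.
function Test-SuspiciousRunValue {
    param([Parameter(Mandatory)][string]$Command)
    [string[]]$flags = @()
    # -match is case-insensitive by default in PowerShell
    if ($Command -match 'powershell(\.exe)?|pwsh')                        { $flags += 'launches-powershell' }
    if ($Command -match '-w(indowstyle)?\s+hidden')                        { $flags += 'hidden-window' }
    if ($Command -match '-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}')     { $flags += 'encoded-command' }
    if ($Command -match '-ep\s+bypass|-executionpolicy\s+bypass')          { $flags += 'execution-policy-bypass' }
    if ($Command -match '\\(AppData|Temp|ProgramData)\\')                  { $flags += 'user-writable-path' }
    return $flags
}

# Takes objects with Hive, Name and Command properties; emits one finding per flagged entry.
function Get-RunKeyFindings {
    param([Parameter(Mandatory)][object[]]$Entries)
    foreach ($e in $Entries) {
        $flags = Test-SuspiciousRunValue -Command $e.Command
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Hive    = $e.Hive
                Name    = $e.Name
                Command = $e.Command
                Flags   = ($flags -join ',')
            }
        }
    }
}

# Read-only live collection on a Windows host: enumerates both common Run keys.
function Get-LiveRunEntries {
    $paths = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $props = Get-ItemProperty -Path $p
        foreach ($prop in $props.PSObject.Properties) {
            # Skip the provider metadata (PSPath, PSParentPath, ...) that Get-ItemProperty adds
            if ($prop.Name -like 'PS*') { continue }
            [pscustomobject]@{ Hive = $p; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
}

# Constructed sample entries (assumption, not real data): one benign, one resembling
# a hidden PowerShell autorun. The base64 payload is a placeholder, not a real command.
$sample = @(
    [pscustomobject]@{ Hive = 'HKCU'; Name = 'VendorTray'; Command = '"C:\Program Files\Vendor\tray.exe" /minimized' },
    [pscustomobject]@{ Hive = 'HKCU'; Name = 'Updater';    Command = 'powershell.exe -w hidden -ep bypass -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB' }
)

# Offline run over the constructed sample; replace with (Get-LiveRunEntries) on a real host.
Get-RunKeyFindings -Entries $sample | Format-Table -AutoSize
```

On the sample, only the `Updater` entry is reported, with the flags `launches-powershell,hidden-window,encoded-command,execution-policy-bypass`. The `user-writable-path` heuristic is deliberately weak on its own, since legitimate software such as cloud-sync clients also runs from `AppData`; treat it as corroborating context rather than a verdict, and pair the audit with decoding and reviewing any `-EncodedCommand` payload before acting on a finding.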

The primary focus of the threat actors is stealing information, and they carried out the attack stealthily to gain access to targeted systems. "These sorts of attacks are difficult for individuals to notice. As such, ASEC is closely tracking the activities of the RedEyes group and responding promptly to prevent further damage," the advisory stated.

To mitigate the risk of cyberattacks, AhnLab experts also recommended that users remain vigilant and exercise caution when opening emails or files from unknown sources. The increasing use of infostealer malware and phishing campaigns makes it imperative that users monitor their accounts in order to identify and mitigate any security threat.
