ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks

The North Korean hacking group ScarCruft, which is believed to be sponsored by the North Korean Ministry of State Security (MSS), has recently been observed using a new information-stealing malware. The toolset includes previously unseen wiretapping capabilities and a backdoor written in Golang that abuses the Ably real-time messaging service as its command channel.

According to a technical report from the AhnLab Security Emergency Response Center (ASEC), ScarCruft used the Ably service as the command channel for its Golang backdoor. The API key needed for that command communication was found stored in a GitHub repository.

ScarCruft has been active since at least 2012 and is known for its spear-phishing tactics and use of various custom tools to gather sensitive data. In a recent attack detected by ASEC in May 2023, the group employed a Microsoft Compiled HTML Help (.CHM) file sent via email. When the file was opened, it connected to a remote server to download a PowerShell-based malware called Chinotto. Chinotto not only establishes persistence but also retrieves additional payloads, including a backdoor named AblyGo (tracked as SidLevel by Kaspersky) that abuses the Ably API service for command-and-control purposes.

Additionally, the AblyGo backdoor serves as a pathway for executing a malware known as FadeStealer, which is specifically designed to steal information. FadeStealer possesses various functionalities, including capturing screenshots, extracting data from removable devices and smartphones, logging keystrokes, and recording audio using the microphone.

According to ASEC, the RedEyes group (ASEC's name for ScarCruft) is responsible for these attacks, specifically targeting individuals such as North Korean defectors, human rights activists, and university professors. Their main objective is information theft.

It is important to note that unauthorized surveillance of individuals in South Korea violates privacy and is strictly regulated by law. Despite these regulations, the threat actor was able to monitor all activity the victims performed on their computers and even engaged in wiretapping.

Not only ScarCruft, but other North Korea-affiliated groups like Kimsuky have also utilized CHM files in their operations. Recently, SentinelOne disclosed a campaign by Kimsuky that employed CHM files to deliver a reconnaissance tool called RandomQuery.

ASEC has identified a new series of attacks where CHM files are configured to drop a BAT file. This BAT file is then used to download further malware and extract user information from the compromised host.
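Both the ScarCruft chain above (a CHM file that pulls down PowerShell-based Chinotto) and the Kimsuky variant that drops a BAT file share one observable step on the endpoint: the Windows HTML Help viewer, hh.exe, spawning a shell or script host. The following detection helper is an added example written for this article, not code from ASEC or any of the reports cited. It assumes Sysmon-style process-creation telemetry flattened to one dictionary per event with `Image`, `ParentImage` and `CommandLine` fields; the event list, the file names and the placeholder URL are constructed for illustration.

```python
"""Flag HTML Help (hh.exe) launching a shell/script host, as seen in CHM-based lures.

Added example; not from the ASEC report. Field names follow Sysmon Event ID 1
conventions, and SAMPLE_EVENTS is constructed telemetry, not real data.
"""
from __future__ import annotations

import ntpath

CHM_VIEWER = "hh.exe"  # Windows HTML Help executable that opens .chm files

# Script and shell hosts commonly launched by the next stage of a CHM lure.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe",
}

# Directory fragments that indicate a user-writable (download/temp) location.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\")

# Constructed sample events (hypothetical paths and placeholder URL).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\notice.chm'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": r'cmd.exe /c "%TEMP%\stage.bat"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c <download stage from http://placeholder.invalid>"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> tuple[str, str] | None:
    """Return (severity, reason) for a suspicious event, or None if benign."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()

    # High: the help viewer itself spawned a shell or script host.
    if parent == CHM_VIEWER and image in SUSPICIOUS_CHILDREN:
        return ("high", f"{CHM_VIEWER} spawned {image}")

    # Medium: a CHM was opened from a download/temp location (typical for mailed lures).
    if image == CHM_VIEWER and ".chm" in cmd and any(d in cmd for d in USER_WRITABLE_DIRS):
        return ("medium", "CHM opened from a user-writable location")

    return None


def scan(events: list[dict]) -> list[dict]:
    """Run classify() over a batch of events and return the hits in order."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict is not None:
            hits.append({
                "severity": verdict[0],
                "reason": verdict[1],
                "command": event.get("CommandLine", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['severity'].upper()}] {hit['reason']}: {hit['command']}")
```

The parent/child rule is the one worth alerting on; in normal use hh.exe renders help content and has no reason to start cmd.exe or PowerShell. The medium-severity rule is noisier (legitimate documentation is sometimes downloaded as CHM) and is better used to enrich a high-severity hit than as a stand-alone alert.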

Spear-phishing has been Kimsuky’s preferred method of initial access for over a decade. The group conducts extensive research and meticulous preparation before launching their attacks, as noted in an advisory from U.S. and South Korean intelligence agencies.

These findings are consistent with the Lazarus Group’s activities, which involve actively exploiting security vulnerabilities in widely used software such as INISAFE CrossWeb EX, MagicLine4NX, TCO!Stream, and VestCert. The Lazarus Group employs these tactics to breach companies in South Korea and deploy malware.