The state-sponsored RedEyes group — aka APT37, ScarCruft and Reaper — was observed recently using an infostealer that targets North Korean defectors, human rights activists and university professors.
In a blog post on June 21, the AhnLab Security Emergency Response Center (ASEC) reported that the infostealer had previously unknown wiretapping features, and that it was accompanied by a backdoor written in Golang that abuses the Ably platform for command and control.
Developers use Ably for real-time data transfer and messaging. It can also perform publish/subscribe messaging, push notifications and real-time queries.
The ASEC researchers said APT37 has been primarily focused on information theft, monitoring everything victims did on their PCs and conducting wiretapping.
“The threat actor carried out their attack cleverly and precisely by employing spear phishing emails to gain access to target systems and using an Ably channel as a command-and-control server,” said the researchers. “Users must refrain from opening files from unknown sources to prevent themselves from being harmed. Especially now since the group in question has recently been using malware based on CHM and LNK extensions to perform their initial breach, extra attention should be given to the file extensions when executing email attachments.”
The use of a password.chm file relies on three things, explained Melissa Bischoping, director of endpoint security research at Tanium: the chance that the system hides file extensions (so the attachment appears simply as "password"), the likelihood that a victim will assume a password is required to open the file, and the fact that victims are unlikely to look closely at an unfamiliar file format. Bischoping said that while CHM is still a functional format, it has largely been replaced by links to websites that render in the browser.
“Threat actors love to live-off-the-land with existing capabilities and tooling that are often associated with legacy functionality,” said Bischoping.
To defend against such attacks, she suggested baselining normal and abnormal use of file types and legacy capabilities, and using that information to build technical controls that block execution from non-approved applications or file types.
“Additionally, education is a powerful weapon,” Bischoping added. “Train users on best practices of inspecting file types before opening, especially when files are sent via email or downloaded from the internet.”
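One way to turn the baselining advice above into a concrete check, as an added example that is not from the article or any of the quoted vendors: a small Python routine that scans process-creation events for the Windows HTML Help viewer (hh.exe) opening a .chm or .lnk file that arrived via a mail client or sits in a user-writable directory, and for hh.exe spawning a shell. The event records, directory list and the detection thresholds are constructed assumptions for the demonstration, not telemetry from the campaign.

```python
import re
from pathlib import PureWindowsPath

# Extensions the article names as the group's recent initial-access lures.
LURE_EXTENSIONS = {".chm", ".lnk"}
# Legacy Windows HTML Help viewer that renders .chm files.
HELP_VIEWER = "hh.exe"
# Assumed lists for this example: mail clients, shells, and user-writable
# directories where an opened attachment or download typically lands.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\inetcache\\", "\\appdata\\local\\")

# Constructed sample events (parent image, image, command line); not real logs.
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "C:\\Windows\\hh.exe",
     'hh.exe "C:\\Users\\kim\\AppData\\Local\\Temp\\password.chm"'),
    ("C:\\Windows\\hh.exe", "C:\\Windows\\System32\\cmd.exe",
     'cmd.exe /c echo constructed-child-process'),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\hh.exe",
     'hh.exe "C:\\Program Files\\VendorApp\\help\\manual.chm"'),  # legitimate baseline
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe",
     "notepad.exe notes.txt"),
]


def flag_events(events):
    """Return (reason, command line) for each event that deviates from the baseline."""
    findings = []
    for parent, image, cmdline in events:
        parent_name = PureWindowsPath(parent).name.lower()
        image_name = PureWindowsPath(image).name.lower()
        if image_name == HELP_VIEWER:
            # Extract the quoted file argument and inspect its extension and location.
            match = re.search(r'"([^"]+)"', cmdline)
            target = match.group(1) if match else ""
            ext = PureWindowsPath(target).suffix.lower()
            in_user_dir = any(d in target.lower() for d in USER_WRITABLE)
            if ext in LURE_EXTENSIONS and (in_user_dir or parent_name in MAIL_CLIENTS):
                findings.append(("help viewer opened lure-type file from mail client or user dir", cmdline))
        elif parent_name == HELP_VIEWER and image_name in SHELLS:
            findings.append(("help viewer spawned a shell", cmdline))
    return findings


if __name__ == "__main__":
    for reason, cmdline in flag_events(SAMPLE_EVENTS):
        print(f"{reason}: {cmdline}")
```

The vendor help file opened from Program Files is left alone, which is the point of baselining: the control targets the delivery path and the follow-on behaviour, not the file type by itself.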
APT37, a North Korean state-sponsored espionage group active since 2012, has been well observed over the years, pointed out Andrew Barratt, vice president at Coalfire. Barratt said the help-file dropper is certainly at the lower end of the group's technical expertise and a common approach in spearphishing.
“Using the Ably platform is an interesting technique as it looks like it could be legitimate traffic, and as such, harder for a cyber team to detect,” said Barratt. “What’s interesting is Ably is also known for operating at significant scale, which would then allow for a mass campaign to be executed, perhaps with thousands of targets.”
Nick Rago, Field CTO at Salt Security, said his team usually associates API-first design principles and application modernization initiatives with commercial organizations innovating the apps that consumers and businesses rely on daily. However, Rago said his team has also recently seen several threats in which cybercriminals applied those same API-first principles, using the Ably framework for command-and-control capabilities in their attack campaigns.
“Organizations should be aware of these hard-to-detect threats,” said Rago. “To identify suspicious activities, including suspicious network connections to unknown domains or destinations, organizations must ensure they have appropriate endpoint and network protections in place.”