ScarCruft, a North Korean hacker group, has been using information stealer malware written in the Go language with wiretapping capabilities to spy on targeted entities. Based on reports, this malicious threat group delivered the malware by abusing the Ably real-time messaging service.
The attack starts with the threat actors sending their commands through a Golang backdoor that communicates over the Ably service. Moreover, the threat actors stored the API key value used for command communication in a GitHub repository.
ScarCruft is another North Korean-backed cybercriminal group that has been operating for more than a decade.
According to researchers, ScarCruft is one of the threat groups sponsored by North Korea’s Ministry of State Security. Researchers first recorded activity from this group in 2012, and it has remained active for over a decade.
The group commonly starts its attack chain with a spear-phishing lure that launches RokRAT. However, researchers noted that the threat group has used many malware strains besides RokRAT.
In one of the recent attacks from the group observed by the researchers, the emails sent by the actors contained an MS Compiled HTML Help (CHM) file. Once a target opens the file, it contacts a remote server to download a Chinotto PowerShell payload.
The Chinotto PowerShell payload can retrieve additional malware and serve as a tool for establishing persistence. However, its most prominent tool is a backdoor called AblyGo, which abuses the Ably API service for C2.
Furthermore, the attackers use AblyGo as a conduit to ultimately run an information stealer called FadeStealer. This malware has various capabilities, such as capturing screenshots, harvesting data from smartphones and removable media, logging keystrokes, and recording audio from microphones.
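Two steps in this chain leave visible host telemetry: the CHM viewer launching PowerShell to fetch the Chinotto stage, and a non-browser process talking to the Ably service for C2. The script below is an added example written for this article, not code from the researchers or any vendor; it runs two such heuristics over constructed Sysmon-style process and network records. The field names, the Ably host suffixes and the sample process names are assumptions for the example, not indicators taken from the report.

```python
"""
Added example (not from the article or any vendor): host-log heuristics for two
behaviours the write-up describes:

  1. hh.exe (the Compiled HTML Help viewer) spawning PowerShell, which is how the
     Chinotto stage is reported to be fetched, and
  2. a process that is not a browser connecting to the Ably real-time service,
     which the AblyGo backdoor is reported to use as a C2 channel.

All records below are constructed; the field layout mimics a Sysmon-style
export but is an assumption, not a specific product's schema.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed Ably endpoint suffixes. In practice, take these from your own
# DNS/proxy baseline rather than hard-coding them.
ABLY_HOST_SUFFIXES = ("ably.io", "ably-realtime.com")

# Processes for which Ably traffic is plausibly benign (web apps using the SDK).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # basename of the executable, lower-case
    parent_image: str   # basename of the parent executable, lower-case
    cmdline: str


@dataclass(frozen=True)
class NetworkEvent:
    pid: int
    image: str
    dest_host: str
    dest_port: int


def chm_spawning_powershell(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Return process events where the CHM viewer launches PowerShell."""
    return [
        ev for ev in events
        if ev.parent_image == "hh.exe" and ev.image in ("powershell.exe", "pwsh.exe")
    ]


def is_ably_host(host: str) -> bool:
    """Suffix match on a label boundary, so 'notably.io' does not match 'ably.io'."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ABLY_HOST_SUFFIXES)


def non_browser_ably_traffic(events: list[NetworkEvent]) -> list[NetworkEvent]:
    """Return network events to Ably hosts from processes that are not browsers."""
    return [
        ev for ev in events
        if is_ably_host(ev.dest_host) and ev.image not in BROWSER_IMAGES
    ]


# Constructed sample telemetry: one malicious chain plus benign look-alikes.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(1001, "hh.exe", "explorer.exe", r'hh.exe "C:\Users\u\Downloads\invite.chm"'),
    ProcessEvent(1002, "powershell.exe", "hh.exe", "powershell.exe <constructed args>"),
    ProcessEvent(1003, "powershell.exe", "explorer.exe", "powershell.exe"),  # admin's own shell
]
SAMPLE_NETWORK_EVENTS = [
    NetworkEvent(2001, "chrome.exe", "realtime.ably.io", 443),        # browser: expected
    NetworkEvent(1004, "updater-helper.exe", "realtime.ably.io", 443),  # constructed suspect
    NetworkEvent(1005, "outlook.exe", "outlook.office365.com", 443),  # unrelated
    NetworkEvent(1006, "updater-helper.exe", "notably.io", 443),      # suffix look-alike
]


def run_checks(process_events=SAMPLE_PROCESS_EVENTS,
               network_events=SAMPLE_NETWORK_EVENTS) -> dict[str, list[int]]:
    """Run both heuristics and return the offending PIDs per check."""
    return {
        "chm_to_powershell": [e.pid for e in chm_spawning_powershell(process_events)],
        "unexpected_ably_traffic": [e.pid for e in non_browser_ably_traffic(network_events)],
    }


if __name__ == "__main__":
    for name, pids in run_checks().items():
        print(f"{name}: {pids}")
```

Both checks are deliberately narrow: the parent/child rule only fires on the CHM viewer, and the network rule matches Ably hosts on a label boundary so unrelated domains ending in the same letters are not flagged. In a real deployment the browser allow-list and the host suffixes should come from an environment baseline, since legitimate desktop applications can also embed the Ably SDK.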
North Korean state-sponsored threat groups have carried out several campaigns in recent months. Earlier this year, the RedEyes group from the DPRK targeted North Korean defectors, university professors, and human rights activists with infostealer malware. That campaign aimed to harvest information that could benefit the North Korean government.
With the rise in information-stealing and eavesdropping campaigns by threat actors, users should be wary of downloading or opening files that could lead to an infection and allow an attacker to spy on them.