FadeStealer

The hacking group APT37, also referred to as ScarCruft, Reaper, or RedEyes, has recently been observed using a newly discovered information-stealing malware called FadeStealer. The malware incorporates a 'wiretapping' capability that lets the threat actors secretly intercept and record audio from victims' microphones.

APT37 is widely believed to be a state-sponsored hacking group with a significant track record of conducting cyberespionage operations aligned with the interests of North Korea. Their targets have included North Korean defectors, educational institutions, and organizations based in the European Union.

In previous campaigns, this group has employed custom-made malware such as 'Dolphin' and 'M2RAT' to carry out its cyberattacks. These tools were specifically designed to infiltrate Windows devices, including connected mobile phones, and to support malicious activities such as command execution, data theft, credential harvesting, and screenshot capture.

A Custom Backdoor Malware Delivers The FadeStealer Threat

Security researchers have recently uncovered details about another custom malware used in attacks by APT37, known as the AblyGo backdoor. Alongside FadeStealer, these tools are designed to infiltrate targeted systems and facilitate various harmful activities.

The initial delivery method of this malware involves phishing emails that contain attached archives. These archives consist of password-protected Word and Hangul Word Processor documents (.docx and .hwp files), along with a 'password.chm' Windows CHM file. It is highly likely that the phishing emails instruct the recipients to open the CHM file to obtain the password required to unlock the documents. However, unbeknownst to the victims, this action triggers the infection process on their Windows devices.

Upon opening the CHM file, a deceptive prompt will display the alleged password to unlock the documents. Simultaneously, the file discreetly downloads and executes a remote PowerShell script, which serves as a backdoor with advanced functionality. This PowerShell backdoor establishes communication with the attackers' Command-and-Control (C2) servers, enabling them to execute commands on the compromised system remotely.
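The attachment layout described above (Word and Hangul documents shipped together with a 'password.chm' that supposedly holds their password) is something a mail gateway or analyst script can look for. The following is an added example and not code from the original article or from any vendor: it lists the members of a zip archive and flags the document-plus-CHM combination. The sample archives, file names and function names are constructed here for illustration; the check does not verify that the documents are actually password-protected.

```python
"""
Added example, not from the original article: a mail-gateway style check for
the lure archive layout the article describes (Office/Hangul documents shipped
together with a .chm help file).  Archives built below are constructed for
illustration; function names are this example's own.
"""
import io
import zipfile
from typing import Dict, List

DOCUMENT_EXTS = (".docx", ".hwp")   # document types named in the article
HELP_EXT = ".chm"                    # the 'password.chm' that starts the infection


def classify_archive_members(names: List[str]) -> Dict[str, List[str]]:
    """Split archive member names into the documents and CHM files the lure pairs."""
    lowered = [(name, name.lower()) for name in names]
    return {
        "documents": [n for n, l in lowered if l.endswith(DOCUMENT_EXTS)],
        "chm_files": [n for n, l in lowered if l.endswith(HELP_EXT)],
    }


def is_suspicious_lure(archive_bytes: bytes) -> bool:
    """True when a zip archive pairs .docx/.hwp documents with a CHM file.

    Documents on their own or a CHM on its own are not flagged; the article's
    lure relies on both being present so the CHM can pose as the password note.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        groups = classify_archive_members(zf.namelist())
    return bool(groups["documents"]) and bool(groups["chm_files"])


def build_sample_archive(members: List[str]) -> bytes:
    """Constructed sample archive whose members hold placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"constructed placeholder")
    return buf.getvalue()


def demo_lure_check() -> Dict[str, bool]:
    """Run the check over three constructed archives and return the verdicts."""
    lure = build_sample_archive(["report.docx", "memo.hwp", "password.chm"])
    docs_only = build_sample_archive(["report.docx", "memo.hwp"])
    chm_only = build_sample_archive(["manual.chm"])
    return {
        "lure": is_suspicious_lure(lure),           # True
        "docs_only": is_suspicious_lure(docs_only), # False
        "chm_only": is_suspicious_lure(chm_only),   # False
    }


if __name__ == "__main__":
    for label, flagged in demo_lure_check().items():
        print(f"{label}: {'FLAGGED' if flagged else 'ok'}")
```

Only zip archives are handled here; the article does not name the archive format, so a real deployment would add the other container formats the gateway accepts and could additionally inspect whether the documents are encrypted, which is the other half of the lure the article describes.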

Furthermore, the backdoor facilitates the deployment of an additional backdoor known as the 'AblyGo backdoor' during the later stages of the attack. This new backdoor leverages the Ably Platform, an API service that developers use to add real-time features and message delivery to their applications. By using the Ably Platform as a C2 channel, the threat actors can send base64-encoded commands to the backdoor for execution and receive the output. This approach lets them hide their malicious activity within legitimate network traffic, making their operations harder to detect and monitor.

The 'AblyGo backdoor' plays a crucial role in the cyber espionage campaign, enabling the threat actors to conduct privilege escalation, exfiltrate sensitive data, and deliver additional malware components. By utilizing legitimate platforms like Ably, the threat actors aim to evade network monitoring and security software, thereby increasing the effectiveness of their attacks.

The Threatening Capabilities Found in the FadeStealer Threat

The backdoors ultimately deliver FadeStealer as the final payload. FadeStealer is a highly capable information-stealing malware designed specifically for Windows devices. Once installed, it uses DLL sideloading to have its code loaded by the legitimate Internet Explorer process 'ieinstall.exe', effectively camouflaging its presence.

FadeStealer operates stealthily in the background, discreetly harvesting a wide range of sensitive information from the compromised device. At regular intervals of 30 minutes, the malware captures screenshots of the victim's screen, records logged keystrokes, and gathers files from any connected smartphones or removable devices. Furthermore, FadeStealer possesses the capability to record audio through the device's microphone, allowing the threat actors behind the attack to eavesdrop on conversations and gather additional intelligence.

The collected data is stored in specific %Temp% folders, each serving a distinct purpose within the data exfiltration process. Screenshots taken by the malware are stored in the %Temp%\VSTelems_Fade\NgenPdbc folder, while logged keystrokes are stored in %Temp%\VSTelems_Fade\NgenPdbk. The %Temp%\VSTelems_Fade\NgenPdbm folder is dedicated to storing data obtained through microphone wiretapping. Additionally, the %Temp%\VSTelems_FadeIn folder is used for collecting data from connected smartphones, while the %Temp%\VSTelems_FadeOut folder serves as the storage location for data gathered from removable media devices. These fixed folders keep the collected data organized and accessible to the threat actors orchestrating the cyber espionage campaign.

To maintain efficiency and facilitate data storage, FadeStealer collects the stolen information in RAR archive files. This enables the malware to compress and organize the pilfered data, ensuring that it remains concealed and easily transportable for subsequent exfiltration by the threat actors.
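Because the staging folder names and their purposes are fixed, a host-side check for them is straightforward. The following is an added example and not code from the original article or from any vendor: it looks under a given temp directory for the folders listed above, records what each contains, and raises the verdict when a folder already holds a RAR archive, since the article says FadeStealer packs the collected data into RAR files before exfiltration. The folder names come from the article; the sample directory tree, file names, triage rule and function names are constructed here for illustration.

```python
"""
Added example, not from the original article: a host-side check for the
%Temp% staging folders the article attributes to FadeStealer.  Folder names
are taken from the article; the sample tree, file names, triage rule and
helper names are constructed for illustration.
"""
import tempfile
from pathlib import Path
from typing import Dict

# Staging folders named in the article, relative to %TEMP%, with the kind of
# stolen data the article says each one holds.
FADESTEALER_STAGING = {
    ("VSTelems_Fade", "NgenPdbc"): "screenshots",
    ("VSTelems_Fade", "NgenPdbk"): "keystroke logs",
    ("VSTelems_Fade", "NgenPdbm"): "microphone recordings",
    ("VSTelems_FadeIn",): "data from connected smartphones",
    ("VSTelems_FadeOut",): "data from removable media",
}


def scan_staging_folders(temp_dir: str) -> Dict[str, dict]:
    """Return the staging folders present under temp_dir and what they contain.

    Keys are folder paths relative to temp_dir, backslash-joined as they would
    appear on Windows.  Each value records the folder's purpose, its regular
    files, and the subset of .rar files (the archive format the article says
    FadeStealer uses to pack stolen data).
    """
    found: Dict[str, dict] = {}
    base = Path(temp_dir)
    for parts, purpose in FADESTEALER_STAGING.items():
        folder = base.joinpath(*parts)
        if not folder.is_dir():
            continue
        files = sorted(p.name for p in folder.iterdir() if p.is_file())
        found["\\".join(parts)] = {
            "purpose": purpose,
            "files": files,
            "rar_archives": [f for f in files if f.lower().endswith(".rar")],
        }
    return found


def severity(findings: Dict[str, dict]) -> str:
    """Constructed triage rule: any staging folder is suspicious; a folder that
    already holds a .rar archive suggests data packed and ready to leave."""
    if not findings:
        return "clean"
    if any(info["rar_archives"] for info in findings.values()):
        return "staged-for-exfiltration"
    return "suspicious"


def build_sample_tree() -> str:
    """Create a constructed %TEMP% look-alike with two of the article's folders
    plus an unrelated folder, so the scanner can be exercised offline."""
    root = tempfile.mkdtemp(prefix="fadestealer_demo_")
    shot_dir = Path(root, "VSTelems_Fade", "NgenPdbc")
    shot_dir.mkdir(parents=True)
    (shot_dir / "0001.png").write_bytes(b"constructed sample")
    (shot_dir / "batch.rar").write_bytes(b"constructed sample")
    usb_dir = Path(root, "VSTelems_FadeOut")
    usb_dir.mkdir()
    (usb_dir / "notes.txt").write_bytes(b"constructed sample")
    Path(root, "UnrelatedApp").mkdir()   # benign noise that must not be flagged
    return root


def demo_staging_scan() -> dict:
    """Run the scanner over the constructed tree; return findings and verdict."""
    root = build_sample_tree()
    findings = scan_staging_folders(root)
    return {"findings": findings, "verdict": severity(findings)}


if __name__ == "__main__":
    result = demo_staging_scan()
    for folder, info in result["findings"].items():
        print(f"%TEMP%\\{folder}: {info['purpose']} -> {info['files']}")
    print("verdict:", result["verdict"])
```

On a real Windows host the argument to `scan_staging_folders` would be the user's actual temp directory (for example `os.environ["TEMP"]`), and the scan should be run for every user profile, since the folders are created under the logged-on user's %Temp%. The absence of these folders does not prove a host is clean; the check is a quick triage step, not a replacement for endpoint telemetry.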
