North Korean Hackers Caught Using Malware With Microphone Wiretapping Capabilities

A hacking group linked to the North Korean government has been caught using new malware with microphone wiretapping capabilities.

A hacking group linked to the North Korean government has been caught using new wiretapping malware in recent surveillance attacks, according to an advisory from cybersecurity firm AhnLab.

The APT, tracked as APT37, was seen using a Go-based backdoor that abuses the real-time data transfer and messaging platform Ably for command-and-control traffic, alongside a previously unknown information stealer with microphone wiretapping capabilities.

AhnLab, based in South Korea, said it discovered the latest attacks in May 2023 and warned that the hackers are using a CHM (Compiled HTML Help File) payload disguised as a password, delivered via spear phishing emails that also carried a password-protected document, luring intended victims into executing the CHM file to view the document.

When opened, the CHM file displays a password and executes a malicious script via MSHTA. The script is a PowerShell backdoor that achieves persistence by registering a registry key, and which can execute commands received from the command-and-control (C&C) server.

The backdoor can exfiltrate file information, individual files, and compressed folders, and can download files, edit the registry, register scheduled tasks, rename files, and delete files, AhnLab said.
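As an added example that is not part of the AhnLab advisory or this article, the following Python detection logic hunts for the execution chain described above in endpoint telemetry: a CHM file opened by the help viewer (assumed to be hh.exe) spawning mshta.exe, which in turn spawns powershell.exe that writes a Run key for persistence. The event field names, the Run-key location and the sample events are all assumptions constructed for the example.

```python
# Added example (not AhnLab's or SecurityWeek's code): detection logic for the
# chain described above, CHM opened by hh.exe -> mshta.exe -> PowerShell backdoor
# that persists via a registry Run key. Event fields and the Run-key location are
# assumptions; the events below are constructed, not real telemetry.
from collections import defaultdict

RUN_KEYS = ("\\microsoft\\windows\\currentversion\\run\\",
            "\\microsoft\\windows\\currentversion\\runonce\\")

def _exe(event):
    """Lower-cased file name of the process image, e.g. 'mshta.exe'."""
    return event.get("image", "").lower().rsplit("\\", 1)[-1]

def find_chm_mshta_chains(events):
    """Return (hh_pid, mshta_pid, powershell_pid, registry_target) for every
    hh.exe -> mshta.exe -> powershell.exe lineage that also wrote a Run key."""
    children = defaultdict(list)   # parent pid -> child process_create events
    reg_by_pid = defaultdict(list) # pid -> registry_set events it performed
    for e in events:
        if e["type"] == "process_create":
            children[e["parent_pid"]].append(e)
        elif e["type"] == "registry_set":
            reg_by_pid[e["pid"]].append(e)
    hits = []
    for hh in (e for e in events if e["type"] == "process_create" and _exe(e) == "hh.exe"):
        for mshta in (c for c in children[hh["pid"]] if _exe(c) == "mshta.exe"):
            for ps in (c for c in children[mshta["pid"]] if _exe(c) == "powershell.exe"):
                for reg in reg_by_pid[ps["pid"]]:
                    if any(k in reg["target"].lower() for k in RUN_KEYS):
                        hits.append((hh["pid"], mshta["pid"], ps["pid"], reg["target"]))
    return hits

# Constructed sample telemetry: pid 100 is a benign help-file open, pids 200-202
# reproduce the described chain. SIDs and value names are placeholders.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "parent_pid": 1, "image": r"C:\Windows\hh.exe"},
    {"type": "registry_set", "pid": 100,
     "target": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\HTML Help\hh.exe"},
    {"type": "process_create", "pid": 200, "parent_pid": 1, "image": r"C:\Windows\hh.exe"},
    {"type": "process_create", "pid": 201, "parent_pid": 200, "image": r"C:\Windows\System32\mshta.exe"},
    {"type": "process_create", "pid": 202, "parent_pid": 201,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "registry_set", "pid": 202,
     "target": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

if __name__ == "__main__":
    for hit in find_chm_mshta_chains(SAMPLE_EVENTS):
        print("CHM -> MSHTA -> PowerShell Run-key persistence:", hit)
```

The benign hh.exe process (pid 100) writes only its own HTML Help settings and has no mshta.exe child, so it is not reported; only the full three-process lineage with a Run-key write is flagged.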

The North Korean hackers were also seen escalating privileges, exfiltrating data, and deploying malware via a Go-based backdoor that uses the Ably platform service for data transfer.

Ultimately, the AblyGo backdoor and the PowerShell script were used to execute an information stealer in memory, AhnLab says. Dubbed FadeStealer, the malware can take screenshots, steal data from removable devices, and log keystrokes, but also has wiretapping capabilities.

“[APT37’s] primary focus is on information theft, and an info-stealer with a feature to wiretap microphones was discovered in this recent attack case. Unauthorized eavesdropping on individuals in South Korea is considered a violation of privacy and is strictly regulated under relevant laws. Despite this, the threat actor monitored everything victims did on their PC and even conducted wiretapping,” AhnLab added.

Also known as Group123, InkySquid, Reaper, RedEyes, and ScarCruft, the hacking team has documented links to the North Korean government and is known for targeting North Korean defectors, human rights activists, journalists, and policy makers for surveillance purposes.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.