The North Korean state-sponsored hacking group APT37, aka ScarCruft, has reemerged with a new malware dubbed FadeStealer. The malware contains a wiretapping feature that allows the threat actor to eavesdrop on victims’ microphones. 

The FadeStealer campaign

According to ASEC researchers, FadeStealer was first spotted in May and was distributed alongside a Golang-based backdoor that abuses the Ably real-time messaging service for command and control.
  • The first stage is believed to have been phishing emails carrying password-protected Word and Hangul Word Processor (HWP) documents and CHM files, which deliver the backdoor.
  • Apart from the ability to listen to private conversations of victims, the malware can steal a wide variety of information from Windows systems. This includes screenshots, logged keystrokes, and data from removable media devices.
  • The data stolen from the devices is packed into RAR archives before it is sent to the attackers' C2 server.
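The delivery chain above (password-protected Office and HWP documents plus CHM files arriving as mail attachments) is something an organization can triage mechanically. The following is an added example written for this page, not ASEC's or Cyware's code, and the sample attachments are constructed inline with only realistic leading bytes. It classifies by file magic rather than by extension: a CHM container is identified by its "ITSF" header even when renamed, and a .docx whose bytes form an OLE2 compound file rather than a zip is flagged because that is how a password-protected (encrypted) OOXML document is stored. The flag names are this example's own.

```python
"""Attachment triage for the delivery chain described above.

Added example, not ASEC's or Cyware's code. It inspects file magic rather than
trusting extensions. Sample attachments are constructed inline.
"""
import io
import zipfile

CHM_MAGIC = b"ITSF"                               # Compiled HTML Help (CHM)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file
ZIP_MAGIC = b"PK\x03\x04"                         # zip, which plain OOXML uses

OOXML_EXTS = {"docx", "xlsx", "pptx"}


def _extension(name):
    return name.lower().rsplit(".", 1)[-1] if "." in name else ""


def classify_attachment(name, data):
    """Return a sorted list of triage flags (names chosen for this example)."""
    flags = set()
    ext = _extension(name)
    head = data[:8]

    if head.startswith(CHM_MAGIC):
        flags.add("chm-container")
        if ext != "chm":
            flags.add("chm-renamed")          # extension hides the real type

    if ext in OOXML_EXTS:
        if head.startswith(OLE2_MAGIC):
            # Encrypted OOXML is wrapped in an OLE2 container holding an
            # EncryptedPackage stream, so this is the password-protected case.
            flags.add("ooxml-encrypted")
        elif head.startswith(ZIP_MAGIC):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    if "[Content_Types].xml" not in zf.namelist():
                        flags.add("ooxml-malformed")
            except zipfile.BadZipFile:
                flags.add("ooxml-malformed")
        else:
            flags.add("ooxml-magic-mismatch")

    if ext == "hwp" and head.startswith(OLE2_MAGIC):
        # HWP 5.x is also an OLE2 compound file; flag for manual review because
        # password protection cannot be confirmed from the header alone.
        flags.add("hwp-ole2-review")

    return sorted(flags)


def triage(attachments):
    """Map attachment name -> flags, keeping only attachments that raised any."""
    result = {}
    for name, data in attachments.items():
        flags = classify_attachment(name, data)
        if flags:
            result[name] = flags
    return result


def _plain_docx():
    """Build a minimal, valid (unencrypted) OOXML zip in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed samples: only the headers are realistic; no real malware is embedded.
SAMPLE_ATTACHMENTS = {
    "invoice.docx": _plain_docx(),
    "survey.docx": OLE2_MAGIC + b"\x00" * 56,                    # encrypted OOXML
    "report.hwp": OLE2_MAGIC + b"\x00" * 56,
    "manual.chm": CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 52,
    "notes.doc": CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 52,  # CHM renamed
}

if __name__ == "__main__":
    for name, flags in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {', '.join(flags)}")
```

Run it and only the four suspicious attachments are printed; the genuine, unencrypted invoice.docx raises no flag. In a mail gateway the same checks would run on the decoded attachment bytes, and any hit would route the message to a sandbox or a human rather than the inbox.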

Worth noting

ScarCruft is not the only North Korean APT using CHM files to deploy malware. Recently, Kimsuky was found using CHM files to distribute the RandomQuery malware. Because CHM is a legitimate Microsoft Compiled HTML Help format, victims believed they were opening an ordinary help file and did not realize that opening it downloaded the malware.

Newly found info-stealers raise concern

While FadeStealer is a recent discovery, several other new info-stealers have been reported by different security research groups.
  • Bitdefender Labs observed a cyberespionage operation deploying RDStealer on systems in East Asia. The malware steals data from client drives mapped over RDP connections.
  • Trellix shared details about a new Golang stealer, named Skuld, that compromised Windows systems worldwide.
  • Cyfirma and Zscaler published concurrent reports on the new Mystic Stealer, which targets a wide range of applications and platforms: 40 web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password management applications, 55 cryptocurrency browser extensions, as well as Steam and Telegram credentials.

The bottom line

The steady emergence of new info-stealers shows that this class of malware will keep attracting threat actors, since it offers easy access to victim machines and a wide range of sensitive data. Organizations should therefore understand the distribution methods and capabilities of these stealers in order to improve their detection and protection.
Cyware Publisher