cyberthreat news
07 December 2023

APT37 hackers deploy new FadeStealer eavesdropping malware

According to information dated June 21st, 2023, the North Korean group APT37 has been observed using a new FadeStealer malware for information stealing. This group has been active since 2012 and has primarily targeted public and private sectors in South Korea and EU-based entities to support North Korea’s strategic military, economic and political interests.

The AhnLab Security Emergency Response Center provided information about new features in the FadeStealer malware. The attack relies on spearphishing emails that contain a password-protected Word document and a ‘password.chm’ Windows CHM file. The CHM file serves to download and execute a PowerShell script that contains a first backdoor, which enables the attacker to establish a communication line with its C2 servers. A second backdoor, called AblyGo backdoor, is also deployed; it contributes to privilege escalation, data theft and the delivery of the malware. FadeStealer then serves to steal data, such as keystrokes, files from connected smartphones and removable devices, or audio from a connected microphone, and to store them in RAR archives every 30 minutes.

The use of CHM files to deploy malware is a technique used by several North Korean threat groups, such as Kimsuky, to deploy malicious scripts and steal user data. APT37 has been particularly active since the beginning of 2023, and the information about this new malware demonstrates the group's high technical level and its capacity to diversify its attack techniques.
