lazarusholic


RedEyes Group Wiretapping Individuals (APT37)

2023-06-21, Ahnlab
https://asec.ahnlab.com/en/54349/
#RedEyes #GoAbly #CHM

Contents

1. Overview
RedEyes (also known as APT37, ScarCruft, and Reaper) is a state-sponsored APT group that mainly carries out attacks against individuals such as North Korean defectors, human rights activists, and university professors. Their mission is known to be surveillance of the daily lives of specific individuals. In May 2023, AhnLab Security Emergency response Center (ASEC) discovered the RedEyes group distributing and using a previously unknown Infostealer with wiretapping features, alongside a backdoor developed in GoLang that abuses the Ably platform.
* ABLY [1] is a platform for real-time data transfer and messaging. It also supports publish/subscribe messaging, push notifications, real-time queries, and state synchronization.
The threat actor sent commands through the GoLang backdoor, which uses the Ably service. The API key value required for command communication was stored in a GitHub repository. Since this API key value is needed to communicate with the threat actor's channel, anyone is …

IoC
