RedEyes

RedEyes (ScarCruft)’s CHM Malware Using the Topic of Fukushima Wastewater Release

The AhnLab Security Emergency response Center (ASEC) analysis team has recently discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group, is being distributed again. The CHM malware in distribution operates in a similar way to the “CHM Malware Disguised as Security Email from a Korean Financial Company”[1] covered in March of this year and also uses the same commands used in the “2.3. Persistence”[2] stage in the attack process of the RedEyes…

Distribution of Backdoor via Malicious LNK: RedEyes (ScarCruft)

AhnLab Security Emergency response Center (ASEC) has confirmed that malware [1], which was previously distributed in CHM format, is now being distributed in LNK format. This malware executes additional scripts located at a specific URL through the mshta process. It then receives commands from the threat actor’s server to carry out additional malicious behaviors. The threat actor has been distributing the confirmed LNK file on a regular website by uploading it alongside malware within a compressed file. The malicious LNK…

RedEyes Group Wiretapping Individuals (APT37)

1. Overview RedEyes (also known as APT37, ScarCruft, and Reaper) is a state-sponsored APT group that mainly carries out attacks against individuals such as North Korean defectors, human rights activists, and university professors. Their task is known to be monitoring the lives of specific individuals. In May 2023, AhnLab Security Emergency response Center (ASEC) discovered the RedEyes group distributing and using an Infostealer with wiretapping features that was previously unknown along with a backdoor developed using GoLang that exploits the…

RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)

AhnLab Security Emergency response Center (ASEC) confirmed that the RedEyes threat group (also known as APT37, ScarCruft), which distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month, has also recently distributed the RokRAT malware through LNK files. RokRAT is malware that is capable of collecting user credentials and downloading additional malware. The malware was once distributed through HWP and Word files. The LNK files that were discovered this time contain PowerShell commands that can perform malicious…

Malware Distributed Disguised as a Password File

AhnLab Security Emergency response Center (ASEC) discovered a malware strain disguised as a password file and being distributed alongside a normal file within a compressed file last month. It is difficult for users to notice that this file is malicious because this type of malware is distributed together with a normal file. The recently discovered malware was in CHM and LNK file formats. In the case of the CHM file, it shares the same type as the malware covered in…