North Korea Hiding Malware Within JPEG Files to Attack Windows Systems Bypassing Detections


Security researchers at Genians Security Center have uncovered a sophisticated new variant of the RoKRAT malware, attributed to the North Korean-linked APT37 threat group, which employs steganography to conceal malicious payloads within seemingly innocuous JPEG image files.

This technique allows the malware to evade traditional antivirus detections by embedding encrypted shellcode in image data, which is then decoded and executed in memory.

Attack Scenario

Distributed primarily through malicious shortcut (.LNK) files hidden in ZIP archives, such as one masquerading as “National Intelligence and Counterintelligence Manuscript.zip,” the attack chain begins with oversized LNK files often exceeding 50MB due to embedded decoy documents and encoded components like shellcode (ttf01.dat), PowerShell scripts (ttf02.dat), and batch files (ttf03.bat).

Figure: Code Execution Flow

APT37’s Evolving RoKRAT Variant

Upon execution, the batch script invokes PowerShell to perform an XOR decryption using a single-byte key (0x33), revealing a 32-bit shellcode block that injects further payloads into legitimate Windows processes.

This two-stage encrypted shellcode injection method hinders reverse engineering, as the initial XOR operation at offset 0x590 uses a key like 0xAE, transforming the data into an executable that references PDB paths such as “D:\Work\Util\InjectShellcode\Release\InjectShellcode.pdb.”

Figure: Shellcode Comparison View

The malware then allocates virtual memory in processes like mspaint.exe or notepad.exe from the SysWOW64 directory, writing decrypted data blocks (e.g., 892,928 bytes) and applying additional XOR routines with keys like 0xD6 to unveil the core RoKRAT module.

This fileless approach ensures minimal disk footprints, complicating forensic analysis, while the malware’s timestamp (e.g., 2025-04-21 00:39:59 UTC) and unique strings like “--wwjaughalvncjwiajs--” confirm its ties to APT37’s arsenal.

Cloud-Based C2 Channels

In a notable evolution, APT37 integrates steganography by hiding RoKRAT loaders in JPEG files, such as “Father.jpg” downloaded from Dropbox, where malicious DLLs like mpr.dll or credui.dll side-load via legitimate executables (e.g., ShellRunas.exe or AccessEnum.exe) embedded in HWP documents.

Figure: Distributed Malicious File

The JPEG resource, named “MYIMAGEFILE,” starts with a valid Exif header but conceals shellcode at offset 0x4201 after an XOR with key 0xAA, followed by a secondary XOR using 0x29 to extract the RoKRAT payload. This enables seamless in-memory execution, bypassing endpoint protections.
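Both obfuscation layers described above (the single-byte XOR over the LNK-embedded shellcode, and the XOR-encoded payload sitting behind a valid Exif header in the JPEG resource) share one weakness from a defender's side: a single-byte XOR key preserves the structure of the plaintext, so an analyst can recover it by trying all 256 keys against strings every PE carries. The triage helper below is an added example, not code from the Genians report or from the malware. It builds a constructed JPEG-like carrier (SOI, an APP1 “Exif” segment, filler, EOI) followed by an XOR-encoded minimal PE-shaped blob, then recovers the key and the payload offset. The sample bytes, the key 0xAA chosen for the demo, and the function names are all assumptions.

```python
"""Triage helper: find single-byte-XOR-obfuscated PE payloads hidden inside image files.

Added example (not from the Genians report). The carrier and payload built below are
constructed test data, not a real sample.
"""
import struct

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# Plaintext that survives in virtually every PE file; we search for its XOR-encoded form.
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def jpeg_structure_end(data: bytes) -> int:
    """Offset just past the last EOI marker, or -1 if the blob does not even start with SOI.
    Anything beyond this offset is not image data and deserves a closer look."""
    if not data.startswith(JPEG_SOI):
        return -1
    eoi = data.rfind(JPEG_EOI)
    return len(data) if eoi == -1 else eoi + 2


def trailing_bytes(data: bytes) -> int:
    """Number of bytes appended after the JPEG's own structure (0 for a clean image)."""
    end = jpeg_structure_end(data)
    return 0 if end < 0 else len(data) - end


def find_xor_hidden_pe(data: bytes) -> list:
    """Try all 256 keys; for each, look for the XOR-encoded DOS stub text, then confirm by
    decoding a window around it and checking for an MZ header whose e_lfanew points at 'PE\\0\\0'.
    Returns [(key, offset_of_MZ), ...]. Works wherever the payload sits, not only after EOI."""
    hits = []
    for key in range(256):
        probe = xor_bytes(DOS_STUB_TEXT, key)
        idx = data.find(probe)
        if idx == -1:
            continue
        # The stub text lives in the first ~0x80 bytes of a PE, so the MZ header is close before it.
        start = max(0, idx - 0x100)
        window = xor_bytes(data[start:idx + len(probe) + 0x200], key)
        mz = window.find(b"MZ")
        while mz != -1:
            if mz + 0x40 <= len(window):
                e_lfanew = struct.unpack_from("<I", window, mz + 0x3C)[0]
                if window[mz + e_lfanew:mz + e_lfanew + 4] == b"PE\x00\x00":
                    hits.append((key, start + mz))
                    break
            mz = window.find(b"MZ", mz + 1)
    return hits


def build_minimal_pe() -> bytes:
    """Constructed PE-shaped blob: MZ header, e_lfanew = 0x80, DOS stub text, PE signature.
    Not a loadable executable; it only has the landmarks the scanner keys on."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x4E:0x4E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 0x20


def build_constructed_sample(key: int = 0xAA) -> bytes:
    """Constructed carrier: valid-looking JPEG skeleton with an Exif APP1 segment, followed by
    the XOR-encoded blob. The 0xAA key is an assumption chosen for the demo."""
    exif_body = b"Exif\x00\x00" + b"\x00" * 26
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif_body) + 2) + exif_body
    filler = bytes(range(256)) * 4          # stands in for entropy-coded image data
    carrier = JPEG_SOI + app1 + filler + JPEG_EOI
    return carrier + xor_bytes(build_minimal_pe(), key)


if __name__ == "__main__":
    sample = build_constructed_sample()
    print("bytes after EOI:", trailing_bytes(sample))
    for key, off in find_xor_hidden_pe(sample):
        print(f"XOR key 0x{key:02X} reveals MZ header at offset 0x{off:X}")
```

The two checks are complementary: `trailing_bytes` is cheap and catches payloads appended past the image, while `find_xor_hidden_pe` is key-agnostic and also finds payloads placed inside the resource after the Exif header, which is where the article locates RoKRAT's shellcode. A second XOR stage (the 0x29 layer mentioned above) can be handled by running the same brute force over the recovered blob.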

Functionally, RoKRAT collects system information, documents, and screenshots, exfiltrating them via abused cloud APIs like api.pcloud.com, cloud-api.yandex.net, and api.dropboxapi.com, using revoked access tokens such as “hFkFeKn8jJIAAAAAAAAAAZr14zutJmQzoOx-g5k9SV9vy7phb9QiNCIEO7SAp1Ch.”

C2 accounts, linked to emails like “[email protected]” and “[email protected],” reveal patterns of Russian email services and potential LinkedIn ties, echoing prior APT37 operations.

Variants from July 2025, like one disguised as “Academy Operation for Successful Resettlement of North Korean Defectors in South Korea.lnk,” shift to notepad.exe injection and reference PDB paths under “D:\Work\Weapon,” indicating ongoing tool refinement.

According to the report, to counter these threats, efficient Endpoint Detection and Response (EDR) solutions are critical, offering real-time monitoring of abnormal behaviors such as process injections, script executions, and outbound cloud connections.

EDR visualization aids in mapping attack flows, from LNK execution to C2 exfiltration, enabling rapid isolation and threat classification under MITRE ATT&CK frameworks.

As RoKRAT persists in evading signature-based defenses through fileless tactics and steganography, organizations must prioritize EDR for proactive hunting, emphasizing the rising sophistication of state-sponsored North Korean cyber operations targeting Windows ecosystems in South Korea and beyond.
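The behaviors the EDR paragraphs single out (a script engine launching mspaint.exe or notepad.exe from SysWOW64 as an injection host, and that host then talking to a cloud storage API) can be expressed as two simple correlated rules. The code below is an added example, not part of the report or of any EDR product; the event records are constructed telemetry and their field names (`pid`, `ppid`, `image`, `dest_host`) are assumptions rather than a real product schema. The cloud hosts and injection targets come from the article.

```python
"""Behavioral triage over constructed endpoint telemetry for the RoKRAT-style chain
(LNK -> cmd -> PowerShell -> mspaint/notepad from SysWOW64 -> cloud API).

Added example; events and field names are constructed assumptions, not a real EDR schema.
"""
import ntpath

# Hosts and processes named in the article
CLOUD_API_HOSTS = {"api.pcloud.com", "cloud-api.yandex.net", "api.dropboxapi.com"}
INJECTION_HOSTS = {"mspaint.exe", "notepad.exe"}
SCRIPT_ENGINES = {"cmd.exe", "powershell.exe"}

# Constructed sample telemetry: one malicious chain plus benign noise
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Windows\SysWOW64\mspaint.exe"},
    {"type": "network", "pid": 400, "image": r"C:\Windows\SysWOW64\mspaint.exe",
     "dest_host": "api.pcloud.com", "dest_port": 443},
    # benign: a user opening Notepad from Explorer, and a browser using Dropbox legitimately
    {"type": "process", "pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "network", "pid": 600, "image": r"C:\Program Files\Browser\browser.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def build_process_map(events: list) -> dict:
    """pid -> process-creation event, used to walk parent chains."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def lineage(pid: int, procs: dict) -> str:
    """Render the parent chain 'child <- parent <- ...' for an alert; cycle-safe."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return " <- ".join(chain)


def detect(events: list) -> list:
    """Apply both rules and return a list of finding dicts (empty when nothing matches)."""
    procs = build_process_map(events)
    findings = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            # Rule 1: script engine spawns a known injection host; SysWOW64 (32-bit) raises severity,
            # matching the 32-bit shellcode the article describes.
            if (basename(e["image"]) in INJECTION_HOSTS and parent
                    and basename(parent["image"]) in SCRIPT_ENGINES):
                sev = "high" if "syswow64" in e["image"].lower() else "medium"
                findings.append({"rule": "script_engine_spawns_injection_host", "pid": e["pid"],
                                 "severity": sev, "lineage": lineage(e["pid"], procs)})
        elif e["type"] == "network":
            # Rule 2: an injection host has no business talking to cloud storage APIs.
            if basename(e["image"]) in INJECTION_HOSTS and e["dest_host"] in CLOUD_API_HOSTS:
                findings.append({"rule": "injection_host_contacts_cloud_api", "pid": e["pid"],
                                 "severity": "high", "dest": e["dest_host"],
                                 "lineage": lineage(e["pid"], procs)})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["severity"].upper(), f["rule"], "pid", f["pid"], "|", f["lineage"])
```

The lineage string is what turns two independent hits into the attack-flow view the article credits EDR visualization with: both findings resolve to the same pid 400 and the same explorer → cmd → powershell → mspaint chain, while the benign Notepad launch and the browser's Dropbox traffic produce nothing.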

Indicators of Compromise (IoC)

Type Value
MD5 a2ee8d2aa9f79551eb5dd8f9610ad557
MD5 ae7e18a62abb7f93b657276dcae985b9
MD5 d5fe744b9623a0cc7f0ef6464c5530da
MD5 f6d72abf9ca654a20bbaf23ea1c10a55
MD5 fd9099005f133f95a5b699ab30a2f79b
MD5 5ed95cde6c29432a4f7dc48602f82734
MD5 16a8aaaf2e3125668e6bfb1705a065f9
MD5 64d729d0290e2c8ceaa6e38fa68e80e9
MD5 443a00feeb3beaea02b2fbcd4302a3c9
MD5 e13c3a38ca58fb0fa9da753e857dd3d5
MD5 e4813c34fe2327de1a94c51e630213d1
