The North Korean state-sponsored hacking group APT37 (aka ScarCruft, Reaper) has been identified leveraging group chat platforms to distribute malicious LNK files.
This latest tactic highlights the group’s evolving methods to infiltrate systems and exfiltrate sensitive data.
APT37’s recent campaign involves sending malicious LNK files through group chats on popular messaging platforms.
These files are often embedded in ZIP archives and disguised with familiar icons and filenames to deceive targets.
For instance, attackers used filenames such as “Changes in Chinese Government’s North Korea Policy.zip” to lure victims into opening the file.
Analysts at Genians identified that once executed, the LNK file triggers a PowerShell command that initiates a multi-stage infection chain.
The command decodes and executes embedded scripts, often leading to the deployment of the RokRAT malware.
RokRAT is a powerful remote access trojan (RAT) capable of data exfiltration, screen capturing, and remote command execution.
Attack Analysis
The malicious LNK files contain embedded PowerShell commands that execute hidden scripts.
The script reads a malicious payload from a temporary file (bus.dat), decodes it, and executes it in memory.
Such fileless execution techniques evade traditional antivirus detection.
APT37 employs social engineering tactics by impersonating trusted individuals or organizations. For example, attackers have used themes like geopolitical reports or lecture materials as bait.
These files often appear legitimate but contain embedded OLE objects or scripts that activate upon interaction.
The primary payload in these attacks is often RokRAT or a similar malware variant. Key features include:
- Data Exfiltration: Stealing credentials, screenshots, and sensitive files.
- Remote Control: Executing commands on infected systems.
- Persistence: Dropping additional payloads into startup folders for execution upon reboot.
APT37 also leverages cloud services like pCloud and OneDrive for command-and-control (C2) operations, further complicating detection efforts.
To defend against such threats, deploy endpoint detection and response (EDR) solutions capable of detecting abnormal behaviors, such as fileless malware execution.
In addition, educate users about the risks of opening unsolicited files, even from trusted contacts, and disable the “Hide extensions for known file types” setting so that suspicious double extensions such as “.pdf.lnk” are visible.
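A defender-side triage helper for the two points above (the LNK-embedded PowerShell launcher and the double-extension lure), written for this article rather than taken from the Genians report: it walks the Shell Link StringData section to pull out the link target and arguments, then flags the traits described. The regex heuristics, the field names and the constructed fixture are assumptions of the example, not indicators from the campaign.

```python
# Added example: parse a .lnk's StringData (MS-SHLLINK layout) and flag traits of the chain above.
import re, struct
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80   # LinkFlags bits
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields present in a .lnk blob."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 0x4C                                  # skip the fixed-size header
    if flags & HAS_IDLIST:                      # 2-byte IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_FIELDS:             # each: CountCharacters + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            raw = data[off + 2:off + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + count * width
    return fields

SUSPICIOUS = [  # heuristics for the LNK-to-PowerShell chain, as (label, regex)
    ("powershell launcher", r"powershell|pwsh"),
    ("hidden window", r"-w(?:indowstyle)?\s+hidden"),
    ("base64 decode", r"-e(?:nc|ncodedcommand)?\s|FromBase64String"),
    ("payload read from temp file", r"\.dat\b|\$env:temp|%temp%"),
    ("in-memory execution", r"\biex\b|invoke-expression"),
]

def triage(data: bytes, filename: str = "") -> list:
    """Labels of traits found in the link target/arguments or its on-disk name."""
    f = parse_lnk(data)
    text = " ".join(f.get(k, "") for k in ("relative_path", "arguments"))
    hits = [label for label, rx in SUSPICIOUS if re.search(rx, text, re.I)]
    double_ext = re.search(r"\.(pdf|docx?|hwp|xlsx?)\.lnk$", filename, re.I)
    return hits + (["double extension"] if double_ext else [])

def build_lnk(rel_path: str, args: str) -> bytes:   # minimal Unicode .lnk fixture
    head = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (rel_path, args))
    return head + b"\0" * (0x4C - len(head)) + body
# Constructed fixture mirroring the described chain (placeholder text, not a working command).
SAMPLE = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                   '-w hidden -c "<FromBase64String bus.dat in $env:TEMP, then iex>"')
```

Run `triage(path.read_bytes(), path.name)` over a quarantined attachment; a benign shortcut returns an empty list, while the fixture above lights up every heuristic.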
APT37’s use of group chats as a delivery mechanism underscores their adaptability and persistence in targeting South Korean entities and beyond. Organizations must remain vigilant and adopt proactive cybersecurity measures to counter such advanced persistent threats.
Indicators of Compromise (IoCs)
Security researchers have identified several IoCs related to this campaign:
- MD5 Hashes: 1a70a013a56673f25738cf145928d0f5, 1c3bb05a03834f56b0285788d988aae4
- C2 Servers: 172.86.115[.]125, mailattachmentimageurlxyz[.]site