State-sponsored hacking group APT37 (ScarCruft) is deploying advanced cyber-espionage tactics to infiltrate systems using malicious ZIP files containing LNK shortcuts. These files are typically disguised as documents related to North Korean affairs or trade agreements and are spread through phishing emails.
Once opened, the attack unfolds in multiple stages, leveraging PowerShell scripts and batch files to install the RokRat remote access Trojan (RAT) as the final payload.
The infection starts with carefully crafted phishing emails that often reuse real information from legitimate websites to appear credible. The emails carry malicious ZIP attachments containing LNK files. When executed, the LNK file checks the directory it is running from and moves itself to %temp% if it is not already there.
It then extracts multiple components, including:
- A decoy HWPX document
- A batch script (shark.bat)
- Additional payloads, including caption.dat and elephant.dat
The shark.bat script quietly runs PowerShell, which launches the elephant.dat script; that script XOR-decrypts caption.dat and executes the result directly in memory, so the RokRat payload is never written to disk in decrypted form.
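When a blob like caption.dat is XOR-encrypted and the key is buried in a script, an analyst usually does not need to reverse the script at all: if the decrypted payload has a predictable header (a PE image, a script stub), the key falls out of a known-plaintext comparison. The following is an added example of that triage step, not code from the article or from APT37's tooling. It assumes a repeating-byte XOR key, which the article does not specify, and the sample blob and key below are constructed for illustration.

```python
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, known_prefix: bytes, max_key_len: int = 64) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key.

    If the decrypted payload must start with known_prefix, then for each offset i in the
    prefix  key[i % L] == blob[i] ^ known_prefix[i].  We compute that key stream once,
    try each candidate length L, and return the smallest L whose derived key is
    consistent across the whole prefix. A length can only be confirmed if the prefix is
    longer than the key (we need to see at least one repeat), so a prefix of just
    b"MZ" confirms at most a 1-byte key; a longer known header gives a stronger result.
    """
    if len(blob) < len(known_prefix):
        return None
    stream = bytes(b ^ p for b, p in zip(blob, known_prefix))
    for key_len in range(1, min(max_key_len, len(stream) - 1) + 1):
        candidate = stream[:key_len]
        if all(stream[i] == candidate[i % key_len] for i in range(key_len, len(stream))):
            return candidate
    return None


def unpack(blob: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Recover the key from the expected header and return the decrypted payload, or None."""
    key = recover_xor_key(blob, known_prefix)
    return xor_bytes(blob, key) if key is not None else None


# Constructed sample, not data from a real caption.dat: a PE-like stand-in plaintext
# (the common 16-byte MSVC DOS stub header, then padding, then the DOS-stub message)
# encrypted under a 5-byte key chosen here for illustration.
DOS_STUB_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_PLAINTEXT = DOS_STUB_HEADER + b"\x00" * 48 + b"This program cannot be run in DOS mode."
SAMPLE_KEY = b"\x5a\xa1\x07\xc3\x19"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_BLOB, DOS_STUB_HEADER)
    print("recovered key:", key.hex() if key else None)
    payload = unpack(SAMPLE_BLOB, DOS_STUB_HEADER)
    print("payload starts with MZ:", payload is not None and payload[:2] == b"MZ")
```

Only the first two bytes of a PE are guaranteed, so pass the longest header you are actually sure of; if the decrypted content is a script rather than an executable, use its expected opening text as the prefix instead. The runs of null bytes typical of PE headers also leak the key stream directly, which is why this works so reliably on packed executables.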
Once active, RokRat collects detailed system information, such as:
- Operating system version
- Computer name
- Logged-in user details
- Running processes
- Screenshots of the infected system
The stolen data is then exfiltrated through legitimate cloud services such as pCloud, Yandex and Dropbox, which serve as the command-and-control (C2) channel: RokRat calls their APIs to upload, download and delete files, authenticating with OAuth tokens carried in the malware so the requests look like ordinary account activity.
RokRat also allows attackers to execute remote commands, conduct system reconnaissance, and terminate processes. To avoid detection, it implements anti-analysis techniques, including:
- Detecting virtual environments via VMware Tools
- Sandbox detection by creating and deleting temporary files
- Debugger detection using IsDebuggerPresent
RokRat encrypts the collected data with XOR and RSA before upload, while C2 commands arrive AES-CBC encrypted, are decrypted on the host, and are then executed. These commands drive data collection, file deletion and termination of the malware.
Because the traffic goes to well-known cloud providers, RokRat blends into normal network traffic; blocking by hostname or IP alone will not single it out, which makes detection harder.
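Since the destination hosts are shared with legitimate users, the practical hunting signal is which process opened the connection, not where it went. The script below is an added example of that check, not code from the article or from any vendor product. The log format is constructed; the API hostnames are the public API endpoints of the three services named above (an assumption to adjust against your own proxy data), and the allowlist of sync clients is likewise an assumption rather than a vetted list.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List, Tuple

# Public API hostnames of the three services the article names (assumed list; extend it
# from your own proxy data, and note that www.dropbox.com browser traffic is not an API call).
CLOUD_API_HOSTS = {
    "api.pcloud.com": "pCloud",
    "eapi.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
}

# Processes you expect to talk to those APIs on a managed desktop. Assumption, not a
# vetted list; an empty set turns this into "alert on any process".
EXPECTED_CLIENTS = {"dropbox.exe", "pcloud.exe", "yandexdisk.exe"}

# Constructed endpoint telemetry (CSV) in the shape an EDR or endpoint proxy agent emits:
# one outbound connection per row with the originating process. Not real log data.
SAMPLE_LOG = """ts,endpoint,process,dest_host,bytes_out
2025-01-10T09:12:03Z,WS-017,Dropbox.exe,api.dropboxapi.com,1840
2025-01-10T09:13:40Z,WS-017,chrome.exe,www.dropbox.com,22090
2025-01-10T09:15:02Z,WS-042,powershell.exe,api.pcloud.com,913400
2025-01-10T09:15:09Z,WS-042,powershell.exe,api.pcloud.com,812
2025-01-10T09:20:51Z,WS-042,powershell.exe,cloud-api.yandex.net,4096
2025-01-10T09:21:30Z,WS-011,pCloud.exe,eapi.pcloud.com,5300
"""


def find_suspect_cloud_c2(log_text: str) -> List[dict]:
    """Return rows where a cloud-storage API is contacted by a process that is not a
    known sync client. The hostname alone is not a signal, since the same destination
    carries legitimate traffic; the process attribution is what separates the two."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        service = CLOUD_API_HOSTS.get(row["dest_host"].strip().lower())
        if service is None:
            continue
        process = row["process"].strip().lower()
        if process in EXPECTED_CLIENTS:
            continue
        findings.append({
            "ts": row["ts"],
            "endpoint": row["endpoint"],
            "process": process,
            "service": service,
            "dest_host": row["dest_host"],
            "bytes_out": int(row["bytes_out"]),
        })
    return findings


def bytes_out_by_source(findings: List[dict]) -> Dict[Tuple[str, str, str], int]:
    """Sum uploaded bytes per (endpoint, process, service) so a screenshot-and-system-info
    upload stands out from a handful of small polling requests."""
    totals: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for f in findings:
        totals[(f["endpoint"], f["process"], f["service"])] += f["bytes_out"]
    return dict(totals)


if __name__ == "__main__":
    hits = find_suspect_cloud_c2(SAMPLE_LOG)
    for (endpoint, process, service), total in sorted(bytes_out_by_source(hits).items()):
        print(f"{endpoint} {process} -> {service}: {total} bytes out")
```

This only works on telemetry that records the originating process (an EDR or an endpoint proxy agent); a network proxy log shows the same hostnames for Dropbox.exe and for a PowerShell loader and cannot tell them apart. A process-name allowlist is also a weak control on its own, so pair it with the bytes-out view and with endpoint signals from the loader chain described earlier, such as an LNK file in %temp% spawning a batch script and PowerShell.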
“This sophisticated approach highlights the evolving tactics of APT37, as they continue to adapt and expand their operations beyond traditional targets, now focusing on both Windows and Android platforms through phishing campaigns.”
As APT37 refines its cyberattack strategies, organizations must remain vigilant against such persistent threats and enhance their cybersecurity defenses.