North Korean APT Exploits Zero-Day Vulnerabilities to Breach Air-Gapped Systems


APT37 Targets Air-Gapped Systems with New Malicious Tools

A recent campaign by the North Korea-linked threat actor APT37 has been observed targeting air-gapped systems using five new malicious tools.

The Ruby Jumper Campaign

The group, also known as ScarCruft, Ruby Sleet, and Velvet Chollima, has been active since 2012 and has primarily focused on data theft and surveillance, mainly targeting entities in South Korea.

As part of the campaign, dubbed Ruby Jumper, APT37 used LNK files to execute a PowerShell script and deploy multiple payloads, including a decoy document in Arabic about the Palestine-Israel conflict.

The Malware Payloads

The payloads work together to execute a final payload in memory; this payload uses Zoho WorkDrive cloud storage for command-and-control (C&C) and attempts to fetch a file containing shellcode.

The shellcode, executed in memory, acts as a launcher, fetching and decrypting second-stage shellcode that loads an embedded Windows executable.

This executable, dubbed SnakeDropper, creates a working directory and installs the Ruby 3.3.0 runtime environment, disguised as a USB speed monitoring utility.

The malware backdoors the Ruby interpreter and creates a scheduled task to execute the interpreter every five minutes, establishing persistence.

ThumbsBD and VirusTask

When the Ruby interpreter starts, SnakeDropper drops ThumbsBD, a backdoor that uses removable drives to exfiltrate data from air-gapped systems.

The malware collects system information and creates a hidden directory in the root folder of detected USB drives, which is used to stage backdoor commands and data for exfiltration.

ThumbsBD also complements VirusTask, a removable media propagation tool designed to infect air-gapped systems.

VirusTask exclusively weaponizes USB drives for initial access, copying payload executables to a folder in the drive’s root directory and enumerating files on the drive.

It replaces files with LNK files that lead to the execution of shellcode on air-gapped systems when the user attempts to open those files.

FootWine

ThumbsBD also deploys FootWine, an encrypted Android package file containing a shellcode launcher with surveillance capabilities, including keystroke logging and audio and video capturing.

FootWine supports various surveillance-related commands, such as file manipulation, shell management, and registry and process manipulation.

To counter this threat, the security community should focus on monitoring endpoint activity and physical access points.

APT37’s use of removable media to bypass network isolation and infect air-gapped systems highlights the importance of robust security measures to prevent such attacks.
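Two of the behaviours described above leave artifacts a responder can check for directly: a scheduled task that re-launches a script interpreter every few minutes from a user-writable directory (SnakeDropper's backdoored Ruby runtime), and a removable drive carrying a hidden root-level directory and document-named .lnk files (ThumbsBD's staging folder and VirusTask's replaced files). The following Python is an added example written for this article, not code from the report or the malware; it triages a Task Scheduler XML export (`schtasks /Query /TN <name> /XML`) and a snapshot of a drive's directory listing. The task name, the `USBSpeedMonitor` folder name, the hidden directory name and every file name below are constructed placeholders, and the interpreter and document-extension lists are heuristics to tune per environment.

```python
"""Defensive triage heuristics for the tradecraft described in the article.

Added example (not the report's or the malware's own code). Inputs:
  1. a Task Scheduler XML export, flagged when a script interpreter or an
     executable outside trusted install roots is re-run at a short interval;
  2. a removable drive listing, flagged for hidden root-level directories and
     .lnk files that carry a document extension in front of .lnk.
All sample data is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import PureWindowsPath

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters a workstation task rarely needs to re-run every few minutes (heuristic).
INTERPRETERS = {"ruby.exe", "rubyw.exe", "python.exe", "powershell.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Install roots where legitimately deployed software normally lives.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")

# Document extensions that a double-extension shortcut (report.docx.lnk) hides behind.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".hwp", ".txt", ".jpg", ".png"}


def parse_iso_duration_seconds(value):
    """Convert a Task Scheduler ISO-8601 duration (PT5M, PT1H30M, P1D) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def triage_task_xml(xml_text, max_interval_seconds=600):
    """Return findings for one task definition. A real export is UTF-16 with an XML
    declaration; pass the raw bytes to ET.fromstring rather than a decoded str."""
    root = ET.fromstring(xml_text)
    intervals = [parse_iso_duration_seconds(e.text)
                 for e in root.iterfind(".//t:Repetition/t:Interval", TASK_NS) if e.text]
    short = [i for i in intervals if i <= max_interval_seconds]
    findings = []
    if not short:
        return findings  # no short repetition: the persistence pattern here does not apply
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", TASK_NS):
        path = PureWindowsPath((cmd.text or "").strip().strip('"'))
        if path.name.lower() in INTERPRETERS:
            findings.append(f"interpreter {path.name} re-run every {min(short)}s from {path}")
        elif not str(path).lower().startswith(TRUSTED_ROOTS):
            findings.append(f"short-interval task runs executable outside trusted roots: {path}")
    return findings


@dataclass
class Entry:
    """One directory entry from a removable drive (path relative to the drive root)."""
    path: str
    is_dir: bool
    hidden: bool  # FILE_ATTRIBUTE_HIDDEN set on the entry


def triage_drive_listing(entries):
    """Flag hidden root-level directories and document-masquerading .lnk files."""
    findings = []
    for e in entries:
        p = PureWindowsPath(e.path)
        if e.is_dir and e.hidden and len(p.parts) == 1:
            findings.append(f"hidden directory in drive root: {e.path}")
        elif not e.is_dir and p.suffix.lower() == ".lnk":
            inner = PureWindowsPath(p.stem).suffix.lower()
            if inner in DOC_EXTS:
                findings.append(f"shortcut masquerading as {inner} document: {e.path}")
    return findings


# Constructed sample: a task repeating every five minutes that runs a Ruby interpreter
# from a user-writable folder named after a USB utility (placeholder name).
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition>
    <StartBoundary>2024-01-01T09:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\Public\\USBSpeedMonitor\\bin\\ruby.exe</Command>
    <Arguments>C:\\Users\\Public\\USBSpeedMonitor\\monitor.rb</Arguments></Exec></Actions>
</Task>"""

# Constructed sample: a daily vendor updater with no repetition and a trusted install root.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec></Actions>
</Task>"""

# Constructed drive snapshot: one hidden root directory, two document-named shortcuts.
SAMPLE_DRIVE_LISTING = [
    Entry(".staging", True, True),
    Entry("Photos", True, False),
    Entry("report.docx.lnk", False, False),
    Entry("notes.txt", False, False),
    Entry("budget.xlsx.lnk", False, False),
]

if __name__ == "__main__":
    for f in triage_task_xml(SUSPICIOUS_TASK_XML) + triage_drive_listing(SAMPLE_DRIVE_LISTING):
        print("FINDING:", f)
```

The task check deliberately keys on the combination of a short repetition interval and an interpreter or non-standard install path, since either alone is common on a healthy workstation; the drive check is filename-based and will miss shortcuts that keep a single extension, so treat a clean result as a prompt to examine the .lnk targets themselves rather than as a clean bill.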
