North Korean Hackers Use ZIP Files to Deploy Malicious PowerShell Scripts

Summary: The North Korean threat group tracked as APT37 (also known as ScarCruft) is using targeted phishing to deploy the RokRat remote access Trojan (RAT), delivering malicious ZIP archives that contain LNK shortcut files disguised as documents. The lures draw on real information to appear credible and trigger a multi-stage infection chain that collects system details and exfiltrates data through legitimate cloud services. These tactics reflect APT37's continued evolution in targeting both Windows and Android platforms.

Affected: Organizations susceptible to phishing attacks and malware infections.

Key points:

  • APT37 uses phishing emails with ZIP attachments containing malicious LNK files disguised as documents related to North Korea.
  • The infection involves a multi-stage process with PowerShell scripts, leading to the deployment of RokRat RAT.
  • RokRat exfiltrates data to cloud services, employs anti-analysis techniques, and utilizes encrypted communications to evade detection.

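The delivery stage described above (a ZIP attachment carrying a shortcut file dressed up as a document) can be screened at the mail gateway or on an analyst's workstation before anything is opened. The following Python script is an added defensive example, not code from the original article or from any vendor; it flags archive entries whose bytes carry the Windows shell-link header, whose names hide a `.lnk` behind a document extension, or whose shortcut data references `powershell`. The sample archive it builds is constructed for the demonstration and is not a real attack artifact.

```python
from __future__ import annotations
import io
import re
import zipfile

# Per MS-SHLLINK, a shortcut starts with HeaderSize 0x4C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 (on-disk byte order).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
DOC_EXTS = (".doc", ".docx", ".pdf", ".hwp", ".xls", ".xlsx", ".txt")
# Match "powershell" whether stored as ASCII or as UTF-16LE (how LNK strings are encoded).
PS_PATTERN = re.compile(
    rb"powershell|p\x00o\x00w\x00e\x00r\x00s\x00h\x00e\x00l\x00l\x00", re.IGNORECASE)

def inspect_zip(data: bytes) -> list[dict]:
    """Return one finding per archive entry that looks like a disguised shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            content = zf.read(info)
            is_lnk = content.startswith(LNK_MAGIC)
            # "brief.docx.lnk": the real extension sits behind a document one.
            stem = name[:-4] if name.endswith(".lnk") else name
            double_ext = name.endswith(".lnk") and stem.endswith(DOC_EXTS)
            reasons = []
            if is_lnk and not name.endswith(".lnk"):
                reasons.append("shell-link header but non-.lnk name")
            if double_ext:
                reasons.append("document extension followed by .lnk")
            if is_lnk and PS_PATTERN.search(content):
                reasons.append("shortcut references powershell")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample archive for the demo: one disguised shortcut, one benign file."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + "powershell -w hidden".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("North_Korea_brief.docx.lnk", fake_lnk)
        zf.writestr("notes.txt", b"benign text")
    return buf.getvalue()

if __name__ == "__main__":
    for hit in inspect_zip(build_sample_zip()):
        print(hit["name"], "->", "; ".join(hit["reasons"]))
```

Real shortcuts also carry an embedded argument string and often additional payload data, so in production this check belongs alongside a full LNK parser rather than replacing one.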
Source: https://gbhackers.com/north-korean-hackers-use-zip-files/