Increase in RoKRAT Fileless Attacks by APT37 Group

◈ Executive Summary

  • Lures impersonating North Korea-related questionnaires, manuscripts, security columns, articles, and monthly magazines
  • Malicious LNK files hidden inside ZIP archives
  • Abuse of cloud storage such as Dropbox and pCloud as attack infrastructure
  • Continued RoKRAT fileless attacks by the APT37 group
  • Early detection of the LNK and PowerShell stages through Genian EDR

1. Overview

○ Genians Security Center (GSC) identified multiple APT37 threat campaigns targeting South Korea from February 12, 2024, following the Lunar New Year holiday, through the end of the month. APT37 is one of the major nation-state threat groups targeting Korea, alongside Lazarus, Kimsuky, and Konni. It primarily conducts spear-phishing campaigns against North Korean human rights organizations, journalists covering North Korea, and defectors.

○ Through in-depth analysis of actual cases, GSC confirmed that PowerShell commands embedded in LNK files were used consistently in the initial stage of these attacks. From the threat actors' perspective, this technique has likely proven somewhat effective at evading anti-virus detection. The actors then execute the encrypted RoKRAT malware in a fileless manner to collect endpoint information and covertly exfiltrate it to overseas cloud servers.
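The LNK-in-ZIP delivery stage described above can be triaged before the shortcut is ever opened, by parsing the shell link's StringData fields (relative path and command-line arguments) straight out of the archive. The following scanner is an added example written for this page, not Genians' or Genian EDR's code; the MS-SHLLINK field layout is real, while the keyword list, file names, and the sample shortcuts are constructed for illustration.

```python
import io, struct, zipfile

HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_ARGS, IS_UNICODE = 0x01, 0x02, 0x04, 0x08, 0x20, 0x80  # MS-SHLLINK LinkFlags
SUSPICIOUS = ("powershell", "pwsh", "-enc", "bypass", "hidden", "downloadstring", "iex")  # hypothetical triage keywords; tune them

def lnk_strings(data: bytes) -> dict:
    """Parse the StringData section of a .lnk: name, relpath, workdir, args, icon (those present)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                        # skip the fixed 76-byte ShellLinkHeader
    if flags & HAS_IDLIST:            # LinkTargetIDList: 2-byte IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:          # LinkInfo: 4-byte LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    out, width = {}, 2 if flags & IS_UNICODE else 1
    for i, key in enumerate(("name", "relpath", "workdir", "args", "icon")):   # consecutive flag bits
        if flags & (HAS_NAME << i):   # 2-byte CountCharacters, then the chars (no terminator)
            count = struct.unpack_from("<H", data, pos)[0] * width
            out[key] = data[pos + 2:pos + 2 + count].decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count
    return out

def suspicious_lnks(zip_bytes: bytes) -> list:
    """(member name, matched keywords) for each .lnk in the archive that looks like a PowerShell launcher."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in (n for n in zf.namelist() if n.lower().endswith(".lnk")):
            try:
                s = lnk_strings(zf.read(name))
            except ValueError:        # not a shell link, or truncated: skip it rather than crash
                continue
            blob = (s.get("relpath", "") + " " + s.get("args", "")).lower()
            hits = [k for k in SUSPICIOUS if k in blob]
            if hits:
                findings.append((name, hits))
    return findings

def make_lnk(relpath: str, args: str) -> bytes:   # constructed sample: minimal Unicode shortcut
    clsid = b"\x01\x14\x02" + b"\x00" * 5 + b"\xc0" + b"\x00" * 6 + b"\x46"   # {00021401-...-000000000046}
    header = struct.pack("<I", 0x4C) + clsid + struct.pack("<I", HAS_RELPATH | HAS_ARGS | IS_UNICODE) + b"\x00" * 52
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")   # one StringData field
    return header + sd(relpath) + sd(args)

def constructed_zip() -> bytes:   # constructed archive: one benign shortcut, one PowerShell launcher
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.lnk", make_lnk("..\\notes.txt", ""))
        zf.writestr("manuscript.lnk", make_lnk("..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "-windowstyle hidden -ep bypass -enc PLACEHOLDER"))
    return buf.getvalue()
```

Running `suspicious_lnks(constructed_zip())` flags only `manuscript.lnk`; on real mail attachments the same parse gives the command line to feed an EDR or sandbox rule.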

Full Report: https://www.genians.co.kr/blog/threat_intelligence/rokrat