A North Korea–linked group, APT37, has deployed a new “Ruby Jumper” campaign that uses malicious LNK files and a suite of implants to infect systems and bridge air-gapped networks via removable USB media. The operation leverages newly documented tools — including Restleaf, SnakeDropper, ThumbSBD, VirusTask and FootWine — with Restleaf using Zoho WorkDrive for C2 and ThumbSBD enabling USB propagation for delayed exfiltration. #APT37 #Restleaf
Keypoints
- APT37’s “Ruby Jumper” campaign was discovered by Zscaler ThreatLabz and uses malicious LNK (Windows shortcut) files whose PowerShell command extracts payloads embedded in the shortcut file itself.
- The campaign employed six tools, five of which were previously undocumented, expanding APT37’s toolkit and tactics.
- Restleaf is a new implant that profiles hosts and uses Zoho WorkDrive for command-and-control to retrieve follow-on components.
- ThumbSBD propagates infections via USB drives to reach air-gapped systems, while VirusTask and FootWine handle backdoor access and data collection.
- SnakeDropper deploys modules in memory to minimize disk artefacts, and BlueLight, the one previously documented tool in the set, is used for command execution and for staging exfiltration via removable media.
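The LNK-with-embedded-payload pattern in the first key point is something a defender can triage mechanically: a shortcut whose target or arguments launch PowerShell with window-hiding switches, and whose file continues past the TerminalBlock that should end a Shell Link, is carrying an overlay. The script below is an added example written for this page, not code from Zscaler or from the Ruby Jumper samples; it follows the public MS-SHLLINK layout, and the shortcut it inspects is built inside the script (the PowerShell argument string, volume serial number and appended bytes are all constructed stand-ins, not indicators from the campaign).

```python
"""Triage a Windows .lnk (Shell Link) for a PowerShell launcher with bytes
appended after the TerminalBlock, i.e. an embedded payload overlay.
Field layout follows the public MS-SHLLINK specification. The sample
shortcut at the bottom is constructed here; it is not a real sample."""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_IDLIST, HAS_LINKINFO = 0x01, 0x02
HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
SW_SHOWMINNOACTIVE = 7   # ShowCommand that starts the window minimised
POWERSHELL_MARKERS = ("-windowstyle hidden", "-w hidden", "-ep bypass",
                      "-executionpolicy bypass", "-enc", "-nop",
                      "frombase64string", "readallbytes")

def parse_lnk(data: bytes) -> dict:
    """Walk header, IDList, LinkInfo, StringData and ExtraData; return the
    parsed fields plus whatever follows the TerminalBlock ('overlay')."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    off, target = HEADER_SIZE, None
    if flags & HAS_IDLIST:                     # skip the shell item ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:
        li_size, _hdr_size, li_flags = struct.unpack_from("<III", data, off)
        if li_flags & 0x1:                     # VolumeIDAndLocalBasePath present
            lbp = off + struct.unpack_from("<I", data, off + 16)[0]
            target = data[lbp:data.index(b"\x00", lbp)].decode("cp1252", "replace")
        off += li_size
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for bit, name in STRING_FIELDS:            # CountCharacters-prefixed strings
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            raw = data[off:off + (count * 2 if unicode else count)]
            off += len(raw)
            strings[name] = raw.decode("utf-16-le" if unicode else "cp1252", "replace")
    while off + 4 <= len(data):                # ExtraData ends with BlockSize < 4
        block = struct.unpack_from("<I", data, off)[0]
        if block < 4:
            off += 4
            break
        off += block
    return {"flags": flags, "show_command": show_cmd, "target": target,
            **strings, "overlay": data[off:]}

def triage_lnk(data: bytes) -> list:
    """Return human-readable indicators; an empty list means nothing matched."""
    info = parse_lnk(data)
    target = (info["target"] or "").lower()
    args = info.get("arguments", "").lower()
    findings = []
    if "powershell" in target or "powershell" in args:
        findings.append("launches PowerShell")
    hits = [m for m in POWERSHELL_MARKERS if m in args]
    if hits:
        findings.append("evasive PowerShell switches: " + ", ".join(hits))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window minimised on launch")
    if info["overlay"]:
        findings.append(f"{len(info['overlay'])} bytes appended after TerminalBlock")
    return findings

def build_sample_lnk(arguments: str, overlay: bytes) -> bytes:
    """Assemble a minimal spec-conformant .lnk (constructed test input):
    LinkInfo pointing at powershell.exe, Unicode Arguments, a TerminalBlock,
    then the overlay bytes."""
    target = b"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\x00"
    label = b"\x00"                                    # empty volume label
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0x1234ABCD, 16) + label
    li_hdr = 28
    lbp_off = li_hdr + len(volume_id)
    suffix_off = lbp_off + len(target)
    li_size = suffix_off + 1                           # + empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", li_size, li_hdr, 0x1, li_hdr, lbp_off, 0, suffix_off)
    link_info += volume_id + target + b"\x00"
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID
    header += struct.pack("<II", HAS_LINKINFO | HAS_ARGS | IS_UNICODE, 0x20)
    header += b"\x00" * 24                             # three FILETIMEs left zero
    header += struct.pack("<IiIHHII", 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    assert len(header) == HEADER_SIZE
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + string_data + b"\x00\x00\x00\x00" + overlay

# Constructed stand-ins: an inert carve-yourself command and a fake decoy+payload overlay.
SAMPLE_ARGS = ('-WindowStyle Hidden -ep bypass -c "$b=[IO.File]::ReadAllBytes($lnk);'
               '[IO.File]::WriteAllBytes($out,$b[3000..9000])"')
SAMPLE_OVERLAY = b"%PDF-1.4 constructed decoy document\n" + b"MZ" + b"\x90" * 30
SAMPLE_LNK = build_sample_lnk(SAMPLE_ARGS, SAMPLE_OVERLAY)

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print("target:", info["target"])
    print("arguments:", info["arguments"])
    for finding in triage_lnk(SAMPLE_LNK):
        print(" -", finding)
```

Run against a directory of shortcuts harvested from mail gateways or removable media, the overlay check is the high-signal part: a legitimate shortcut ends at its TerminalBlock, so any trailing bytes are worth carving and scanning regardless of what the argument string looks like. The PowerShell-switch list is a starting point, not a signature; attackers vary casing and abbreviations, which is why everything is lower-cased before matching.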
Read More: https://www.infosecurity-magazine.com/news/north-korea-apt37-expands-toolkit/