Analysis of the APT37 Attack Case Under the Guise of a South Korean National Security Strategy Think Tank (Operation Name: Toybox Story)

APT37 conducted spear phishing attacks targeting North Korea-related activists, distributing malicious LNK files via Dropbox disguised as academic conference invitations. The group leveraged legitimate cloud services (Dropbox, pCloud and Yandex) for command and control, demonstrating advanced fileless malware tactics.

Keypoints

  • APT37 targeted North Korea-related activists with spear phishing emails containing links to Dropbox-hosted malicious LNK files disguised as academic event materials.
  • The attacks utilized the Living off Trusted Sites (LoTS) technique, abusing legitimate cloud storage services for command and control (C2) communication.
  • The malicious LNK files executed obfuscated PowerShell commands, leading to fileless malware deployment using the RoKRAT RAT family.
  • The RoKRAT malware collects detailed system information, captures screenshots, and performs encrypted data exfiltration via cloud APIs.
  • Multiple cloud services, including Dropbox, pCloud, and Yandex, were used as C2 servers, with attackers employing VPNs like NordVPN and AstrillVPN to hide their tracks.
  • Emails used diverse sender addresses, including Yandex and Gmail accounts linked to prior APT37 campaigns, some impersonating expert individuals and organizations.
  • The report highlights the necessity of enhanced detection capabilities, specifically EDR-based anomaly hunting, to effectively detect and mitigate such fileless and cloud-based attacks.
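The LNK-to-PowerShell-to-cloud-API chain summarised above is what an EDR hunt needs to surface. The following is an added example, not code from the Genians report, that scores Sysmon-style process and network events for that chain; the cloud API host names, the explorer.exe parent heuristic and all sample events are assumptions constructed for illustration.

```python
import re
from typing import Dict, List

# Cloud storage API hosts of the services the report names as C2 channels (LoTS).
# The exact host names are assumptions for illustration; add the ones seen in your telemetry.
CLOUD_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "api.pcloud.com", "cloud-api.yandex.net"}
PS_IMAGES = ("powershell.exe", "pwsh.exe")
# Launch flags typical of obfuscated one-liners embedded in malicious LNK files.
SUSPICIOUS_PS_ARGS = re.compile(r"-(?:enc(?:odedcommand)?\b|w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|ep\s+bypass)", re.I)

def score_process(ev: Dict[str, str]) -> List[str]:
    """Reasons a ProcessCreate event looks like the LNK -> PowerShell stage."""
    reasons = []
    if not ev.get("Image", "").lower().endswith(PS_IMAGES):
        return reasons
    # Assumed heuristic: a double-clicked shortcut is launched by explorer.exe.
    if ev.get("ParentImage", "").lower().endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (shortcut launch pattern)")
    cmd = ev.get("CommandLine", "")
    if SUSPICIOUS_PS_ARGS.search(cmd):
        reasons.append("hidden/encoded/bypass flags on the command line")
    if re.search(r"\.lnk\b", cmd, re.I):
        reasons.append("command line references a .lnk file")
    return reasons

def score_network(ev: Dict[str, str]) -> List[str]:
    """Reasons a NetworkConnect event looks like cloud-API C2 from PowerShell."""
    host = ev.get("DestinationHostname", "").lower()
    if ev.get("Image", "").lower().endswith(PS_IMAGES) and host in CLOUD_API_HOSTS:
        return [f"powershell connecting to cloud storage API {host} (possible LoTS C2)"]
    return []

def hunt(events: List[Dict[str, str]]):
    """Return (Id, reasons) for every event that trips at least one heuristic."""
    hits = []
    for ev in events:
        reasons = score_process(ev) if ev["EventType"] == "ProcessCreate" else score_network(ev)
        if reasons:
            hits.append((ev["Id"], reasons))
    return hits

# Constructed sample telemetry (Sysmon-style field names); not taken from the report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Id": "1", "EventType": "ProcessCreate", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -windowstyle hidden -ep bypass -nop -c "$f=gci *.lnk"'},
    {"Id": "2", "EventType": "NetworkConnect", "Image": PS, "DestinationHostname": "api.dropboxapi.com"},
    {"Id": "3", "EventType": "ProcessCreate", "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe Get-Date"},
]
```

Running `hunt(SAMPLE_EVENTS)` flags events 1 and 2 and leaves the benign cmd.exe-launched PowerShell alone; tune the flag regex and host set to your own baseline before deploying it as a hunt query.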

MITRE Techniques

  • [T1566] Phishing – APT37 sent spear phishing emails with malicious LNK attachments to deliver the payload (‘APT37 used spear phishing emails to deliver malicious LNK files’).
  • [T1071] Application Layer Protocol – Command and control traffic was conducted through legitimate cloud services like Dropbox and pCloud (‘Command and control communications were established using Dropbox and other cloud services’).
  • [T1203] Exploitation for Client Execution – The LNK files triggered PowerShell commands on victim machines to execute malware (‘Malicious LNK files executed PowerShell commands on victim machines’).
  • [T1059] Command and Scripting Interpreter – PowerShell was leveraged to run obfuscated scripts and load shellcode in memory (‘PowerShell was used to execute the final payload after the LNK file was run’).
  • [T1027] Obfuscated Files or Information – Payloads were obfuscated using techniques such as splitting scripts and XOR encryption to evade detection (‘The malicious payload was obfuscated to evade detection’).

Indicators of Compromise

  • [Email Addresses] Used by attackers for sending spear phishing emails and registering cloud accounts – [email protected], [email protected], [email protected], [email protected]
  • [IP Addresses] Command and control servers associated with RoKRAT C2 communication – 89.147.101[.]65, 89.147.101[.]71, 37.120.210[.]2
  • [File Hashes] Malicious LNK files and associated payloads involved in the attack – 81c08366ea7fc0f933f368b120104384, 723f80d1843315717bc56e9e58e89be5, and 10 more hashes
  • [File Names] Malicious compressed and shortcut files distributed via phishing – ‘관련 포스터.zip’, ‘러시아 전장에 투입된 인민군 장병들에게.zip’, and internal LNK files with obfuscated names


Read more: https://www.genians.co.kr/blog/threat_intelligence/toybox-story
