North Korean state-backed group APT37 is running a campaign called Ruby Jumper that uses removable drives to bridge air-gapped systems for data exfiltration and covert surveillance. Researchers at Zscaler identified a five-tool toolkit — RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE — that leverages LNK/PowerShell chains, Zoho WorkDrive C2, and a hidden Ruby runtime to persist and spread. #APT37 #RubyJumper
Key points
- Ruby Jumper begins with malicious LNK files that deploy PowerShell scripts and open a decoy document.
- RESTLEAF uses Zoho WorkDrive to fetch encrypted shellcode and deliver the SNAKEDROPPER loader.
- SNAKEDROPPER installs a disguised Ruby 3.3.0 runtime and corrupts RubyGems to auto-load malicious code via a scheduled task.
- THUMBSBD creates hidden directories on USB drives to stage files and convert removable media into a bidirectional covert C2 relay.
- VIRUSTASK weaponizes removable drives to spread the infection while FOOTWINE provides extensive spyware and remote control capabilities.
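The key points above name three behaviours a defender can observe on the host itself: a shortcut-launched PowerShell, a scheduled task that starts a Ruby interpreter dropped under a user profile, and hidden directories appearing on removable drives. The script below is an added example written for this summary; it is not code from the Zscaler report or from any Ruby Jumper component. It runs simple hunting rules over constructed Sysmon-style events. The field names, the paths, the task name and the base64 placeholder are all this example's own assumptions, and the thresholds are deliberately generic rather than published indicators.

```python
import json
import re
from pathlib import PureWindowsPath

# Heuristics for the three host-observable behaviours named in the Ruby Jumper summary.
# Field names, paths and thresholds below are this example's own assumptions, not
# indicators published with the campaign.

# Scheduled-task actions under a user profile or ProgramData deserve a look: a
# disguised Ruby runtime dropped by a loader would typically live somewhere like this.
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:users\\[^\\]+\\|programdata\\)", re.IGNORECASE)

# PowerShell switches commonly used to hide a script launched from a double-clicked shortcut.
HIDDEN_PS_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|enc(?:odedcommand)?\b"
    r"|e(?:p|xecutionpolicy)\s+bypass)",
    re.IGNORECASE,
)

RUBY_IMAGES = {"ruby.exe", "rubyw.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def _finding(rule, severity, ev, reason):
    return {"rule": rule, "severity": severity, "reason": reason, "event": ev}


def check_process(ev):
    """LNK chain: Explorer (which launches .lnk targets) starting a hidden PowerShell."""
    if _base(ev.get("parent_image", "")) != "explorer.exe":
        return None
    if _base(ev.get("image", "")) not in {"powershell.exe", "pwsh.exe"}:
        return None
    flags = HIDDEN_PS_FLAGS.search(ev.get("command_line", ""))
    if not flags:
        return None
    return _finding("lnk_powershell_chain", "high", ev,
                    f"hidden PowerShell flag {flags.group(0)!r} launched under explorer.exe")


def check_task(ev):
    """Scheduled task whose action lives in a user-writable path; severity rises when
    the action is a Ruby interpreter or its arguments reference a .rb script."""
    action = ev.get("action", "")
    if not USER_WRITABLE.match(action):
        return None
    args = ev.get("arguments", "").lower()
    ruby_hint = _base(action) in RUBY_IMAGES or ".rb" in args
    reason = f"task {ev.get('task_name')!r} runs {action} from a user-writable path"
    if ruby_hint:
        reason += " (Ruby interpreter or .rb script)"
    return _finding("suspicious_task_action", "high" if ruby_hint else "medium", ev, reason)


def check_dir(ev):
    """Hidden directory created on removable media, the staging pattern described for THUMBSBD."""
    attrs = {a.lower() for a in ev.get("attributes", [])}
    if ev.get("drive_type") == "removable" and "hidden" in attrs:
        return _finding("hidden_dir_on_removable", "medium", ev,
                        f"hidden directory {ev.get('path')!r} created on a removable drive")
    return None


CHECKS = {"process_create": check_process, "task_create": check_task, "dir_create": check_dir}


def hunt(events):
    """Run every event through the check for its type; return findings in event order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


def hunt_jsonl(text):
    """Same as hunt() over newline-delimited JSON, the usual shape of an EDR export."""
    return hunt(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed sample telemetry: placeholder paths, task names and base64 body.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"type": "task_create", "task_name": r"\PlaceholderVendor\RuntimeCheck",
     "action": r"C:\Users\alice\AppData\Roaming\rt\bin\rubyw.exe",
     "arguments": r"C:\Users\alice\AppData\Roaming\rt\lib\init.rb"},
    {"type": "task_create", "task_name": r"\PlaceholderVendor\AgentUpdate",
     "action": r"C:\Program Files\PlaceholderVendor\agent.exe", "arguments": "/update"},
    {"type": "dir_create", "path": r"E:\.staging", "drive_type": "removable",
     "attributes": ["hidden", "system"]},
    {"type": "dir_create", "path": r"E:\Photos", "drive_type": "removable", "attributes": []},
]


def demo():
    """Serialise the constructed events as JSON lines and hunt over them."""
    return hunt_jsonl("\n".join(json.dumps(e) for e in SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']}] {f['rule']}: {f['reason']}")
```

Against the constructed events the script raises three findings (the hidden PowerShell under Explorer, the task running `rubyw.exe` from AppData, and the hidden `E:\.staging` directory) and ignores the benign PowerShell, vendor task and plain photo folder. The task rule intentionally fires on any user-writable action path rather than only on `ruby.exe`, because the report says the runtime is disguised; the Ruby hint only raises the severity.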