Genians Security Center analyzed a multi-stage social engineering campaign by APT37 that used Facebook for target reconnaissance and a tampered Wondershare PDFelement installer to execute embedded shellcode and stage follow-on payloads delivered as a JPG file from a legitimate website. The report emphasizes that the campaign abused Zoho WorkDrive for C2 and that behavior-based EDR and threat hunting are essential to detect process injection, tampered installers, and cloud-abused communications. #APT37 #WondersharePDFelement
Keypoints
- APT37 used Facebook accounts (locations set to Pyongyang and Pyongsong) to build trust with targets and moved conversations to Messenger and Telegram for file delivery.
- Targets were lured to install a malicious PDF viewer by claiming encrypted military documents required a dedicated viewer.
- The malicious payload was a carefully tampered Wondershare PDFelement installer that executed embedded shellcode via a modified entry point (code cave injection).
- The shellcode created a suspended dism.exe process, injected decrypted payloads into it, and established HTTP C2 communication to download a second-stage payload disguised as a .jpg file from japanroom[.]com.
- The in-memory second-stage payload used Zoho WorkDrive OAuth APIs for C2 and data exfiltration and supported screenshots, command execution, and file collection.
- The report recommends behavior-based EDR, threat hunting, and continuous monitoring to detect masqueraded installers, process injection, and legitimate-cloud-abused C2 channels.
MITRE Techniques
- [T1071.001] Application Layer Protocol – Used Telegram and legitimate cloud services for command-and-control communication; (‘The actor used Telegram for command and control communication.’ / ‘abuse of legitimate cloud services for C2 communication’).
- [T1203] Exploitation for Client Execution – Tampered Wondershare PDFelement installer tricked users into executing malicious code via a modified entry point and embedded shellcode; (‘the tampered installer tricked users into executing malicious code’).
- [T1070.001] Indicator Removal on Host – Malware attempted to evade detection by masquerading as legitimate software and avoiding obvious signatures (e.g., the digital signature was removed from the tampered installer); (‘the tampered installer did not contain a digital signature’).
- [T1059.001] Command and Scripting Interpreter – Malware executed system commands through cmd.exe for follow-on command execution delivered by C2; (‘Supports remote command execution in the format of cmd.exe /c "%s"’).
Indicators of Compromise
- [domain] C2 and payload hosting – japanroom[.]com (used to host/download the JPG-disguised second-stage payload)
- [ip address] Observed infrastructure / VPN usage – 38.32.68[.]195 (Astrill VPN address repeatedly observed), 222.122.49[.]15
- [file hash] Malicious installers / samples – c681fe3f42e82e9240afe97c23971cbc, d44a22d2c969988a65c7d927e22364c8, and 2 more hashes
- [file name] Delivered/malicious files – Wondershare_PDFelement_Installer(PDF_Security).exe (tampered installer), 1288247428101.jpg (JPG-disguised second-stage payload)
- [account] Social accounts used for reconnaissance/delivery – Facebook accounts “richardmichael0828”, “johnsonsophia0414” (used to befriend targets and move conversations to Telegram)