APT37 (aka ScarCruft/Ruby Sleet/Velvet Chollima) deployed five new tools in the Ruby Jumper campaign to compromise air-gapped systems using LNK-triggered PowerShell and a decoy Arabic document. The attack chain uses RestLeaf with Zoho WorkDrive for C2 to fetch shellcode that loads SnakeDropper, which installs a backdoored Ruby runtime and drops ThumbsBD and VirusTask for USB-based exfiltration and propagation, while FootWine provides Android surveillance capabilities. #APT37 #RubyJumper #RestLeaf #SnakeDropper #ThumbsBD #VirusTask #FootWine #ZohoWorkDrive
Keypoints
- APT37 used LNK files and PowerShell to deliver payloads and a decoy Arabic document about the Palestine-Israel conflict.
- RestLeaf leverages Zoho WorkDrive for command-and-control and retrieves shellcode executed in memory.
- A staged shellcode loader launches SnakeDropper, which installs a backdoored Ruby 3.3.0 runtime to maintain persistence.
- SnakeDropper drops ThumbsBD for USB-based data exfiltration and VirusTask to propagate via malicious LNKs on removable drives.
- ThumbsBD also deployed FootWine, an encrypted Android APK that enables keystroke logging, audio/video capture, and other surveillance functions.
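The delivery and propagation steps above both rely on Windows shortcut (.lnk) files that launch PowerShell, including copies planted on removable drives. The following triage script is an added example written for this summary; it is not code from the cited article or from the campaign tooling. It assumes Windows PowerShell 5.1 or later with the WScript.Shell COM object available, and it treats every mounted removable volume (Win32_LogicalDisk DriveType 2) as in scope. The regular-expression heuristics for "suspicious" targets and arguments are assumptions chosen for illustration, not indicators taken from the report.

```powershell
# Added defender example (not from the cited article): walk every removable
# drive, open each .lnk with the WScript.Shell COM object, and report shortcuts
# whose target is a PowerShell host or whose arguments look like a scripted,
# hidden or encoded launch. Assumes Windows PowerShell 5.1+.

$shell = New-Object -ComObject WScript.Shell

# DriveType 2 = removable disk. Assumption: all removable volumes are in scope;
# narrow the filter (e.g. DeviceID = 'E:') to inspect a single drive.
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 2"

# Heuristics (assumed for illustration): PowerShell hosts as the shortcut target,
# and common switches/cmdlets used to run hidden or encoded commands.
$targetPattern = '(?i)\\(powershell|pwsh)\.exe$'
$argPattern    = '(?i)(encodedcommand|-enc\b|-e\b|-ec\b|-w(indowstyle)?\s+hidden|-nop\b|bypass|\bIEX\b|DownloadString)'

foreach ($disk in $removable) {
    $root = $disk.DeviceID + '\'

    Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # CreateShortcut on an existing .lnk returns a WshShortcut with the
        # resolved TargetPath and Arguments; it does not execute the shortcut.
        $lnk       = $shell.CreateShortcut($_.FullName)
        $target    = [string]$lnk.TargetPath
        $arguments = [string]$lnk.Arguments

        $suspiciousTarget = $target    -match $targetPattern
        $suspiciousArgs   = $arguments -match $argPattern

        if ($suspiciousTarget -or $suspiciousArgs) {
            [PSCustomObject]@{
                Drive     = $disk.DeviceID
                Shortcut  = $_.FullName
                Target    = $target
                Arguments = $arguments
                # Oversized shortcut files are worth a second look: a plain
                # shortcut is normally a few KB, so a large .lnk may carry
                # an appended payload or decoy.
                SizeBytes = $_.Length
                Hidden    = ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            }
        }
    }
}
```

Run it from an elevated prompt on an analysis host with the USB device mounted read-only where possible; the output objects can be piped to `Export-Csv` for handover to incident response. Because the script only reads shortcut metadata, a hit tells you that a shortcut would invoke PowerShell, not what the script would do; hash the flagged file and review the full argument string before drawing conclusions about the VirusTask-style propagation described above.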
Read More: https://www.securityweek.com/north-korean-apt-targets-air-gapped-systems-in-recent-campaign/