North Korean APT37 Targets Journalists with GoldBackdoor

About the recent attack 

• The campaign uses a two-stage infection process that gives attackers the freedom to deploy a malicious payload while making it challenging for analysts to sample it.
• The phishing emails impersonate the former director of South Korea’s National Intelligence Service (NIS), whose account was previously compromised by APT37.
• The emails sent to the journalists included a link to download ZIP archives with LNK files, named 'Kang Min-chol edits'. Kang Min-chol is the minister of mining industries in North Korea.

More insights

• The LNK file contains a document icon and padding to artificially increase its size to 282.7MB, making it harder to easily upload to VirusTotal and other detection tools.
• The attackers use a PowerShell script that launches and opens a decoy document as a distraction; there’s another script decoded in the hindsight.
• The embedded script downloads and executes a shellcode payload stored on Microsoft OneDrive, Fantasy.

GoldBackdoor 

• The commands are related to basic RCE, file operations, keylogging, and uninstalling itself.
• The malware abuses legitimate cloud services, including Google Drive and OneDrive, to exfiltrate files.
• The targeted files are documents and media, such as PDF, MP3, TXT, DOCX, M4A, JPC, PPT, BIN, 3GP, MSG, and XLS.

Conclusion