APT37, the North Korean state-sponsored hacker group, has been found targeting journalists specializing in the Democratic People's Republic of Korea with a novel malware. Dubbed GoldBackdoor, the malware spreads via phishing attacks.

About the recent attack 

NK News first discovered the attack and contacted malware experts at Stairwell for further assistance in March. Stairwell found GoldBackdoor and later linked it to Bluelight.
  • The campaign uses a two-stage infection process that gives attackers the freedom to deploy a malicious payload while making it challenging for analysts to sample it.
  • The phishing emails impersonate the former director of South Korea’s National Intelligence Service (NIS), whose account was previously compromised by APT37.
  • The emails sent to the journalists included a link to download ZIP archives with LNK files, named 'Kang Min-chol edits'. Kang Min-chol is the minister of mining industries in North Korea.

More insights

  • The LNK file contains a document icon and padding to artificially increase its size to 282.7MB, making it harder to easily upload to VirusTotal and other detection tools.
  • The attackers use a PowerShell script that launches and opens a decoy document as a distraction; there’s another script decoded in the hindsight.
  • The embedded script downloads and executes a shellcode payload stored on Microsoft OneDrive, Fantasy.

GoldBackdoor 

GoldBackdoor is executed as a PE file and can receive basic commands remotely and exfiltrate data. It uses a set of API keys to authenticate to Azure and get commands for execution.
  • The commands are related to basic RCE, file operations, keylogging, and uninstalling itself.
  • The malware abuses legitimate cloud services, including Google Drive and OneDrive, to exfiltrate files.
  • The targeted files are documents and media, such as PDF, MP3, TXT, DOCX, M4A, JPC, PPT, BIN, 3GP, MSG, and XLS.

Conclusion

Even previously, APT37 has targeted journalists. Targets must ensure they don’t open any attachments from unconfirmed sources and take quick response measures to protect themselves.
Cyware Publisher

Publisher

Cyware