Recently, North Korean hacker group APT37 (aka ScarCruft) has applied an alternative method to target victims in South Korea via self-decoding VBA Office files for the first time. According to Malwarebytes, the group has switched to this technique to bypass several static detection mechanisms efficiently and hide the main intent of a malicious document.

Spilling the details

Earlier the group had relied on Hangul Office documents (Hwp files) as this is a widely used software in South Korea. However, this time they are using alternative attack methods.
  • Started in early 2020, the spear-phishing campaigns used malicious Microsoft Office documents embedded with a self decoding macro.
  • The attackers first need to bypass the VB object model by modifying registry values to circumvent Microsoft security.
  • After compromising Microsoft Office, an unpacker stub then embeds a variant of a RAT into the Notepad software.
  • Upon infection, the payload creates a module utilizing shellcode to compromise Notepad. Then it calls an encrypted file hosted on Google Drive that contains RokRat.
  • Once RokRat malware is deployed, it harvests data from the target system. This data is sent to attacker-controlled cloud-based services accounts on Pcloud, DropBox, Box, and Yandex.

Recent attacks

  • APT37 was found targeting stock investors in supply chain attacks by altering a private stock investment messenger service to ship malicious code.
  • In November, the group was observed using malicious HWP documents disguised as media documents predicting the U.S. presidential election to conduct APT attacks.


APT37 has been regularly implementing new methods to actively target its victims and adding new static detection mechanisms to stay under the radar. In a combination with RokRat malware, the group has got more capabilities and stealthiness, which could prove fatal for enterprises in the coming time.

Cyware Publisher