An Inside Look of APT37's Weaponized Files
An Inside Look of APT37's Weaponized Files
Throughout February and March of 2023, APT37, a threat actor based in North Korea (also tracked as ScarCruft, Temp.Reaper, Reaper, RedEyes, and Ricochet Chollima) has been highly active in its cyberespionage efforts, targeting individuals across a range of South Korean organizations. Researchers from Zscaler ThreatLabz uncovered a GitHub repository owned by a member of APT37. This operational security (OpSec) mistake has led to the revelation of a large stockpile of information regarding the malicious files employed by APT37, dating as far back as October 2020. APT37 has weaponized various file formats, such as Windows help file (CHM), HTA, HWP (Hancom office), XLL (MS Excel Add-in), and MS Office files that rely on macros. This discovery has provided valuable insights into the tactics, techniques, and procedures (TTPs) used by this threat actor, shedding light on their modus operandi.
Zscaler researchers shared, "this wealth of information retrieved from the GitHub repository gave us a lot of insight into the types of themes used by the threat actor as social engineering lures and we were able to make an educated guess about the potential targets of the campaign." Based on the themes and filename names targets have included political entities, technology companies, academic universities, and financial service organizations. The weaponized files drop malicious payloads with recent chains using mshta.exe to execute an HTA file leading to a PowerShell backdoor known as Chinotto. The backdoor has the ability to execute commands sent by a server, as well as to exfiltrate sensitive data. Recent enhancements to Chinotto's capabilities now include capturing screenshots every five seconds and logging keystrokes. This gathered information is then saved in a ZIP archive and transmitted to a remote server.