CyberWire Daily - Diving deep into North Korea's APT37 tool kit. [Research Saturday]
Episode Date: March 6, 2021

Guest Hossein Jazi of Malwarebytes joins us to take a deep dive into North Korea's APT37 (aka ScarCruft, Reaper and Group123) toolkit. On December 7, 2020 the Malwarebytes Labs threat team identified a... malicious document uploaded to VirusTotal which was purporting to be a meeting request likely used to target the government of South Korea. The meeting date mentioned in the document was 23 Jan 2020, which aligns with the document compilation time of 27 Jan 2020, indicating that this attack took place almost a year ago. The file contains an embedded macro that uses a VBA self-decoding technique to decode itself within the memory space of Microsoft Office without writing to the disk. It then injects a variant of RokRat into Notepad. Based on the injected payload, the Malwarebytes team believes that this sample is associated with APT37. This North Korean group is also known as ScarCruft, Reaper and Group123 and has been active since at least 2012, primarily targeting victims in South Korea.

The research can be found here: Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat
Transcript
You're listening to the CyberWire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves
in a rapidly evolving cyberspace.
Thanks for joining us.
We do the triage, looking at the sample,
and if it does something, analysis, we take the sample for further investigation.
This is one of the samples that caught our interest.
That's Hossein Jazi. He's a senior threat intelligence analyst at Malwarebytes.
The research we're discussing today is titled Retrohunting APT37: North Korean APT used VBA self decode technique
to inject RokRat. And now a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
And I took the sample and I started to do a further analysis and then figure out, okay,
this is something interesting related to an APT.
And that was the time that I started to look for more analysis and preparing a blog on that.
And is your sense that this is a particularly targeted campaign, that they're
going after specific individuals here? Yeah, we believe the target of this attack
was the government of South Korea. And it's really aligned with the interest of this
state-sponsored APT that is targeting the government of South Korea.
Well, let's go through it together.
I mean, there are a lot of steps here and some really interesting technical things that
you all have discovered here.
Why don't we walk it through step by step?
I mean, if I'm the target of these folks, how are they typically going to start their interaction with me?
Okay.
So I would like to speak a little bit about this APT and then go through this attack.
So APT37 is one of the most sophisticated North Korean threat actors that has been active since at least 2012.
This group is also known as ScarCruft, Group123, Reaper, or Geumseong121. And this group has mainly targeted South
Korea; like the attack we analyzed, the target was South Korea. But this group also has targeted several other countries,
such as Vietnam, Japan, China, and some countries in the Middle East.
So the main initial infection vector used by this actor is spear phishing emails.
But they also use some other techniques, such as strategic web compromise, in which they compromise a website to host their malware or host a malicious document.
So the one we analyzed, we believe it started with a spear phishing attack.
So they sent an email to a victim, and they might attach the malicious document directly to the email, but
this actor has used links to the malicious document hosted in Google Drive in the past.
So since we didn't have access to the phishing email, I cannot say which one, but
possibly they used one of these techniques to send the email.
So the attack, as I said, started by sending a phishing email, which has a document attachment or has a link that redirects the victim to download the document.
And usually this group mainly uses Hangul documents, which is a popular word processor in South Korea. But this one was an interesting one, and they used Microsoft Office to
start their attack. This is not the first time that they have used Microsoft Office, but this is
not the common one. Yeah, well, I mean, let's continue down that
path. So I get hit with this spear phishing email and I take the bait
and I click on the link. What happens next? So yeah, so if we assume that the
phishing email contains a malicious document, then the victim clicks the
document and opens the document, and the document
asks you to enable content. So when you enable the content, the macro is executed in the
background and performs some malicious activity, which in this case injected a payload
into Notepad. But what was interesting is the technique that's used in the malicious macro.
So the technique, we call that VBA self-decode.
Yeah, so let's go through that together.
As you mentioned, this self-decoding technique
is fascinating because you've got VBA macros
inside of VBA macros.
Take us through this step by step.
Yeah, sure.
So VBA self-decoding is a technique
that in which a malicious macro
is embedded within another macro
and then is executed dynamically
without being written into the disk.
So in other words,
we can consider this one as
an implementation of packer technology within Microsoft Office.
So here there is an unpacker stub,
which is a macro that unpacks or decodes
the malicious macro and writes it
into the memory space of Microsoft Office, and then jumps to the start of
the new macro and executes it. And so by doing this, it helps obfuscate what's going on here.
But as you mentioned, it also keeps it from being written to disk, which I suppose would be a way
that anti-malware would be able to pick up on it. Yeah, exactly. Because what you see, you see the unpacker stub,
or a macro that unpacks the malicious macro.
So you won't see the real macro that is being executed,
and you won't see what's going to happen when the macro is executed.
You just see the macro that is doing some malicious activity,
but you never know what
was going to happen. So this macro within a macro gets executed, and then what happens next?
Okay. So first of all, to execute the macro dynamically within the macro,
the VBA object model needs to be bypassed, because
Microsoft Office by default
disables dynamic execution of macros.
So before decoding the macro,
this malicious document bypasses
the VBA object model protection by modifying its registry key.
After that, it does the process of decoding.
For the process of decoding,
they have a custom decoder that decodes the macro.
When they decode the macro,
they create a module within the space of
Microsoft Office and jump to the start of the new macro.
This is where the main malicious behavior is happening.
Here, there is a shellcode that will be injected into Notepad.
They create a process, which is
the target process, and it's Notepad here,
and then create a memory space within Notepad,
and then inject the shellcode into that memory by calling
WriteProcessMemory, and then execute that shellcode within the Notepad process by calling
ResumeThread. So what this shellcode does is go to a bit.ly link that redirects the machine to Google Drive to download the final payload, which is
a variant of RokRat. So this is the clever technique used by this attacker: they used a
URL shortener to hide the URL that they are contacting and then hosted their payload in Google Drive.
So it looks legitimate and nothing malicious.
And the payload hosted in Google Drive is encrypted.
So it won't be flagged by Google as malicious.
So then the shellcode takes the payload, decrypts that payload, and executes it.
And so what is the functionality there of RokRat?
So RokRat is a cloud-based RAT that first, I think, was used by this APT around 2017.
But the main functionality of this RAT is to steal information from the victim.
So it has the capability to take screenshots of the victim.
It has the capability to record audio.
It has the capability to steal credentials from the browser and then send that collected info to cloud services such as pCloud, Yandex,
Box, Dropbox.
So this is another clever technique used by RokRat to communicate, to perform C&C communication
through cloud services.
So still they are trying to hide or pretend that their command and control communication is legitimate.
Now, the system itself, I mean, as it's going through this process,
it's checking to see if it's running, for example, in a sandbox or something like that.
I mean, it's trying to hide itself.
Yes.
So, you know, most APTs try to do anti-analysis or check if they are running in a sandbox environment.
So this is the same.
So they are doing some basic checks,
such as looking if they are running under a debugger by using APIs
like IsDebuggerPresent or GetTickCount,
or also checking for VMware-specific files or looking for different DLLs.
And if they find those artifacts, they won't show the behavior.
So how successful is this system,
going through the various steps here, how successful is it at evading detection?
I think this would be really successful for several reasons.
First of all, they started the attack with the VBA self-decoding technique.
So assume that they carefully crafted the document
to convince the victim to enable the content,
which is the main step.
Then they can perform behavior in a coerced structure.
So it would be really hard for defenders
to figure out if this is legit or malicious behavior,
because it spawns Notepad
and then injects the payload within Notepad.
And the C2 communications are going to cloud services, which looks legit.
And also the payload downloaded from the Google Drive.
So all looks legit and pretends to be legitimate communication.
So I think it would be a successful attack.
But what are your recommendations then for folks to best protect themselves?
So this technique can easily bypass static and signature-based detection. So the recommendation would be to monitor the dynamic behavior of Microsoft Office.
So in that way, you will figure out, oh, there is something happening on this machine,
because Microsoft Office spawned Notepad, which is not something normal.
And then Notepad is doing some communication,
is sending some files from my machine to a cloud service.
I know I'm using, for example, Box, but why are some files transferring from my machine to
a Box that I don't know? So I think dynamic analysis would help figure out or defeat this.
Our thanks to Hossein Jazi from Malwarebytes for joining us.
The research is titled Retrohunting APT37:
North Korean APT used VBA self decode technique to inject RokRat.
We'll have a link in the show notes.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home? Black Cloak's award
winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.