The North Korean state-sponsored hacking group APT37 (aka ScarCruft, Reaper), has been identified leveraging group chat platforms to distribute malicious LNK files.<\/p>\n
This latest tactic highlights the group\u2019s evolving methods to infiltrate systems and exfiltrate sensitive data.<\/p>\n
APT37\u2019s recent campaign involves sending malicious LNK files through group chats on popular messaging platforms.<\/p>\n
These files are often embedded in ZIP archives and disguised with familiar icons and filenames to deceive targets.<\/p>\n
For instance, attackers used filenames such as \u201cChanges in Chinese Government\u2019s North Korea Policy.zip\u201d to lure victims into opening the file.<\/p>\n
Analysts at Genians identified<\/a> that once executed, the LNK file triggers a PowerShell command that initiates a multi-stage infection chain.<\/p>\n The command decodes and executes embedded scripts, often leading to the deployment of the RokRAT malware.<\/p>\n RokRAT is a powerful remote access trojan<\/a> (RAT) capable of data exfiltration, screen capturing, and remote command execution.<\/p>\n The malicious LNK files contain embedded PowerShell commands that execute hidden scripts.<\/p>\n This script reads a malicious payload from a temporary file ( Such fileless execution techniques evade traditional antivirus detection<\/a>.<\/p>\n APT37 employs social engineering tactics by impersonating trusted individuals or organizations. For example, attackers have used themes like geopolitical reports or lecture materials as bait.<\/p>\n These files often appear legitimate but contain embedded OLE objects or scripts that activate upon interaction.<\/p>\n The primary payload in these attacks is often RokRAT or similar malware variants. Key features include:-<\/p>\n APT37<\/a> also leverages cloud services like pCloud and OneDrive for command-and-control (C2) operations, further complicating detection efforts.<\/p>\n To defend against such threats, deploy endpoint detection and response (EDR) solutions capable of detecting abnormal behaviors, such as fileless malware execution.<\/p>\n In addition, educate users about the risks of opening unsolicited files, even from trusted contacts, and disable the \u201cHide extensions for known file types\u201d setting to easily identify suspicious double extensions like \u201c.pdf.lnk.\u201d<\/p>\n APT37\u2019s use of group chats as a delivery mechanism underscores their adaptability and persistence in targeting South Korean entities and beyond. Organizations must remain vigilant and adopt proactive cybersecurity measures<\/a> to counter such advanced persistent threats.<\/p>\n Security researchers have identified several IoCs related to this campaign:-<\/p>\n The post APT37 Hackers Abusing Group Chats To Attack Via Malicious LNK File<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhS-Hfc78X1M0kfb6stjzG1By9lAASDVpsHWCN6xjOLYkL1HN9um_Tr5bIteGl6WU9poc347uNslRdPl_nxVLHe6ciyoD4aEn-mQ8c0Zg02aMaoe5DsKg3HGUk_Ui2nntxiqVQs6ODPWCq7rLqtT_BB1y04rIe0z10tl6UxIBWAYEZ6KtUNmp5dk1uS2J0\/s16000\/Attack%2520Timeline%2520Flowchart%2520%28Source%2520-%2520Genians%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiWHzuATJbL0jfBtY0zgivXt29-B5eafGLmfyS44Nak8D4b5J_m06XopxmSs6FUypuTe6L6bM8LZCjuMXhLKtOSWFsddBtBo8W7Qq_kVB-KASGCgVms4SVq9sx3My_HHLwftfeOKZ6fCL0rREosRHLH-ACPTkE5jv7Zlo49SkHq-5svb9AF-5ggMS2-Sxo\/s16000\/Find%2520this%2520story%2520interesting%21%2520Follow%2520us%2520on%2520Google%2520News.webp?ssl=1\")
<\/a><\/figure>\n<\/div>\nAttack Analysis<\/strong><\/h2>\n
bus.dat<\/code>), decodes it, and executes it in memory.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgP9IasUn-3iNBh0oFsMY4v1rRvJqb1RhkvLGm5oTqua6u0iLrFaEDddhkspy_tMVAy3GYtJH0ALMmatkZhE1N5oalcecEZuaIU95SQRBu8mXRgl_77eu20NtPTv3R-oeIcTamNX9MUcgL_ZvWyAC5Xpc1eQxLasM5OKl7oRNQPNN3_K78ZRYwI75AQjUc\/s16000\/Attack%2520vector%2520%28Source%2520-%2520Genians%29.webp?ssl=1\")
\n
Indicators of Compromise (IoCs)<\/strong><\/h2>\n
\n
1a70a013a56673f25738cf145928d0f5<\/code>, 1c3bb05a03834f56b0285788d988aae4<\/code>\n<\/li>\n172.86.115[.]125<\/code>, mailattachmentimageurlxyz[.]site<\/code>\n<\/li>\n<\/ul>\nAre you from SOC\/DFIR Teams? \u2013\u00a0Analyse Malware Files & Links with ANY.RUN Sandox\u00a0->\u00a0Start Now for Free<\/a>.<\/strong><\/code><\/strong><\/code><\/strong><\/p>\n