Digital Shadows: APT37 is back with a new cyber espionage spear phishing campaign. It exploits cloud-related platforms to distribute malware, evade detection, and minimize the group's footprint
APT37, after a period of inactivity, has launched a new spear phishing cyber espionage campaign, according to Digital Shadows cyber security experts. The lure is North Korean refugees, and the campaign exploits cloud-related platforms to distribute malware, evade detection, and minimize the group's footprint, a popular tactic of the Pyongyang APT. Furthermore, because the spear phishing emails contained hyperlinks that led to malicious files rather than attachments, they were able to bypass many security tools, as there were no attachments to be analyzed and deemed malicious. This campaign marked APT37's first appearance since Microsoft seized 50 of the group's web domains in December 2019. Despite that recent setback, the group clearly remains persistent and committed to gathering foreign intelligence.
ESRC cyber security experts: how North Korea's chain of infection works
According to the ESTsecurity Security Response Center (ESRC), the campaign has been dubbed "Operation Spy Cloud" and is the work of Geumseong121, probably a sub-group of APT37. Once victims click through the links to the malicious documents, which range from .doc and .xls to .hwp (a word processor format used by the Korean government), the North Korean attackers also distribute malicious Visual Basic for Applications (VBA) macro files to them. The malware then connects to the attackers' command and control server, Google Drive, and attempts to share system information to PickCloud. Once a victim reaches this step, the attackers may also try to install additional backdoors, according to the researchers. The campaign includes both Windows- and Android-based components.
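As an added illustration (not from the ESRC report or this article), a Python sketch of two defender-side checks against the chain described above: flag email hyperlinks whose target is one of the lure document types named here (.doc, .xls, .hwp), and flag process-network log lines in which an Office or HWP process connects to Google Drive. The log line format, the host list and the process names are assumptions; the sample email body and log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Lure document types named in the report (detection rule is ours, not ESRC's).
LURE_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".hwp"}
# Assumed: document-handling processes that should not talk to cloud storage themselves.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "hwp.exe"}
# Assumed: cloud storage host used as C2 in the report (Google Drive).
CLOUD_C2_HOSTS = {"drive.google.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Constructed log format: '<timestamp> <process> -> <host>:<port>'
LOG_RE = re.compile(r"\S+ (\S+) -> ([^:\s]+):\d+")


def suspicious_links(email_body):
    """Return hyperlinks whose URL path ends in a lure document extension.

    Link-based delivery leaves no attachment for mail filters to scan, so the
    link target itself is the earliest point at which the lure can be caught.
    """
    hits = []
    for url in URL_RE.findall(email_body):
        url = url.rstrip(".,;)")  # drop trailing punctuation from prose
        path = urlparse(url).path.lower()
        if any(path.endswith(ext) for ext in LURE_EXTENSIONS):
            hits.append(url)
    return hits


def office_cloud_connections(log_lines):
    """Return log lines where an Office/HWP process connects to a cloud C2 host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not follow the assumed format
        proc, host = m.group(1).lower(), m.group(2).lower()
        if proc in OFFICE_PROCESSES and host in CLOUD_C2_HOSTS:
            hits.append(line)
    return hits


# Constructed sample input.
SAMPLE_EMAIL = ("Please review the questionnaire at "
                "http://example.invalid/files/survey_2020.hwp and the schedule "
                "at http://example.invalid/schedule.html.")
SAMPLE_LOG = [
    "2020-04-01T09:12:03Z winword.exe -> drive.google.com:443",
    "2020-04-01T09:12:05Z chrome.exe -> drive.google.com:443",
    "2020-04-01T09:13:10Z hwp.exe -> drive.google.com:443",
]
```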