Digital Shadows: APT37 is back with a new cyber espionage spear phishing campaign. It exploits cloud-related platforms to distribute malware, evade detection, and minimize the group’s footprint
APT37, after a period of inactivity, has launched a new spear phishing cyber espionage campaign. It has been announced by Digital Shadows cyber security experts. The lure are North Korean refugees and the campaign exploited cloud-related platforms. This to distribute malware, evade detection, and minimize the group’s footprint, a popular tactic of the Pyongyang’s APT. Furthermore, because the spear phishing emails contained hyperlinks that led to malicious files, the emails were able to bypass many security tools, as there were no attachments to be analyzed and deemed malicious. This campaign marked APT37’s first appearance since Microsoft seized 50 of the group’s web domains in December 2019. Despite that recent setback, it clearly remains persistent and committed to gathering foreign intelligence.
ESRC cyber security experts: How the North Korea’s chain of infection works
According to the ESTsecurity Security Response Center (ESRC), the campaign has been dubbed“Operation Spy Cloud” and is the work of Geumseong121, probably a sub-group of APT37. Once the victims click through the links and malicious documents, which range from .doc, .xls, to .hwp — a word processor format used by the Korean government — the North Korean attackers also distribute malicious Visual Basic for Applications (VBA) macro files to victims. The malware then connects to the attackers’ command and control server, Google Drive, and attempts to share system information to PickCloud. Once a user gets to this step, attackers may also try to install additional backdoors, according to the researchers. The campaign includes both Windows- and Android-based components.