Threat actors are running a covert campaign that weaponizes a legitimate-looking PDF document, titled “국가정보연구회 소식지 (52호)” (National Intelligence Research Society Newsletter – Issue 52), alongside a malicious Windows shortcut (LNK) file named 국가정보연구회 소식지(52호).pdf.LNK.
The attackers distribute both files together, either within the same archive or as seemingly related attachments.
When victims open the LNK file, it silently executes a PowerShell payload that downloads and runs additional malware, allowing the attackers to gain a foothold on the target system.
The primary targets appear to be individuals associated with the National Intelligence Research Association, including academics, former government officials, and researchers.
The adversaries aim to steal sensitive information, establish persistence, and conduct long-term espionage.
Evidence points to the involvement of APT-37 (also known as InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper, or Ricochet Chollima), a North Korean state-sponsored cyber espionage group active since at least 2012.


Although APT-37 typically focuses on South Korea, its operations have also affected Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and several Middle Eastern countries.
The infection chain begins when a user opens the LNK file.
A Procmon trace reveals that embedded PowerShell scripts extract several payloads from within the .LNK itself.
Specifically, the script reads binary data from predefined offsets: 0x0000102C for the decoy PDF, 0x0007EDC1 for a loader binary, 0x0015A851 for scripting commands, and 0x0015AED2 for the final payload.
These fragments are reconstructed into separate files (aio0.dat, aio1.dat, aio2.dat, and aio1+3.b+la+t) in the %TEMP% directory.
A batch file (aio03.bat) then invokes PowerShell Invoke-Command to load the final payload entirely in memory, exemplifying fileless execution via reflective DLL injection.
The in-memory stage decodes the XOR-encrypted executable (aio01.dat) using a single-byte key (0x35), allocates executable memory with GlobalAlloc and VirtualProtect, and launches a new thread via CreateThread.
Analysis of the extracted executable reveals classic ROKRAT malware behaviors: host fingerprinting (including WOW64 checks, computer name, BIOS information), anti-VM file creation tests, screenshot capture routines, and a set of single-character commands for remote shellcode execution, file exfiltration, system enumeration, and remote command execution.
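The loader pattern described above (a shortcut that is really a container for a decoy PDF and a single-byte-XOR-encoded executable) leaves artefacts an analyst can check for without running anything. The following is an added example written for this page, not Seqrite's or the malware author's code: it recognises a Shell Link header, looks for an embedded PDF past the header, and recovers a single-byte XOR key by searching for the DOS stub string under every possible key, then confirming the MZ and PE signatures. The sample shortcut, the 64 KiB size threshold and the 0x1000/0x2000 payload offsets are constructed for the demo; only the 0x35 key comes from the report.

```python
"""Triage an oversized .LNK that carries embedded payloads at fixed offsets.

Added example (not from the report). Sample shortcut, size threshold and
payload offsets are constructed; the XOR key 0x35 is the one described.
"""
import struct
from typing import Dict, Optional, Tuple

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as it is laid out on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DOS_STUB = b"This program cannot be run in DOS mode"
SIZE_THRESHOLD = 64 * 1024  # assumption: a genuine shortcut is rarely this large


def is_lnk(data: bytes) -> bool:
    """Shell Link header: HeaderSize == 0x4C followed by the LinkCLSID."""
    return (len(data) >= LNK_HEADER_SIZE
            and data[:4] == struct.pack("<I", LNK_HEADER_SIZE)
            and data[4:20] == LNK_CLSID)


def find_embedded_pdf(data: bytes) -> int:
    """Offset of a PDF signature after the LNK header, or -1 if absent."""
    return data.find(b"%PDF-", LNK_HEADER_SIZE)


def recover_xor_key(data: bytes) -> Optional[Tuple[int, int]]:
    """Find a single-byte XOR key hiding a PE image.

    The DOS stub string becomes a fixed byte pattern per key, so try all 256
    keys against it, then confirm 'MZ' and the PE signature under that key.
    Returns (key, offset_of_MZ) or None.
    """
    for key in range(256):
        needle = bytes(c ^ key for c in DOS_STUB)
        pos = data.find(needle)
        if pos < 0:
            continue
        start = data.rfind(bytes(c ^ key for c in b"MZ"), 0, pos)
        if start < 0 or start + 0x40 > len(data):
            continue
        dos_header = bytes(b ^ key for b in data[start:start + 0x40])
        e_lfanew = struct.unpack_from("<I", dos_header, 0x3C)[0]
        sig = bytes(b ^ key for b in data[start + e_lfanew:start + e_lfanew + 4])
        if sig == b"PE\x00\x00":
            return key, start
    return None


def triage(data: bytes) -> Dict[str, object]:
    """Combine the checks into one verdict for a candidate shortcut."""
    hit = recover_xor_key(data)
    report: Dict[str, object] = {
        "is_lnk": is_lnk(data),
        "size": len(data),
        "oversized": len(data) > SIZE_THRESHOLD,
        "pdf_offset": find_embedded_pdf(data),
        "xor_key": hit[0] if hit else None,
        "pe_offset": hit[1] if hit else None,
    }
    report["suspicious"] = bool(report["is_lnk"]) and (
        bool(report["oversized"]) or report["pdf_offset"] != -1 or hit is not None)
    return report


def build_fake_pe() -> bytes:
    """MZ/PE-shaped blob for the demo (constructed; not a runnable executable)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)        # e_lfanew points at the PE signature
    dos[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_lnk(key: int = 0x35, pdf_offset: int = 0x1000, pe_offset: int = 0x2000) -> bytes:
    """Constructed shortcut: valid header, zero padding, decoy PDF, XOR-encoded PE."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    body = bytearray(header + b"\x00" * (SIZE_THRESHOLD + 0x1000 - len(header)))
    pdf = b"%PDF-1.7\n%decoy newsletter (constructed)\n%%EOF\n"
    body[pdf_offset:pdf_offset + len(pdf)] = pdf
    encoded = bytes(b ^ key for b in build_fake_pe())
    body[pe_offset:pe_offset + len(encoded)] = encoded
    return bytes(body)


if __name__ == "__main__":
    for name, value in triage(build_sample_lnk()).items():
        print(f"{name:>11}: {value}")
```

The stub-string search is what makes the key recovery cheap: 256 substring searches over the file instead of decoding the whole blob under each key. On a real sample the carved offsets would replace the constructed ones, but the verdict logic (LNK header plus a PDF or PE hiding inside it) stays the same.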

The payload exfiltrates documents (e.g., .doc, .xls, .ppt, .pdf, .hwp) by mimicking legitimate browser file uploads to a hardcoded C2 endpoint at daily.alltop.asia, then deletes local copies to cover its tracks.
Campaign 2 features a similar LNK-based delivery using a decoy document attributed to Kim Yō-jong’s July 28 statement reported by KCNA.
The .LNK drops a Word document (file.doc) and launches a highly obfuscated PowerShell loader via tony33.bat and tony32.dat, which double-decodes a Base64 payload into an XOR-encrypted binary stored in tony31.dat.
Once decoded using key 0x37, the payload executes directly in memory, downloads additional components such as abs.tmp from cloud storage, and persists via scheduled tasks before cleaning up staging files.
Throughout both campaigns, APT-37 leverages public cloud services (Dropbox, pCloud, and Yandex.Disk) to host C2 channels.
The malware uses legitimate API endpoints for listing, uploading, downloading, and deleting files, blending malicious traffic with normal cloud interactions.
This stealthy approach underscores the group’s advanced tradecraft and ability to evade traditional security controls.
Seqrite Lab has dubbed this operation HanKook Phantom, combining “HanKook” (한국, Korea) with “Phantom” to reflect both the geographical focus and the stealthy, evasive techniques employed.
HanKook Phantom illustrates how state-sponsored actors continue to refine spear-phishing methodologies, weaponize everyday file formats, and embrace fileless execution to maintain long-term access.
Defenders must adopt proactive monitoring of LNK-based threats, enhance detection of in-memory execution patterns, and scrutinize outbound HTTP uploads for anomalies in file type and MIME headers.
Only through layered defenses and threat intelligence sharing can organizations mitigate the persistent danger posed by APT-37’s evolving arsenal.
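The exfiltration described earlier (stolen documents sent as if they were ordinary browser file uploads) and the closing recommendation to scrutinize outbound HTTP uploads for file-type and MIME anomalies both come down to one check: does the content of each uploaded part agree with the Content-Type and filename it is labelled with? The following is an added example written for this page, not Seqrite's code. It splits a multipart/form-data body, sniffs each file part by its leading bytes, and flags document content (PDF, OLE2, ZIP-based Office, HWP) travelling under an image type or a non-document extension. The boundary string, filenames and file bytes are constructed for the demo; the magic-number table is standard.

```python
"""Flag outbound multipart uploads whose declared type and file content disagree.

Added example (not from the report). Boundary, filenames and file bytes are
constructed; the magic-number table is the standard one.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (leading bytes, sniffed type). OLE2 covers legacy .doc/.xls/.ppt and HWP 5.x;
# ZIP covers the OOXML formats; "HWP Document File" is the HWP 3.x header.
MAGIC: List[Tuple[bytes, str]] = [
    (b"%PDF-", "application/pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/x-ole-storage"),
    (b"PK\x03\x04", "application/zip"),
    (b"HWP Document File", "application/x-hwp"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]
DOCUMENT_TYPES = {"application/pdf", "application/x-ole-storage", "application/zip", "application/x-hwp"}
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".hwp"}


@dataclass
class Part:
    filename: Optional[str]   # None for a plain form field
    declared: str             # Content-Type the sender claimed, lower-cased
    data: bytes


def sniff(data: bytes) -> str:
    """Content type from leading bytes; octet-stream when nothing matches."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "application/octet-stream"


def parse_multipart(content_type: str, body: bytes) -> List[Part]:
    """Minimal multipart/form-data splitter (CRLF framing, no nested multiparts)."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no boundary parameter in Content-Type")
    delimiter = b"--" + m.group(1).encode()
    parts: List[Part] = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):                 # closing delimiter
            break
        raw_headers, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in raw_headers.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        fn = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        parts.append(Part(
            filename=fn.group(1) if fn else None,
            declared=headers.get("content-type", "").split(";")[0].strip().lower(),
            data=data[:-2] if data.endswith(b"\r\n") else data,
        ))
    return parts


def inspect_upload(content_type: str, body: bytes) -> List[str]:
    """One finding per file part carrying document content under a non-document disguise."""
    findings: List[str] = []
    for part in parse_multipart(content_type, body):
        if part.filename is None:
            continue
        actual = sniff(part.data)
        ext = ("." + part.filename.rsplit(".", 1)[-1].lower()) if "." in part.filename else ""
        if actual in DOCUMENT_TYPES and (part.declared.startswith("image/") or ext not in DOCUMENT_EXTS):
            findings.append(f"{part.filename}: {actual} content declared as "
                            f"{part.declared or 'unspecified'} with extension {ext or 'none'}")
    return findings


BOUNDARY = "----WebKitFormBoundaryDEMO0001"         # constructed


def build_part(name: str, filename: str, ctype: str, data: bytes) -> bytes:
    """Encode one file part the way a browser form upload would."""
    head = (f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'
            f"Content-Type: {ctype}\r\n\r\n")
    return head.encode() + data + b"\r\n"


def build_sample_request() -> Tuple[str, bytes]:
    """Constructed upload: a genuine JPEG, then an OLE2 document disguised as a JPEG."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    body = (build_part("photo", "holiday.jpg", "image/jpeg", jpeg)
            + build_part("photo", "scan.jpg", "image/jpeg", ole)
            + f"--{BOUNDARY}--\r\n".encode())
    return f"multipart/form-data; boundary={BOUNDARY}", body


if __name__ == "__main__":
    for finding in inspect_upload(*build_sample_request()):
        print("ALERT", finding)
```

Run at a proxy or egress sensor that sees decrypted HTTP, this check does not depend on knowing the C2 host: an OLE2 or HWP blob labelled image/jpeg is anomalous wherever it is going, which is exactly the kind of file-type versus MIME-header disagreement the report tells defenders to look for.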