Researchers at Malwarebytes recently discovered North Korean advanced persistent threat group APT37 using what the security vendor describes as a method it has not seen other groups use before to distribute malware.
APT37 (aka ScarCruft, Reaper, and Group123) has been primarily targeting victims in South Korea since at least 2012. In the past, the threat actor has typically embedded its malware in documents for Hangul Office, a South Korean word-processing application, and distributed them to victims via weaponized emails.
Malwarebytes says its recent analysis of a malicious file that APT37 used in a campaign last year shows the threat actor has switched tactics. Instead of Hangul Office documents, the threat actor used self-decoding VBA macros in Microsoft Office files to deliver malware to target systems.
The file that Malwarebytes analyzed showed the threat actor had encoded a malicious macro within another macro, which then dynamically decoded and executed it in Microsoft Office memory, without writing anything to disk.
This is the first time APT37 has used the VBA self-decoding technique to weaponize its malicious document, says Hossein Jazi, senior threat intelligence analyst at Malwarebytes.
"This is a really uncommon method used by this actor to deliver its payload," he says.
The final payload in this case was a variant of RokRat — a cloud-based remote access tool that has long been attributed to APT37.
Jazi says this is the first time Malwarebytes has observed any threat actor use the self-decoding technique; it matters because targeted organizations can have a hard time detecting such attacks.
Usually macros are only obfuscated, he says. Self-decoding requires another macro, a so-called unpacker stub, to decode the encoded macro, create another macro within the memory space of the Microsoft Office document, and then execute that created macro to perform the main malicious activities.
"This is something that we have not seen in APT campaigns," Jazi says.
Since the main malicious macro is decoded and executed dynamically, defenders would have a hard time understanding the main intent of the attack as well as how the attack is being executed.
"This technique can easily confuse static and signature-based detections since these methods can only have access to decoder macro or unpacker stub, and not the malicious one," he says.
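The detection gap Jazi describes is that a static scanner only ever sees the unpacker stub, so a defender has to recognise the stub itself: an encoded blob, a decoding step, in-memory creation of a new macro, and a dynamic call into it. The following added example (not Malwarebytes' tooling or anything from the report) scores extracted VBA source text for exactly those stages; the keyword lists are an assumption drawn from common macro-analysis practice, and the two macro samples are constructed for illustration.

```python
import re
from typing import Dict, List

# Assumed indicator lists (not from the article): APIs that build a macro at
# runtime, APIs that invoke code by name, and common string-decoding helpers.
BUILDS_MACRO = ("VBProject", "VBComponents", "CodeModule", "AddFromString", "InsertLines")
RUNS_MACRO = ("Application.Run", "CallByName", "Eval(")
DECODES_DATA = ("Chr(", "ChrW(", "StrReverse", "Xor", "Mid(", "Replace(", "Split(")
LITERAL_RE = re.compile(r'"([^"\n]*)"')


def longest_literal(src: str) -> int:
    """Length of the longest double-quoted string constant (a likely encoded blob)."""
    return max((len(m.group(1)) for m in LITERAL_RE.finditer(src)), default=0)


def present(src: str, keywords) -> List[str]:
    """Case-insensitive substring match, since VBA keywords are case-insensitive."""
    low = src.lower()
    return [k for k in keywords if k.lower() in low]


def analyze_macro(src: str, min_blob_len: int = 64) -> Dict[str, object]:
    """Flag 'self-decoding' only when all stages of an unpacker stub are present:
    a decoder (or a large literal), in-memory macro creation, and dynamic execution."""
    builds, runs, decodes = present(src, BUILDS_MACRO), present(src, RUNS_MACRO), present(src, DECODES_DATA)
    blob = longest_literal(src)
    if builds and runs and (decodes or blob >= min_blob_len):
        verdict = "self-decoding"
    elif builds or runs:
        verdict = "suspicious"
    else:
        verdict = "benign-ish"
    return {"builds": builds, "runs": runs, "decodes": decodes,
            "longest_literal": blob, "verdict": verdict}


def scan(samples: Dict[str, str]) -> Dict[str, str]:
    """Verdict per named macro source, e.g. as dumped by a macro extractor."""
    return {name: analyze_macro(src)["verdict"] for name, src in samples.items()}


# Constructed samples (not real APT37 code): a stub that assembles a second
# macro at runtime from a filler literal, and an ordinary formatting macro.
STUB = '''Sub AutoOpen()
    Dim blob As String, src As String
    ' constructed filler standing in for an encoded macro body
    blob = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
    src = StrReverse(blob)
    ActiveDocument.VBProject.VBComponents.Add(1).CodeModule.AddFromString src
    Application.Run "Stage2"
End Sub'''
BENIGN = '''Sub FormatReport()
    ActiveDocument.Range.Font.Name = "Calibri"
End Sub'''

if __name__ == "__main__":
    for name, verdict in scan({"stub": STUB, "benign": BENIGN}).items():
        print(f"{name}: {verdict}")
```

Such a check complements, rather than replaces, sandbox detonation: the stub's runtime-built macro is only visible when the document is actually opened.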
In a report this week, Malwarebytes described APT37 as using the self-decoding technique in an attack back in January 2020. The malware was hidden in a document purporting to be a meeting request and was likely used to target a South Korean government organization.
MITRE and other groups that have tracked APT37 for a long time consider the threat actor to be working on behalf of the North Korean government. It has been associated with numerous campaigns, mostly in South Korea — and in recent years in multiple other countries, including Japan, Russia, China, and India. The group's known campaigns include Operation Daybreak, which targeted high-profile victims using a zero-day Flash Player exploit; Operation Erebus, a campaign that used watering-hole attacks to deliver Adobe Flash Player exploits; and Evil New Year 2018, an information-theft campaign that once again involved zero-day exploits.