Dark Reading is part of the Informa Tech Division of Informa PLC
North Korean Group Leverages Rarely Used Technique to Deliver Malware

APT37's VBA self-decoding method is hard to detect and stop, Malwarebytes says.

Researchers at Malwarebytes recently discovered North Korean advanced persistent threat group APT37 using what the security vendor describes as a method it has not seen other groups use before to distribute malware.

APT37 (aka ScarCruft, Reaper, and Group123) has been primarily targeting victims in South Korea since at least 2012. In the past, the threat actor has typically embedded its malware in South Korean word-processing app Hangul Office documents and distributed it to victims via weaponized emails.


Malwarebytes says its recent analysis of a malicious file that APT37 used in a campaign last year shows the threat actor has switched tactics: instead of a Hangul Office document, it used a self-decoding VBA macro in a Microsoft Office file to deliver malware to target systems.

In the file that Malwarebytes analyzed, the threat actor had encoded a malicious macro inside another macro, which then decoded and executed it dynamically in Microsoft Office memory, without writing anything to disk.

This is the first time APT37 has used the VBA self-decoding technique to weaponize its malicious document, says Hossein Jazi, senior threat intelligence analyst at Malwarebytes.

"This is a really uncommon method used by this actor to deliver its payload," he says.

The final payload in this case was a variant of RokRat — a cloud-based remote access tool that has long been attributed to APT37.

Jazi says this is the first time Malwarebytes has observed any threat actor use the self-decoding technique; the reason it is important is because targeted organizations can have a hard time detecting such attacks.

Usually macros are only obfuscated, he says. Self-decoding requires a second macro, a so-called unpacker stub, to decode the encoded macro, create a new macro within the memory space of the Microsoft Office document, and then execute that created macro to carry out the main malicious activity.

"This is something that we have not seen in APT campaigns," Jazi says.

Because the main malicious macro is decoded and executed dynamically, defenders have a hard time understanding both the intent of the attack and how it is being executed.

"This technique can easily confuse static and signature-based detections since these methods can only have access to the decoder macro or unpacker stub, and not the malicious one," he says.
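The unpacker stub described above has to do two things that ordinary business macros almost never do: write new code into the document's VBA project at run time (through the VBA extensibility object model, i.e. VBProject, VBComponents, CodeModule and methods such as AddFromString or InsertLines) and then start that code dynamically. Even when the real payload is never visible to a static scanner, those stub characteristics are. The script below is an added example, not code from the article or from Malwarebytes; it is a triage heuristic that scores extracted VBA source (for instance the output of oletools' olevba) for exactly those stub traits, and the two VBA samples it ships with are constructed, inert fixtures for the detector, not a working decoder. The weights and the 100-character literal threshold are my assumptions.

```python
import re
from typing import Dict, List

# Indicator name, regex over VBA source, weight. Weights are assumptions chosen so
# that writing code into the VBA project dominates the score; Chr/Mid/Xor on their
# own are common in legitimate macros and only nudge it.
INDICATORS = [
    # VBA extensibility object model: rebuilding a macro in memory needs these
    ("vba_project_access", r"\bVBProject\b", 3),
    ("vbcomponents", r"\bVBComponents\b", 3),
    ("codemodule", r"\bCodeModule\b", 3),
    ("addfromstring", r"\bAddFromString\b", 4),
    ("insertlines", r"\bInsertLines\b", 4),
    ("createeventproc", r"\bCreateEventProc\b", 3),
    # dynamic execution of code a static scanner never sees
    ("application_run", r"\bApplication\.Run\b", 2),
    ("callbyname", r"\bCallByName\b", 2),
    # decoding primitives typically used by an unpacker stub
    ("chr", r"\bChr[W$]?\s*\(", 1),
    ("xor", r"\bXor\b", 1),
    ("strreverse", r"\bStrReverse\b", 1),
    ("mid", r"\bMid\$?\s*\(", 1),
    # auto-execution entry points
    ("auto_exec", r"\b(?:AutoOpen|AutoExec|Document_Open|Workbook_Open)\b", 1),
]

BUILDS_CODE = {"addfromstring", "insertlines", "createeventproc"}
RUNS_CODE = {"application_run", "callbyname"}
LONG_LITERAL_MIN = 100  # assumed: a quoted literal this long is more likely a blob than a message


def find_indicators(vba_source: str) -> Dict[str, int]:
    """Return {indicator_name: weight} for every indicator present in the source."""
    return {name: weight for name, pattern, weight in INDICATORS
            if re.search(pattern, vba_source, flags=re.IGNORECASE)}


def long_string_literals(vba_source: str) -> List[str]:
    """VBA string literals are double-quoted, with "" as an escaped quote."""
    return [m.group(1) for m in re.finditer(r'"((?:[^"]|"")*)"', vba_source)
            if len(m.group(1)) >= LONG_LITERAL_MIN]


def score_macro(vba_source: str) -> dict:
    """Score one VBA module and flag the unpacker-stub pattern:
    code is written into the project AND (it is run dynamically OR a large blob is embedded)."""
    hits = find_indicators(vba_source)
    blobs = long_string_literals(vba_source)
    builds_code = bool(BUILDS_CODE & hits.keys())
    runs_code = bool(RUNS_CODE & hits.keys())
    return {
        "score": sum(hits.values()) + (2 if blobs else 0),
        "indicators": sorted(hits),
        "long_literals": len(blobs),
        "self_decoding": builds_code and (runs_code or bool(blobs)),
    }


# Constructed fixtures (not real samples). The second only has the *shape* of a stub:
# the decode line is a placeholder, the blob is repeated filler, and nothing is executed.
BENIGN_VBA = (
    "Sub Document_Open()\n"
    "    ' constructed benign macro: fills a header field\n"
    '    ActiveDocument.Sections(1).Headers(1).Range.Text = "Meeting agenda"\n'
    "End Sub\n"
)

SUSPICIOUS_VBA = (
    "Sub AutoOpen()\n"
    "    ' constructed sample with the shape of an unpacker stub (inert, not a working decoder)\n"
    "    Dim blob As String, code As String\n"
    '    blob = "' + "4D5A" * 30 + '"\n'
    "    code = Chr(Mid(blob, 1, 2) Xor 7)   ' placeholder decode step\n"
    "    Set m = ActiveDocument.VBProject.VBComponents.Add(1)\n"
    "    m.CodeModule.AddFromString code\n"
    '    Application.Run "Main"\n'
    "End Sub\n"
)

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_VBA), ("suspicious", SUSPICIOUS_VBA)):
        print(label, score_macro(src))
```

Run it as-is and the benign macro scores 1 with no self-decoding verdict, while the stub-shaped sample scores 21 and is flagged. In practice the input would be the macro source extracted from a suspect document, and a hit on the "self_decoding" verdict is a reason to detonate the file in a sandbox, where the decoded macro actually exists, rather than trusting a static signature. A complementary control: run-time writes to the VBA project require the Office trust-center setting "Trust access to the VBA project object model" (registry value AccessVBOM) to be enabled, so keeping it disabled on endpoints makes this class of stub fail before it can create the second macro.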

In a report this week, Malwarebytes described APT37 as using the self-decoding technique in an attack back in January 2020. The malware was hidden in a document purporting to be a meeting request and was likely used to target a South Korean government organization.

MITRE and other groups that have tracked APT37 for a long time consider the threat actor to be working on behalf of the North Korean government. It has been associated with numerous campaigns, mostly in South Korea — and in recent years in multiple other countries, including Japan, Russia, China, and India. The group's known campaigns include Operation Daybreak, which targeted high-profile victims using a zero-day Flash Player exploit; Operation Erebus, a campaign that used watering-hole attacks to deliver Adobe Flash Player exploits; and Evil New Year 2018, an information-theft campaign that once again involved zero-day exploits.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
