1/8/2020 04:15 PM
North Korean Group Leverages Rarely Used Technique to Deliver Malware

APT37's VBA self-decoding method is hard to detect and stop, Malwarebytes says.

Researchers at Malwarebytes recently discovered North Korean advanced persistent threat group APT37 using a malware-distribution method the security vendor says it has not seen any other group use before.

APT37 (aka ScarCruft, Reaper, and Group123) has primarily targeted victims in South Korea since at least 2012. In the past, the threat actor has typically embedded its malware in documents for Hangul Office, a South Korean word-processing application, and distributed them to victims via weaponized emails.

Malwarebytes says its recent analysis of a malicious file that APT37 used in a campaign last year shows the threat actor has switched tactics. Instead of Hangul Office documents, the group used Microsoft Office files with self-decoding VBA macros to deliver malware to target systems.

In the file Malwarebytes analyzed, the threat actor had encoded a malicious macro inside another macro; at run time the outer macro decoded the inner one and executed it in Microsoft Office's memory, without writing it to disk.

This is the first time APT37 has used the VBA self-decoding technique to weaponize its malicious document, says Hossein Jazi, senior threat intelligence analyst at Malwarebytes.

"This is a really uncommon method used by this actor to deliver its payload," he says.

The final payload in this case was a variant of RokRat — a cloud-based remote access tool that has long been attributed to APT37.

Jazi says this is the first time Malwarebytes has observed any threat actor use the self-decoding technique; it matters because targeted organizations can have a hard time detecting such attacks.

Usually, macros are only obfuscated, he says. Self-decoding instead requires a second macro, a so-called unpacker stub, that decodes the encoded macro, creates a new macro within the memory space of the Microsoft Office document, and then executes that created macro to carry out the main malicious activity.

"This is something that we have not seen in APT campaigns," Jazi says.

Because the main malicious macro is decoded and executed dynamically, defenders have a hard time determining both the intent of the attack and how it is being carried out.

"This technique can easily confuse static and signature-based detections since these methods can only have access to the decoder macro or unpacker stub, and not the malicious one," he says.
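One thing static analysis can still see is the stub itself: it has to call the APIs that build and run a macro at run time, and it has to carry the encoded payload somewhere. The script below, an added example that is not from the article or from Malwarebytes' report, scans VBA source for that combination; the indicator lists, thresholds and the sample macros are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed indicator lists derived from the behaviour described above (an
# unpacker stub that decodes text and turns it into a new macro at run time);
# they are assumptions, not taken from Malwarebytes' report.
DYNAMIC_MACRO_APIS = [
    ("VBComponents.Add", r"VBComponents\.Add\b"),
    ("CodeModule.AddFromString", r"\.AddFromString\b"),
    ("CreateEventProc", r"\bCreateEventProc\b"),
    ("Application.Run", r"Application\.Run\b"),
]
DECODER_OPS = [r"\bChr[WB]?\s*\(", r"\bStrReverse\s*\(", r"\bXor\b", r"\bMid\s*\("]

def shannon_entropy(text):
    """Bits per character; encoded or encrypted blobs score high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def analyze_vba(source):
    """Flag VBA that both rebuilds a macro at run time and carries an encoded payload."""
    findings = [f"dynamic-macro:{name}" for name, pat in DYNAMIC_MACRO_APIS
                if re.search(pat, source, re.IGNORECASE)]
    ops = sum(len(re.findall(p, source, re.IGNORECASE)) for p in DECODER_OPS)
    if ops >= 2:  # a decoder loop needs several of these calls
        findings.append(f"decoder-ops:{ops}")
    for lit in re.findall(r'"([^"\r\n]{40,})"', source):  # long string literals
        if shannon_entropy(lit) > 4.0:
            findings.append(f"encoded-blob:len={len(lit)}")
    builds_macro = any(f.startswith("dynamic-macro:") for f in findings)
    has_payload = any(f.startswith(("decoder-ops", "encoded-blob")) for f in findings)
    return {"self_decoding": builds_macro and has_payload, "findings": findings}

# Constructed sample in the shape the article describes: the visible macro
# decodes a blob, adds the result as a new module in memory and runs it.
SAMPLE_STUB = '''Sub AutoOpen()
    Dim blob As String, code As String, i As Long, comp As Object
    blob = "q3B+Wx7LzT0/yPkJ4Ho8vMnF2aRdUe6iGcS1tQb5Yw9KlXZAjVpNhECmufIrOsDg"
    For i = 1 To Len(blob)
        code = code & Chr(Asc(Mid(blob, i, 1)) Xor 7)
    Next i
    Set comp = ActiveDocument.VBProject.VBComponents.Add(1)
    comp.CodeModule.AddFromString code
    Application.Run "Stage2"
End Sub
'''
SAMPLE_BENIGN = 'Sub AutoOpen()\n    MsgBox "Meeting request template"\nEnd Sub\n'
```

Run the analyzer on macro source extracted with a tool such as olevba; a hit on the dynamic-macro APIs alone is worth a look even without a blob, since the payload may be fetched or assembled elsewhere.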

In a report this week, Malwarebytes described APT37's use of the self-decoding technique in an attack in January 2020. The malware was hidden in a document purporting to be a meeting request and was likely used to target a South Korean government organization.

MITRE and other groups that have tracked APT37 for a long time consider the threat actor to be working on behalf of the North Korean government. It has been associated with numerous campaigns, mostly in South Korea — and in recent years in multiple other countries, including Japan, Russia, China, and India. The group's known campaigns include Operation Daybreak, which targeted high-profile victims using a zero-day Flash Player exploit; Operation Erebus, a campaign that used watering-hole attacks to deliver Adobe Flash Player exploits; and Evil New Year 2018, an information-theft campaign that once again involved zero-day exploits.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.