@cyberpress.org //
The North Korea-linked threat group APT37 has been identified as the perpetrator of a sophisticated spear phishing campaign targeting activists and organizations focused on North Korean affairs. Genians Security Center researchers analyzed the campaign, dubbed "Operation: ToyBox Story," which involved the use of fake academic forum invites from a South Korean national security think tank to lure victims. The attackers leveraged Dropbox to deliver malicious LNK files, demonstrating an evolution in their attack methodology.

The spear phishing emails were cleverly disguised as invitations and information from a legitimate South Korean national security think tank, referencing real-world events such as "Trump 2.0 Era: Prospects and South Korea’s Response" to enhance credibility. These emails contained Dropbox links leading to compressed ZIP archives, which, upon extraction, harbored malicious shortcut (LNK) files. When a user opens the malicious LNK file, it initiates a multi-stage malware loader chain.

The campaign highlighted APT37's ongoing use of trusted cloud platforms like Dropbox as command and control (C2) infrastructure, a tactic known as "Living off Trusted Sites" (LoTS). This approach allows the attackers to blend malicious traffic with legitimate cloud service activity, complicating detection and response efforts. The malicious LNK files are designed to execute hidden PowerShell commands, which deploy a decoy document while simultaneously creating hidden files and ultimately injecting shellcode directly into memory to install a variant of the RoKRAT malware family. RoKRAT collects system information and allows for further exploitation of the victim's system.
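As an added defender-side example (not code from the cyberpress or Genians write-ups), the parser below reads the StringData of a Windows shortcut and flags the traits the article attributes to the campaign's LNK files: a PowerShell target, a hidden or minimised window, and an encoded command. The heuristics, field names and the fixture shortcut are assumptions for illustration; the article does not publish the actual LNK contents.

```python
import re
import struct

# LinkFlags bits and the ShowCommand value of interest, from the MS-SHLLINK spec.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # window opens minimised and inactive: a quiet-launch hint
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS), ("icon", HAS_ICON))

def parse_lnk(data: bytes) -> dict:
    """Read the ShellLinkHeader, skip LinkTargetIDList/LinkInfo, return the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_ID_LIST:    # uint16 IDListSize, then the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # uint32 LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    for name, bit in STRING_FIELDS:  # each: uint16 CountCharacters + string, no NUL
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return fields

def lnk_findings(data: bytes) -> list:
    """Reasons a shortcut looks like a PowerShell loader (assumed heuristics); [] means clean."""
    f = parse_lnk(data)
    cmd = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    hits = []
    if re.search(r"powershell|pwsh", cmd):
        hits.append("target is PowerShell")
    if re.search(r"-w(indowstyle)?\s+hidden", cmd) or f["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("window hidden or minimised")
    if re.search(r"-e(c|nc|ncodedcommand)?\s", cmd):
        hits.append("encoded command")
    return hits

def build_test_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Constructed fixture only: a minimal ShellLink with RELATIVE_PATH and ARGUMENTS set."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")
    header = struct.pack("<I16sIIQQQIII", 0x4C, clsid, HAS_REL_PATH | HAS_ARGS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, show_command) + b"\x00" * 12  # HotKey + Reserved
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                             for s in (relative_path, arguments))
```

Run `lnk_findings` over shortcuts extracted from inbound archives; any non-empty result is worth a closer look before the file reaches a user.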


References:
  • cyberpress.org: The North Korea-linked threat group APT37 launched a sophisticated spear phishing campaign targeting activists and organizations focused on North Korean affairs. The attackers disguised their emails as invitations and information from a South Korean national security think tank, referencing real-world events such as “Trump 2.0 Era: Prospects and South Korea’s Response” to enhance credibility. These
  • www.genians.co.kr: Genians Security Center (GSC) researchers analyse APT37's “Operation: ToyBox Story”, in which the group used fake academic forum invites from a South Korean security think tank to lure victims and delivered malicious LNK files via the Dropbox cloud platform.
Classification:
  • HashTags: #APT37 #SpearPhishing #Dropbox
  • Company: Genians Security Center
  • Target: Activists and organizations
  • Attacker: APT37
  • Product: Dropbox
  • Type: Hack
  • Severity: Major