DistantNews
Support us
Malware Found in 'Academic Data Collection'; North Korea-Linked Hacking Group APT37 Identified
๐Ÿ‡ฐ๐Ÿ‡ท South Korea /Technology

Malware Found in 'Academic Data Collection'; North Korea-Linked Hacking Group APT37 Identified

From Dong-A Ilbo · () Korean

Translated from Korean, summarized and contextualized by DistantNews.

At a glance

News Named sources Under investigation
  • A hacking attack disguised as an academic conference brochure has been detected, targeting researchers and policy institutions.
  • The attackers used a PDF file containing malware, with North Korea-linked hacking group APT37 identified as the likely perpetrator.
  • The malware, a variant of RokRAT, steals user information and documents from infected computers.

A sophisticated phishing campaign has been uncovered, masquerading as an academic conference brochure to lure unsuspecting researchers and policy institutions. Security firm Genians Security Center (GSC) reported on June 13 that the attack, which occurred on May 22, utilized a seemingly legitimate PDF brochure as a delivery mechanism for malware.

The attackers exploited the details of a real academic conference, "Why is Wonsan-Kalma Tourism Important Now?" held at COEX in Seoul. They sent emails impersonating entities related to the unification sector, containing an attachment that appeared to be a PDF brochure. However, the link within the attachment led to a Dropbox download, providing an ISO image file. This file contained an executable disguised with a PDF icon and name, designed to display the actual conference materials upon opening, thereby avoiding suspicion.

This is an attack that uses sophisticated social engineering techniques and a multi-stage payload structure through spear phishing emails impersonating the distribution of actual academic conference materials.

โ€” GeniansDescribing the nature of the attack and the methods employed by the hackers.

Once executed, the malware silently embeds itself into the legitimate Windows process 'explorer.exe,' making it difficult to detect. It operates as a variant of the remote access trojan 'RokRAT.' This malicious software is capable of stealthily collecting operating system information, account details, running processes, and screen captures from the infected computer. Crucially, it can selectively exfiltrate various document types, including Word, Excel, PowerPoint, Hangul, and PDF files.

Genians identified North Korea-linked hacking group APT37 as the likely culprit behind this operation, which they've named "Operation Capsule Vault." The analysis is based on the use of identical accounts from a previous operation, "Operation Artemis," and significant similarities in how the malware processes commands, decrypts information, and communicates with servers. The firm stressed the need for enhanced detection systems that can track the entire attack chain, from initial phishing emails and cloud-based command-and-control communication to malware execution.

It is necessary to have a behavioral-based response system that can detect the entire attack process, including spear phishing emails and cloud-based C2 communication, not just IoC-based detection.

โ€” GeniansRecommending enhanced cybersecurity measures to counter such sophisticated attacks.
DistantNews Editorial

Originally published by Dong-A Ilbo in Korean. Translated, summarized, and contextualized by our editorial team with added local perspective. Read our editorial standards.