APT37 Breaches Air-Gapped Networks with New Malware

Summary
– The Ruby Jumper cyber campaign, attributed to North Korean state-backed group APT37, uses new tools to breach air-gapped systems and spread via removable drives.
– The attack begins with a malicious Windows shortcut file that deploys a PowerShell script, loading the RESTLEAF implant to communicate with command-and-control servers.
– A key component, SNAKEDROPPER, installs a disguised Ruby environment to download further malware like the THUMBSBD backdoor and VIRUSTASK spreader.
– THUMBSBD turns USB drives into covert communication relays, allowing data theft from and command delivery to isolated networks, while VIRUSTASK infects new machines via those drives.
– Researchers attribute the campaign to APT37 with high confidence based on malware signatures, infrastructure, and decoy documents aligning with the group’s known targets.
A sophisticated cyber espionage campaign is actively targeting organizations with air-gapped networks, a critical security measure used in sensitive environments. North Korean state-sponsored hackers, tracked as APT37, are deploying a novel toolkit named Ruby Jumper to breach isolated systems. This operation leverages removable USB drives to create a covert bridge between internet-connected and physically segregated networks, enabling both data theft and the delivery of malicious commands.
The campaign utilizes a chain of five distinct malicious tools. The infection typically begins when a user opens a malicious Windows shortcut file (LNK), which executes a PowerShell script. This script deploys the malware while displaying a decoy document, an Arabic translation of a North Korean newspaper article, to avoid raising suspicion. The first payload, RESTLEAF, establishes communication with the attacker’s command-and-control servers, often using the legitimate cloud service Zoho WorkDrive for camouflage.
From there, RESTLEAF fetches encrypted shellcode to download SNAKEDROPPER, a loader written in the Ruby programming language. The attackers ingeniously install the entire Ruby 3.3.0 runtime environment on the victim’s machine, disguising it as a USB utility. A scheduled task ensures the malicious Ruby code runs automatically every five minutes. This setup then downloads two key components: the THUMBSBD backdoor and the VIRUSTASK malware.
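The persistence step described above (an interpreter dropped in a non-standard location and fired by a scheduled task every five minutes) leaves a recognisable trace in the task's XML definition. The following is an added example for defenders, not code from the Ruby Jumper report or from the researchers who published it: it triages exported Task Scheduler XML and flags tasks whose action is a Ruby binary outside Program Files running on a short repetition interval. The task definitions, paths and file names below are constructed samples, and the "Program Files" allow-list is an assumption about where a legitimately installed interpreter would live.

```python
"""Triage exported Windows Scheduled Task XML for the persistence pattern described above.

Added example, not code from the Ruby Jumper report. All task definitions, paths and
file names below are constructed samples, not artefacts from the campaign.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Task Scheduler XML namespace (real, used by every exported task definition).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreter binaries that rarely appear as task actions on an ordinary workstation.
RUBY_BINARIES = {"ruby.exe", "rubyw.exe"}
# Assumption: a legitimately installed interpreter lives under one of these prefixes.
EXPECTED_PREFIXES = ("c:\\program files", "c:\\program files (x86)")


def iso_duration_minutes(value):
    """Convert a Task Scheduler ISO 8601 duration (PT5M, PT1H30M, P1D) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def triage_task_xml(xml_text):
    """Return the task's action, its shortest repetition interval and why it looks suspicious."""
    root = ET.fromstring(xml_text)
    cmd_el = root.find(".//t:Actions/t:Exec/t:Command", NS)
    command = cmd_el.text.strip().strip('"') if cmd_el is not None and cmd_el.text else ""
    args_el = root.find(".//t:Actions/t:Exec/t:Arguments", NS)
    arguments = args_el.text.strip() if args_el is not None and args_el.text else ""

    intervals = [iso_duration_minutes(el.text)
                 for el in root.iterfind(".//t:Repetition/t:Interval", NS) if el.text]
    intervals = [i for i in intervals if i is not None]
    shortest = min(intervals) if intervals else None

    exe = PureWindowsPath(command).name.lower()
    reasons = []
    is_ruby = exe in RUBY_BINARIES
    if is_ruby:
        reasons.append("ruby interpreter as task action")
        if not command.lower().startswith(EXPECTED_PREFIXES):
            reasons.append("interpreter outside Program Files")
    if shortest is not None and shortest <= 5:
        reasons.append(f"repeats every {shortest:g} min")

    return {
        "command": command,
        "arguments": arguments,
        "interval_minutes": shortest,
        # Heuristic: a Ruby action is only flagged when a second indicator backs it up.
        "suspicious": is_ruby and len(reasons) >= 2,
        "reasons": reasons,
    }


# Constructed sample: interpreter under a user-writable path, re-run every five minutes.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Public\\USBUtility\\bin\\rubyw.exe</Command>
      <Arguments>C:\\Users\\Public\\USBUtility\\usb_check.rb</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: ordinary daily job from an installed application.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>P1D</Interval></Repetition>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Program Files\\ExampleBackup\\backup.exe"</Command>
      <Arguments>--quiet</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, triage_task_xml(xml_text))
```

On a live host the XML comes from `schtasks /query /xml` or the `C:\Windows\System32\Tasks` directory; the function is kept free of any host access so it can run against exported definitions in an analysis environment.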
THUMBSBD serves a pivotal function in bridging the air gap. It scouts the system for connected USB drives, creates hidden directories on them, and prepares files for exfiltration. This technique transforms ordinary removable media into a bidirectional covert channel, allowing APT37 to send instructions to and steal data from computers that have no direct internet connection.
Meanwhile, VIRUSTASK is responsible for propagating the infection to other air-gapped machines. It weaponizes USB drives by hiding legitimate files and replacing them with malicious shortcuts. These shortcuts, when opened on a new computer, execute the embedded Ruby interpreter to begin the infection chain anew. The malware is programmed to only activate if the removable drive has at least 2GB of free space, ensuring it has room to operate.
The toolkit also includes FOOTWINE, a powerful Windows spyware backdoor disguised as an Android file. This component provides the attackers with extensive surveillance capabilities, including keylogging, screenshot capture, and audio/video recording. Researchers also identified the use of BLUELIGHT, a full-featured backdoor previously linked to APT37, within the same campaign.
Security analysts attribute the Ruby Jumper campaign with high confidence to the North Korean group APT37, also known as ScarCruft. The evidence includes the use of the BLUELIGHT malware, the reliance on LNK files as an initial vector, a specific two-stage shellcode delivery method, and command-and-control infrastructure patterns consistent with the group’s past operations. The nature of the decoy document further suggests the targets have an interest in North Korean media, aligning with APT37’s typical victim profile in government and research sectors.
(Source: Bleeping Computer)