May 03, 2022

APT37 Targeting Journalists and Researchers

Industry: Media | Level: Tactical | Source: Stairwell

NK News, an American news outlet reporting on activities in North Korea, has identified a set of suspicious spear-phishing emails as a threat campaign by the North Korean threat group APT37 (Ricochet Chollima). The campaign appears to target journalists and researchers reporting on sensitive issues within the country. In March 2022 the news organization engaged Stairwell’s cybersecurity team, which discovered a new malware family named GOLDBACKDOOR.

The threat group employs a multi-stage infection process to evade defenses. A compressed file attached to the suspicious email contains Windows LNK (shortcut) files. When a shortcut file is executed, it launches a PowerShell script that presents a decoy document to distract the victim while downloading and executing malicious shellcode. The downloaded payload, Fantasy, then performs process injection to deploy the GOLDBACKDOOR malware. GOLDBACKDOOR is identified as a Windows Portable Executable (PE) file with a creation timestamp of February 9th, 2022, 02:38:30 UTC. As analyzed by Stairwell, “Embedded in the analyzed copy of GOLDBACKDOOR is a set of API keys used to authenticate against Azure and retrieve commands for execution. Received commands are prefixed with a single-character value, which denotes the corresponding task requested of the malware. GOLDBACKDOOR provides attackers with basic remote command execution, file downloading/uploading, keylogging, and the ability to remotely uninstall.”

  • Anvilogic Scenario: APT37 – GOLDBACKDOOR – Initial Infection
  • Anvilogic Use Cases:
    • Compressed File Execution
    • Symbolic OR Hard File Link Created
    • Suspicious Executable by CMD.exe
    • Invoke-Expression Command
    • Rare Remote Thread
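The use cases above are individually noisy; the value of the scenario is that several of them fire on the same host within a short window, in the order the infection chain runs (archive → LNK target via cmd.exe → PowerShell with Invoke-Expression → remote thread into another process). The following is an added illustration of that correlation logic, not Stairwell's or Anvilogic's code. The event schema, the field names, the tag names, the allowlists and every sample log line are constructed for the example; real Sysmon or EDR telemetry has different field names and needs mapping before any of this is reused.

```python
"""Toy correlation of the GOLDBACKDOOR initial-infection use cases over
constructed process-creation and remote-thread events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Event:
    """Hypothetical normalized telemetry record (constructed schema)."""
    ts: datetime
    host: str
    kind: str            # "process" (creation) or "remote_thread" (CreateRemoteThread-style)
    image: str           # process: new process image; remote_thread: source image
    parent_image: str    # process: parent image;      remote_thread: target image
    cmdline: str = ""


# Constructed reference sets; tune per environment.
ARCHIVE_TOOLS = {"winrar.exe", "7zfm.exe", "7zg.exe", "bandizip.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\public\\")
IEX_RE = re.compile(r"invoke-expression|\biex\b", re.IGNORECASE)
MKLINK_RE = re.compile(r"\bmklink\b", re.IGNORECASE)
# Processes that legitimately create threads in other processes (constructed allowlist).
REMOTE_THREAD_ALLOW = {"csrss.exe", "svchost.exe", "msmpeng.exe", "services.exe"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def tag_event(ev: Event) -> set:
    """Return the set of use-case tags a single event satisfies."""
    tags = set()
    if ev.kind == "process":
        img, parent = basename(ev.image), basename(ev.parent_image)
        if parent in ARCHIVE_TOOLS:                       # Compressed File Execution
            tags.add("compressed_file_execution")
        if parent == "cmd.exe" and (img in SCRIPT_HOSTS   # Suspicious Executable by CMD.exe
                                    or any(p in ev.image.lower() for p in USER_WRITABLE)):
            tags.add("suspicious_executable_by_cmd")
        if img in SCRIPT_HOSTS and IEX_RE.search(ev.cmdline):   # Invoke-Expression Command
            tags.add("invoke_expression_command")
        if MKLINK_RE.search(ev.cmdline):                  # Symbolic OR Hard File Link Created
            tags.add("file_link_created")                 # (approximated via cmd's mklink)
    elif ev.kind == "remote_thread":
        src = basename(ev.image)
        if src not in REMOTE_THREAD_ALLOW and src != basename(ev.parent_image):
            tags.add("rare_remote_thread")                # Rare Remote Thread
    return tags


def correlate(events, window=timedelta(minutes=10), min_tags=3):
    """Raise one alert per host when >= min_tags distinct use cases fire within `window`."""
    alerts = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        tagged = [(ev.ts, tag_event(ev)) for ev in evs]
        tagged = [(ts, t) for ts, t in tagged if t]       # keep only events that matched
        for i, (start, _) in enumerate(tagged):
            seen, end = set(), start
            for ts, t in tagged[i:]:                      # sliding window from this event
                if ts - start > window:
                    break
                seen |= t
                end = ts
            if len(seen) >= min_tags:
                alerts.append({"host": host, "first_seen": start,
                               "last_seen": end, "tags": sorted(seen)})
                break                                     # one alert per host is enough for triage
    return alerts


# Constructed sample telemetry: WS01 shows the chain, WS02 shows benign look-alikes.
T0 = datetime(2022, 3, 10, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "WS01", "process", r"C:\Windows\System32\cmd.exe",
          r"C:\Program Files\WinRAR\WinRAR.exe",
          'cmd.exe /c powershell.exe -WindowStyle Hidden -Command "IEX $script"'),
    Event(T0 + timedelta(seconds=2), "WS01", "process",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\cmd.exe",
          'powershell.exe -WindowStyle Hidden -Command "IEX $script"'),
    Event(T0 + timedelta(seconds=5), "WS01", "remote_thread",
          r"C:\Users\analyst\AppData\Local\Temp\stage2.exe",   # hypothetical loader name
          r"C:\Windows\explorer.exe"),
    Event(T0 + timedelta(seconds=60), "WS02", "remote_thread",
          r"C:\Windows\System32\svchost.exe", r"C:\Windows\explorer.exe"),
    Event(T0 + timedelta(seconds=61), "WS02", "process",
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Program Files\7-Zip\7zFM.exe", '"WINWORD.EXE" /n quarterly.docx'),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints a single alert for WS01 carrying four of the five tags; WS02 never reaches the threshold because an allowlisted svchost.exe thread produces no tag and a document opened straight from 7-Zip matches only one use case. Raising `min_tags` or shortening `window` trades recall for precision; the point of the scenario is that no single use case has to be tuned to zero false positives on its own.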