The Unintentional Leak: A glimpse into the attack vectors of APT37

Summary

At Zscaler ThreatLabz, we have been closely monitoring the tools, techniques and procedures (TTPs) of APT37 (also known as ScarCruft or Temp.Reaper) - a North Korea-based advanced persistent threat actor. This threat actor has been very active in February and March 2023 targeting individuals in various South Korean organizations.

During our threat hunting research, we came across a GitHub repository which is owned by a member of the threat actor group. Due to an operational security (OpSec) failure of the threat actor, we were able to access a wealth of information about the malicious files used by this APT group along with the timeline of their activities dating as far back as October 2020.

Recently, Sekoia shared their findings of the toolset of APT37 here. In our blog, we disclose additional details which we found as a result of our in-depth investigation of the threat actor's GitHub repository.

The large number of samples we identified through the attacker's GitHub repository are not present on OSINT sources such as VirusTotal either. This allowed us to get more insights into this threat actor's previously undocumented attack vectors, motives, targets and the themes used.

In this blog, we will provide a high-level technical analysis of the infection chain, the new loaders we identified and a detailed analysis of the themes used by this APT group, discovered while reviewing the GitHub commit history. Even though the threat actor routinely deletes the files from the repository, we were able to retrieve all the deleted files and do an analysis of them.

Key Takeaways

• APT37 is a North Korea-based advanced persistent threat actor which primarily targets individuals in South Korean organizations.
• Its main objective is cyber espionage and it achieves this through data exfiltration of selected file formats of interest to the threat actor
• It distributes the Chinotto PowerShell-based backdoor using various attack vectors.
• We discovered the GitHub repository of APT37 and uncovered many previously undocumented attack vectors, artifacts and themes used by this group
• File formats abused by APT37 include Windows help file (CHM), HTA, HWP (Hancom office), XLL (MS Excel Add-in) and macro-based MS Office files.
• In addition to distributing malwares, this group is also focused on credential phishing attacks
• The group has resumed its activity in the second half of Jan 2023 and since then is actively targeting users in South Korea through spear phishing emails
• For C2 infrastructure, it often compromises South Korea-based bulletin board system (BBS) websites and uses them
• The group is constantly evolving its tools, techniques and procedures while experimenting with new file formats and methods to bypass security vendors

Attack Chain

There are multiple attack vectors used by APT37 in this campaign. Figure 1 and Figure 2 show 2 examples of the attack-chain. The other attack vectors we have described in the "Recent TTPs" section.

 

Figure 1: attack-chain using CHM file format to kick start the infection chain

Figure 2: attack-chain using the MS Office Excel add-in to kick start the infection chain

Opsec failure by APT37

Threat actor's GitHub repository overview

Our initial discovery was the GitHub repository of APT37 which was used to stage several malicious payloads. Figure 3 shows a preview of the threat actor's GitHub repository

Figure 3: GitHub account of the threat actor

The contents of the Readme file are chosen to appear as an Android software related repository. At the end of the Readme file, we noticed a base64-encoded string, preceded by a tag

While reviewing the commit history, we noticed that the threat actor often updates this encoded string. While we were not able to identify the exact usage of this encoded string, we believe it will be fetched by a payload on the endpoint.

Figure 4 shows a GitHub commit where the threat actor is updating the encoded token.

Figure 4: GitHub commit which shows threat actor updating the encoded token in the README

Recovery of deleted files

When we reviewed the commit history of the GitHub repository, we noticed that the threat actor frequently deleted malicious files from it. Figure 5 shows commit logs related to the delete events.

Figure 5: GitHub commit history showing the files being deleted routinely by the threat actor

We traced this commit history all the way to its origin, and observed that the first commit happened in October 2020. This was surprising to us since the threat actor was able to maintain a GitHub repository, frequently staging malicious payloads for more than 2 years without being detected or taken down.

Figure 6 shows the first commit in the commit history logs.

Figure 6: First commit in the GitHub account. Activity started in October 2020

Our next step was to retrieve all the deleted files from the GitHub repository. We have included the list of hashes and the original filenames in the indicators of compromise (IOCs) section.

Themes and target analysis

This wealth of information retrieved from the GitHub repository gave us a lot of insight into the types of themes used by the threat actor as social engineering lures and we were able to make an educated guess about the potential targets of the campaign.

Per our analysis of the file names, and the decoy contents, we have summarized the themes below along with examples. This is not an exhaustive list

 

 

Examples of decoy themes

We have included below a few decoy themes used by the threat actor. These are samples not yet documented in the public domain. So, we hope to share more insights into the themes used in the campaign through this information.

Geopolitics

Figure 7 shows a decoy file related to INSS (Institute of National Security Strategy) in South Korea. This decoy PDF was sent along with a CHM file inside the archive file with the name: [INSS] National Security and Strategy (Winter 2022).rar

Figure 7: Decoy related to geopolitics theme

Education and academic institutes

Figure 8 shows a decoy file related to examination questions on the topic of Korean Economic Development

Figure 8: decoy related to education theme

Finance

Figure 9 shows a decoy file related to the Hanwha General Insurance - a major insurer in South Korea. This decoy file was sent along with the CHM file in an archive file - BoanMail.rar

Figure 9: decoy related to finance theme

Recent TTPs

Attack vector - CHM

It is well-known that APT37 uses a Chinotto PowerShell-based backdoor which is deployed on the endpoint through a malicious Windows help file (CHM). These CHM files are distributed inside archive files. Most of these archive files contain two components - the malicious CHM file and the decoy file to be displayed to the victim.

In most cases, the decoy files are password-protected. The password to open the decoy file is displayed by the CHM file.

Figure 10 below shows an example of code inside the CHM file which is responsible for displaying the decoy file to the victim, downloading a malicious HTA file from the attacker's server and executing it.

Figure 10: code inside the CHM file used to launch MSHTA and download HTA

New attack vector - MS Excel Add-in

So far in most of the campaigns of APT37 deploying Chinotto PowerShell backdoor, they have leveraged CHM files distributed inside archive files.

Interestingly, on March 15th 2023, around the time of our investigation, the threat actor uploaded a malicious Microsoft Excel Add-in to the GitHub repository. This Add-in is an XLL file. XLL files are DLLs which function as an add-in for the Microsoft Excel application.

We haven't seen this attack vector used by APT37 before and we believe this to be the first case being documented.

Technical analysis of the XLL file

For the purpose of technical analysis, we will use the XLL file with MD5 hash: 82d58de096f53e4df84d6f67975a8dda

XLL files get activated when they are loaded by the MS Excel application. There are various callback functions provided by Microsoft which allow the XLL file to communicate with the Excel application. One of the most common functions is xlAutoOpen() which is called as soon as the DLL is loaded and activated by the MS excel application.

Figure 11 below shows the code present in the XLL file in our case.

Figure 11: xlAutoOpen() subroutine of the malicious MS Office Excel add-in

Below are the main steps performed by this XLL file.

• Extracts an XLS file from the entry called "EXCEL" in its resource section and drops it on the filesystem in the path: C:\programdata\20230315_SejeongSupport.xls
   
• Displays the above dropped XLS file that is a decoy and used as a social engineering lure
   
• Launches MSHTA to download an HTA file from the URL: hxxp://yangak[.]com/data/cheditor4/pro/temp/5.html

This HTA file contains the PowerShell backdoor called Chinotto

Ultimately, we see that the goal of this XLL file is also to deploy the Chinotto PowerShell backdoor. However, instead of using the CHM file, it now uses the XLL file.

Attack vector - LNK

We recovered some LNK files from the GitHub repository which were uploaded in August 2022 and apparently used in in-the-wild attacks around the same timeframe. These LNK files were present inside RAR archives. Along with the LNK file, an HTML file was present masquerading as a sign-in page of the South Korean company - LG.

The two LNK files we observed, both used dual extensions - "html.lnk" and "pdf.lnk".

These LNK files were used to execute MSHTA and download the malicious HTA file from the attacker's server. Rest of the attack-chain is similar to other cases which finally leads to the Chinotto PowerShell-based backdoor.

We analyzed the metadata of the LNK file with LECmd tool and noticed that both the LNK files were generated on a Virtual Machine running VMWare and with a Mac address of: 00:0c:29:41:1b:1c

Since the threat actor reused the same Virtual Machine to generate multiple payloads, this information could be useful for threat hunting and threat attribution purposes in future.

Figure 12 and 13 show the outputs of LECmd tool highlighting the target command executed by the LNK and other important metadata

Figure 12: LNK target command line and metadata extracted using LECmd

Figure 13: LNK machine details extracted using LECmd

Figure 14 shows the decoy HTML file which is packaged along with the LNK file inside the same archive.

Filename: LG유플러스_이동통신_202208_이_선.html
Translation: U+_Mobile_Communication_202208_Lee_Seon.html

Figure 14: decoy file related to LG

Attack vector - Macro-based MS office file

In March 2022, a macro-based MS office Word file was uploaded to the GitHub repository. This macro would launch MSHTA to download the PowerShell-based Chinotto backdoor as well. The target URL from where the HTA file is fetched is also the same as the previous case. This shows that the threat actor uses multiple initial file formats and attack vectors to deploy the same backdoor.

Filename: NEW(주)엠에스북스 사업자등록증.doc
Filename translation: NEW MS Books Business Registration Certificate.doc

Figure 15 shows the relevant VBA macro code.

Figure 15: VBA macro used to launch MSHTA to download the malicious HTA file

Attack vector - HWP file with embedded OLE object

Another attack vector used by APT37 to deploy Chinotto PowerShell-based backdoor on the endpoint is using HWP files with embedded OLE objects. These OLE objects contain a malicious PE32 binary which executes MSHTA to download a PowerShell-based backdoor from the C2 server.

When viewed with Hancom Office, the embedded OLE objects take the form of a clickable element in the document's body.

APT37 makes use of misleading bait images to entice the user to click on the OLE object elements, an action required to cause the execution of the malicious PE payloads inside these objects.

Figure 16 shows an example of such a document, as it appears in Hancom Office.

Figure 16: Malicious HWP document by APT37. The Korean-language dialog is fake - it’s in fact an OLE object represented by a static image of a dialog. When it’s clicked, a real dialog pops up - prompting the user to confirm the execution of the payload.

Rest of the attack-chain is similar to the previous cases.

For the purpose of technical analysis, we will consider the HWP file with MD5 hash: a4706737645582e1b5f71a462dd01140

Filename: 3. 개인정보보완서약서_북주협.hwp
Translated filename: 3. Personal Information Security Pledge_Bukjuhyeop.hwp

Figure 17 shows the OLE object stream present inside the HWP file.

Figure 17: malicious OLE object stream present inside the HWP file

Object streams in HWP files are zlib compressed. After decompressing, we extracted the PE32 binary from it.

MD5 hash of the extracted binary: d8c9a357da3297e7ccb2ed3a5761e59f
Filename: HancomReader.scr
PDB path: E:\Project\windows\TOOLS\RunCmd\Release\RunCmd.pdb

Figure 18 shows the relevant code in HancomReader.scr

Figure 18: Relevant code in HancomReader.scr used to download and execute the PowerShell backdoor

Zscaler Sandbox Detection

Figure 19 shows the HTA file detection in the Zscaler sandbox.

Figure 19: Zscaler Cloud Sandbox report

Figure 20 shows the detection for the macro-based MS Office Word file in Zscaler sandbox.

Figure 20 shows the macro-based document file detection in Zscaler sandbox.

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels:

HTA.Downloader.Chinotto
VBA.Downloader.Chinotto
Win32.Backdoor.Chinotto

Conclusion

As we discussed in this blog, APT37 is a threat actor heavily focused on targeting entities in South Korea. It is constantly updating its tactics, techniques and procedures as is evident from the multiple file types used in the initial stages by it. The themes used by this threat actor range from geopolitics, current events, education to finance and insurance.

It is also particularly interested in current events and activities related to the Korean peninsula.

We will continue monitoring the activities of this threat actor and ensure our customers are protected against APT37.

Indicators Of Compromise (IOCs)

Archive file hashes
 

CHM file hashes
 

LNK files

Appendix

# Please note that most of the HWP files mentioned below are clean decoy files used by the threat actor. The original filenames are included to give the reader insights into the themes used.