The North Korean hacking group known as APT37 (also called ScarCruft) has been linked to a targeted social engineering campaign that uses Facebook to deliver the remote access trojan RokRAT.
According to a report from the Genians Security Center (GSC), the attackers set up two Facebook accounts with the location set to Pyongyang and Pyongsong, North Korea, and then used those accounts to send friend requests to targeted users to build relationships before moving the conversation to Messenger and then Telegram.
After developing trust, the actors executed a pretexting attack: they told the target that viewing "military" documents protected by special encryption required a dedicated PDF viewer. The ZIP file delivered contained a trojanized version of Wondershare PDFelement. When run, the installer executed embedded shellcode, contacted a command and control server, and delivered the RokRAT payload, which was hidden inside what appeared to be a JPG file.
This campaign is notable because it uses multiple layered evasion techniques:
1. A legitimate but compromised Japanese real estate website (japanroom[.]com) was used for command and control communication.
2. The final payload was delivered as a disguised JPG file.
3. Zoho WorkDrive was abused as command and control infrastructure (a technique that has been observed in other recent campaigns).
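As an added example (not code from the report or the article), here is a small Python triage check for the second technique, a payload hidden inside an apparent JPG. It walks the JPEG marker structure instead of searching for the FF D9 end-of-image bytes, because EXIF thumbnails embed a whole inner JPEG with its own end marker, and reports how many bytes trail the real end-of-image marker. Trailing data is a signal for further analysis, not proof of malice, and the sample file below is a constructed marker skeleton, not a decodable image.

```python
def jpeg_trailing_bytes(data: bytes) -> int:
    """Return the number of bytes after the JPEG end-of-image (EOI) marker.

    Returns -1 when the blob is not a well-formed JPEG at all (no SOI magic,
    truncated, or an unexpected byte where a marker should be). A file with a
    .jpg name that yields -1 deserves a look just as much as one with a large
    trailing blob: a payload may be wrapped in an image or merely renamed.
    """
    if not data.startswith(b"\xff\xd8"):          # SOI marker must come first
        return -1
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return -1                             # expected a marker here
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte between markers
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                        # EOI: the image ends here
            return n - pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                              # standalone markers (TEM, RSTn)
        if pos + 2 > n:
            return -1
        seg_len = int.from_bytes(data[pos:pos + 2], "big")  # includes itself
        if seg_len < 2 or pos + seg_len > n:
            return -1
        pos += seg_len
        if marker == 0xDA:                        # SOS: skip entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                # 0xFF inside scan data is either byte-stuffed (FF 00) or an RSTn
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return -1                                     # ran out of data before EOI


def build_sample(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG marker skeleton (assumption: not a real photo)."""
    app0 = b"\xff\xe0" + (2 + 4).to_bytes(2, "big") + b"JFIF"
    sos = b"\xff\xda" + (2 + 1).to_bytes(2, "big") + b"\x01"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"        # stuffed FF and an RST marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailer


if __name__ == "__main__":
    for label, blob in [("clean", build_sample()),
                        ("appended", build_sample(b"MZ" + b"\x90" * 40)),
                        ("renamed", b"not a jpeg at all")]:
        print(f"{label}: trailing bytes = {jpeg_trailing_bytes(blob)}")
```

Run over every *.jpg received through a messaging channel, the check flags files with trailing data or no JPEG structure for sandbox or manual review.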
RokRAT is a mature backdoor program that can capture your screen, run commands remotely, gather information about your system, and avoid detection by well-known security products such as 360 Total Security. Although many of its key functions remain unchanged, this group of attackers continues to refine the delivery and evasion techniques they employ.
What Makes This Campaign Significant
This operation is an example of APT37’s ongoing effort to combine social engineering techniques with advanced technologies. By establishing an initial contact via a reputable site like Facebook, and then gradually moving the target to a more discreet location (e.g., Messenger to Telegram), the attackers reduce the level of suspicion and improve the likelihood of success.
The underlying focus of this campaign is on individuals and organizations involved in intelligence and security issues, including but not limited to, South Korea and countries within the region that are involved in similar geopolitical events.
Recommendations
1. Treat friend requests from unknown accounts with caution, especially accounts with minimal social media activity or whose stated location is many hundreds of miles from your own.
2. Do NOT download any program that has been sent via a message-based social network. Even if the file is needed to view a document, do not download it.
3. Ensure ALL files you receive, especially PDF viewers and other “special tools”, originate from a known source prior to opening them.
4. Utilize updated security products with robust heuristics and never enable macros or run executable files from unknown sources.
5. Organizations must educate all employees about social engineering techniques that begin on social networks.
This is a reminder that advanced persistent threats increasingly rely on the human factor as their entry point into corporate networks: if they can successfully manipulate a person, they may bypass sophisticated security technology altogether.
A friend request, or accepting one, may be the first step of a more comprehensive fraud scheme. Be vigilant.
Source: The Hacker News