Numerous file formats are being leveraged by North Korean advanced persistent threat group APT37, also known as Reaper, RedEyes, Scarcruft, and Ricochet Chollima, to facilitate malware distribution efforts, reports The Hacker News.
While APT37 was initially reported by ASEC to be using HWP files to deploy the M2RAT backdoor, the threat operation has been discovered by Zscaler researchers to be distributing malware through macro-based Microsoft Office documents, as well as Microsoft Compiled HTML Help, LNK, HTA, and XLL files.
Such methods have enabled the deployment of the Chinotto malware, which has been updated to capture screenshots and log keystrokes, with the obtained data exfiltrated to a remote server, according to the Zscaler report. Researchers also noted that APT37's malicious activity evaded detection for over two years.
"The group is constantly evolving its tools, techniques, and procedures while experimenting with new file formats and methods to bypass security vendors," said researchers.
Aside from featuring over 40 million signals from the DNS Research Federation's data platform and the Global Anti-Scam Alliance's comprehensive stakeholder network, the Global Signal Exchange will also contain more than 100,000 bad merchant URLs and one million scam signals from Google.
While some threat actors established fraudulent disaster relief websites as part of phishing attacks aimed at exfiltrating financial details and Social Security numbers from individuals seeking aid, others impersonated Federal Emergency Management Agency assistance providers to create fake claims that enabled relief fund and personal data theft.
Malicious GitHub pages and YouTube videos containing links to purported cracked office software, automated trading bots, and game cheats have been leveraged to facilitate the download of self-extracting, password-protected archives.