Latest news with #APT37


Forbes, 04-08-2025
Microsoft Windows Is Being Hacked If You See These JPEG Images
Microsoft users have every right to consider themselves somewhat bombarded by hackers, what with the recent global SharePoint attack, confirmation of the FileFix Windows security bypass, and the FBI issuing a critical warning to activate 2FA in response to the Interlock ransomware threat. Now Windows users have been issued another warning about a threat hiding in plain sight that weaponizes JPEG image files. Here's what you need to know about the APT37 RoKRAT remote access trojan.

Windows Users Warned As Microsoft Paint And JPEG Images Used In Latest Hack Attacks

When you think of sophisticated hack attacks, the chances are that the much-derided MS Paint application and basic JPEG images do not immediately spring to mind. Yet here we are, with a critical warning being issued as an advanced threat group colloquially known as Reaper, but more formally identified as APT37, uses just these tools to deploy a truly dangerous remote access trojan called RoKRAT. You might be more used to reading about images stolen by hackers than images deployed by them as an integral part of an attack, but the risk is very real indeed, as security researchers at the Genians Security Center have warned. The latest RoKRAT attack report has revealed how the APT37 hackers are using steganography to obfuscate malware code, which is then injected into the MS Paint process during the Microsoft Windows cyberattacks. Why do this? Because it makes detection, and therefore prevention, much harder. APT37 'employs a two-stage encrypted shellcode injection method to hinder analysis,' the researchers warned, with downloaded images forming part of the attack. The report said the malware analysts observed that 'the RoKRAT module is embedded within the JPEG image format.' The RoKRAT attack module itself was concealed, the researchers said, in images named downloaded from a Dropbox drive.
There were two photos of a man, a harmless version of which can be viewed within the report itself, but 'the underlying malware structure remained the same.'

What Is Steganography?

Steganography, from the Greek steganographia, combining words meaning concealed and writing, is just that: the 'art' of concealing information within a different medium so that it is not immediately evident even to a skilled observer. In the world of cybersecurity, steganography is most commonly seen, or not seen, of course, as malicious code hiding within a seemingly harmless image. This is not a new technique by any means. I feel a confession coming on. Some 25 years ago, someone looking very much like me employed just such a technique to capture keyboard output and hide it in an image file for later extraction. Hackers have known about and deployed steganography forever. Which does not make it an outdated technique or any the easier to detect when looking for malicious code. And that, dear reader, is why the APT37 attackers are deploying it in these latest RoKRAT campaigns. 'When shellcode is injected into the process to perform a fileless attack,' the researchers warned, 'detection by signature- or pattern-based security solutions may be difficult.' But a mature Endpoint Detection and Response solution can identify 'external communications initiated via shellcode and the Dropbox API,' which would quickly halt the Microsoft Windows attack. For mere mortals without access to such enterprise tools, there's another mitigation method: beware of the phishing tactics used initially to distribute the malware. These consist of compressed archives containing Windows shortcut (LNK) links. I have reached out to Microsoft for a statement regarding the latest APT37 campaign.
In the meantime, a spokesperson previously advised that: 'Windows identifies LNK shortcut files as a potentially dangerous file type, which means that when a user attempts to open one that had been downloaded from the internet, a security warning is automatically triggered. This warning, quite correctly, advises the user not to open files from unknown sources. We strongly recommend heeding this warning.'
Yahoo, 12-03-2025
Suspected North Korean Hackers Infiltrate Google Play With 'KoSpy' Spyware
Newly discovered spyware, possibly from a North Korean hacking group, was found circulating on the Google Play Store. The spyware programs, dubbed "KoSpy," were masquerading as utility apps. But once installed, they secretly collected a wide range of data from Android devices, including SMS messages and screenshots, according to cybersecurity vendor Lookout Mobile Security. Lookout says it has "medium confidence" that KoSpy is linked to North Korean hacking groups such as APT37, which has often focused on cyber espionage. KoSpy targets Korean- and English-language users. It infiltrated Google Play as an app called "File Manager - Android." Google has since removed the app, which only attracted about 10 downloads.

"The use of regional language suggests this was intended as targeted malware," a Google spokesperson tells us. "Before any user installations, the latest malware sample discovered in March 2024 was removed from Google Play. Google Play Protect automatically protects Android users from known versions of this malware on devices with Google Play Services, even when apps come from sources outside of Play."

In total, Lookout found KoSpy using five different names: 휴대폰 관리자 (Phone Manager), File Manager, 스마트 관리자 (Smart Manager), 카카오 보안 (Kakao Security), and Software Update Utility. The malicious apps usually feature a basic interface that can access an Android phone's internal settings. In others, the fake apps merely display a dummy system window asking for device permissions. The spyware secretly communicates with a hacker-controlled server before downloading various plugins designed to snoop on and collect data from the Android device. In addition, the spyware can configure itself to display messages to the user in Korean or English.
Although the spyware dates back to at least March 2022, the most recently recovered sample was collected in March 2024. The command and control servers for the spyware were also found to be inactive, so KoSpy may be retired. "Some of the samples of KoSpy were available for download from the Google Play Store alongside the third-party app store Apkpure. However, no app is currently publicly available on Google Play Store," Lookout says. Google confirms that all of the apps identified were removed from Google Play. Their Firebase projects were also taken down.

Lookout also attributed KoSpy to APT37 because one of the domains that the spyware reaches out to resolves to an IP address in South Korea that has been associated with hacking activity from APT37 and another North Korean hacking group, APT43. 'North Korean threat actors are known to have overlapping infrastructure, targeting, and TTPs (tactics, techniques, and procedures), which makes attribution to a specific actor more difficult,' Lookout says.