Introduction
In the ever-evolving landscape of cyber threats, state-sponsored attack organizations remain at the forefront of sophisticated cyber-espionage campaigns. One such group, APT37, also known as ScarCruft, Reaper, RedEye, and Ricochet Chollima, has been active since 2012. Originally targeting South Korean public organizations and private enterprises, they expanded their scope in 2017 to industries across Japan, Vietnam, the Middle East, and more. A recent discovery by the Knownsec 404 Advanced Threat Intelligence team has unveiled a new weapon in their arsenal: a Trojan named Fakecheck.
APT37: A Brief Overview
APT37 is suspected to be a state-sponsored attack organization from the peninsula region. Their primary targets have been public organizations and private enterprises in South Korea. However, their expansion in 2017 saw them targeting industries such as chemicals, electronics, manufacturing, aerospace, automotive, and healthcare across various regions.
Discovery of Fakecheck
During routine analysis activities, the Knownsec 404 team stumbled upon multiple CHM samples carrying malicious scripts. These samples led to the discovery of the Trojan, Fakecheck. Some security researchers attribute this Trojan to APT37. However, the TTPs (Tactics, Techniques, and Procedures) associated with this Trojan differ from the known intelligence on APT37, suggesting that this could either be a new set of TTPs used by APT37 or the workings of a completely new attack organization.
Attack Sample Analysis
The malicious CHM samples primarily targeted South Korea, with themes revolving around insurance, securities and finance, and communication bills. The CHM file contained a jse script, which, when executed, performed a series of operations:
- Decompiling the CHM and releasing files to a specific directory.
- Executing the decompiled Docs.jse, an encoded JavaScript script.
- Downloading data from a specified server.
Interestingly, the script had undergone upgrades in functionality, including enhanced string decoding functions and anti-virus software detection.
Fakecheck: The New Trojan
Named by the Knownsec 404 team for traceability, Fakecheck is a RAT (Remote Access Trojan) responsible for executing remote control. Its primary functions include:
- Retrieving disk information and collecting file data.
- Targeting user data from browsers like Chrome and Edge.
- Receiving and executing commands from a command and control (C&C) server.
Despite its seemingly simple operations, the complexity of the attacker’s code is gradually improving, suggesting that these activities might only represent the early to mid-stages of the attacker’s chain.
Attribution Challenges
While several security researchers attribute the attack to APT37, the KnownSec 404 team believes that there’s no direct evidence linking it to the TTPs used by APT37. The method of using CHM to load malicious code is not unique to APT37; other organizations, including Kimsuky, have employed similar techniques.
Conclusion
The discovery of Fakecheck highlights the ever-evolving tactics of state-sponsored attack organizations. While the primary target of these attacks remains uncertain, the bait documents used have broad applicability. The complexity of the attacker’s code, though currently low, is on an upward trajectory. As cyber incident responders, it’s crucial to continuously track such attack incidents, ensuring that we stay one step ahead of these threat actors.
References: