APT37 Hackers Abusing Group Chats to Attack Via Malicious LNK File

A surge in Advanced Persistent Threat (APT) attacks has been witnessed in Korea, with notable exploitation of malicious Hancom Office (HWP) and LNK files.

The APT37 group, a suspected state-sponsored organization, has leveraged these malware types in spear-phishing campaigns to infiltrate devices, collect sensitive data, and propagate secondary attacks.

These attacks have been primarily conducted through trusted communication platforms like K Messenger, highlighting the increasing complexity and precision of modern cyber threats.

Threat Flow

Throughout 2024, APT groups in Korea targeted organizations and individuals using diverse attack techniques, including spear phishing, watering hole attacks, and software supply chain infiltration.

The APT37 group has excelled in evading conventional antivirus (AV) systems by deploying sophisticated methods.

A key example is their use of HWP files enriched with malicious Object Linking and Embedding (OLE) objects and LNK files embedded with PowerShell commands delivered via ZIP archives.

Figure: Traces of malware development included in OLE objects

A recent attack involved the distribution of two malicious files: an HWP document discussing geopolitical topics and a ZIP file containing an LNK shortcut.

The attackers sent these files via K Messenger group chats, exploiting users’ trust in files shared within familiar circles.

Once opened, these files initiated a sequence of reconnaissance activities, including terminal data collection and the distribution of secondary malicious payloads within the messenger platform, creating a cascading effect of infection.

Advanced Malware Mechanics

The attack methodology reveals the use of HWP files with hidden OLE objects that exploit user trust.

When executed, these objects trigger malicious scripts, such as a batch file (lexus.bat), which employs encoded PowerShell commands to extract sensitive information and establish a fileless malware operation.

Figure: News article screen from a media outlet

The malicious code targets the Windows environment and does not run on Android, although Android users still face risk from APK installations obtained from unofficial sources.

The LNK files operate by disguising their appearance to resemble harmless documents, embedding executable scripts that execute upon opening.

These files, often exceeding 10 MB in size, are strategically designed to lure unsuspecting users into activating malicious commands.

The PowerShell scripts further obfuscate their operations, leveraging XOR encryption to unpack shellcode and execute the RoKRAT malware in memory.
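To show what the LNK traits described above look like on disk, here is an added triage script (not code from the original report or from any vendor it names) that parses the Windows shortcut format and flags the characteristics discussed: PowerShell launched with encoded or hidden-window arguments, a minimised window, and megabytes of padding appended after the shortcut structures. The 1 MiB padding threshold and the two sample shortcuts are assumptions constructed for the demonstration.

```python
"""Added triage helper: parse a Windows .lnk (MS-SHLLINK) far enough to recover the
arguments it passes, its window mode and any bytes padded on after the last structure."""
import struct
HAS_TARGET_IDLIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
SW_SHOWMINNOACTIVE = 7                          # ShowCommand value that starts the window minimised
OVERLAY_LIMIT = 1024 * 1024                     # assumed threshold; the report cites files over 10 MB
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
def parse_lnk(data: bytes) -> dict:
    """Walk header -> IDList -> LinkInfo -> StringData -> ExtraData; return the fields triage needs."""
    if len(data) < 0x4C or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags, show_cmd = struct.unpack_from("<I", data, 0x14)[0], struct.unpack_from("<I", data, 0x3C)[0]
    off = 0x4C
    if flags & HAS_TARGET_IDLIST:            # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    strings, width = {}, 2 if flags & IS_UNICODE else 1
    for flag in STRING_FLAGS:                # CountCharacters (2 bytes) + unterminated string
        if flags & flag:
            n = struct.unpack_from("<H", data, off)[0]
            off += 2
            strings[flag] = data[off:off + n * width].decode("utf-16-le" if width == 2 else "cp1252", "replace")
            off += n * width
    size = 4
    while size >= 4 and off + 4 <= len(data):  # ExtraData: BlockSize-prefixed blocks, terminator < 4
        size = struct.unpack_from("<I", data, off)[0]
        off += max(size, 4)
    return {"show_cmd": show_cmd, "args": strings.get(HAS_ARGUMENTS, ""), "overlay": max(0, len(data) - off)}

def triage(data: bytes) -> list:
    p, hits = parse_lnk(data), []
    args = p["args"].lower()
    if "powershell" in args and any(t in args for t in ("-enc", "-e ", "-w hidden", "frombase64string")):
        hits.append("powershell launched with encoded or hidden-window arguments")
    if p["show_cmd"] == SW_SHOWMINNOACTIVE:
        hits.append("shortcut window starts minimised")
    if p["overlay"] > OVERLAY_LIMIT:
        hits.append(f"{p['overlay']} bytes appended after the shortcut structures")
    return hits

def build_lnk(args: str, overlay: bytes = b"", show_cmd: int = 1) -> bytes:
    """Constructed sample shortcut (arguments only, no target path) to exercise the parser offline."""
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE,
                      0, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    return hdr + struct.pack("<H", len(args)) + args.encode("utf-16-le") + struct.pack("<I", 0) + overlay
SUSPECT = build_lnk("/c powershell -w hidden -enc AAAAAAAA", b"\0" * 2 * OVERLAY_LIMIT, SW_SHOWMINNOACTIVE)
BENIGN = build_lnk("/k echo hello")
```

Run `triage(SUSPECT)` to see all three indicators fire while `triage(BENIGN)` returns an empty list; the same function can be pointed at real shortcuts read from disk.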

This malware pilfers login credentials, accesses online messaging platforms, and relays data to command-and-control (C2) servers hosted on commercial cloud services like pCloud.

Endpoint Detection and Response (EDR) solutions have become essential in combating such advanced threats.

Genian EDR, for instance, has demonstrated proficiency in identifying and mitigating these attacks by monitoring abnormal process execution and detecting anomalies based on behavior rules.

Its rapid response capabilities block malicious activities at the initial stages, ensuring endpoint security against fileless malware and C2 network communication attempts.

The APT37 group’s reliance on fileless attack mechanisms and identity-based trust exploitation highlights the urgent need for organizations to adopt proactive defenses.

Strengthening multi-stage security systems, implementing anomaly detection, and educating users about phishing risks remain critical.

The APT37 group’s continued use of sophisticated malware underscores the evolving nature of cyber threats in Korea.

Security policies must prioritize early detection of irregularities in device behavior and ensure robust endpoint defenses.

As attackers refine their strategies, a vigilant and adaptive approach to cybersecurity is imperative to safeguard sensitive systems and data.
