An ongoing cyber attack campaign, tracked as STARK#MULE, has targeted Korean-speaking individuals using U.S. military-themed document lures to trick them into running malware on compromised systems. The attacks are attributed to APT37, a North Korean nation-state actor known for targeting South Korea, particularly government officials and people involved in reporting on North Korea or supporting defectors. The group has historically relied on social engineering to phish victims and deliver malware, but recent campaigns show an expansion of its tactics, including the use of compromised Korean e-commerce websites to stage payloads and host command-and-control (C2) infrastructure so that traffic blends in and evades security solutions.
The phishing emails in this campaign use U.S. Army recruitment messages to convince recipients to open ZIP archives containing a decoy PDF and a rogue “Thumbs.db” file that executes further stagers and establishes persistence. The attack then retrieves modules from the compromised e-commerce websites to gather system details and establish connections back to the operators. The disclosure comes alongside APT37’s use of CHM files in phishing emails impersonating security communications to deploy information-stealing malware and other binaries.
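A genuine Windows Thumbs.db is an OLE2 compound document, so a mail gateway or triage script can flag archives whose “Thumbs.db” entry does not carry that signature. The following is an added example (not code from the report or from any vendor) that builds a constructed sample archive mirroring the lure layout described above and applies that check; the file names and payload bytes are placeholders.

```python
import io
import zipfile

# Genuine Thumbs.db files are OLE2 (compound file binary format) documents with this header.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PE_MAGIC = b"MZ"  # DOS/PE executable header


def suspicious_entries(zip_bytes: bytes) -> list:
    """Return entries that look like the STARK#MULE lure layout: a file named
    Thumbs.db (in any directory) whose content is not an OLE2 compound
    document, e.g. a PE executable masquerading as a thumbnail cache."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base.lower() != "thumbs.db":
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            if head.startswith(OLE2_MAGIC):
                continue  # plausibly a real thumbnail cache; no finding
            kind = "PE executable" if head.startswith(PE_MAGIC) else "non-OLE2 data"
            findings.append(f"{info.filename}: {kind}")
    return findings


def build_sample(thumbs_payload: bytes) -> bytes:
    """Constructed sample archive: a decoy PDF next to a Thumbs.db entry (placeholder names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Army_Recruitment_Notice.pdf", b"%PDF-1.4\n%decoy document\n")
        zf.writestr("Thumbs.db", thumbs_payload)
    return buf.getvalue()


if __name__ == "__main__":
    # A bare MZ header stands in for a rogue stager; an OLE2 header for a benign cache file.
    print(suspicious_entries(build_sample(b"MZ\x90\x00" + b"\x00" * 60)))  # flags Thumbs.db
    print(suspicious_entries(build_sample(OLE2_MAGIC + b"\x00" * 60)))     # []
```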
APT37 is part of a group of North Korean state-sponsored actors, including the Lazarus Group, known for perpetrating financial theft and gathering intelligence for political and national security objectives.
The Lazarus Group and its sub-clusters, Andariel and BlueNoroff, have been observed leveraging a new backdoor called ScoutEngine and a rewritten version of the MATA framework (MATAv5) in intrusions targeting defense contractors in Eastern Europe.
Kaspersky describes the malware as sophisticated, with an advanced architecture built from loadable and embedded modules and plugins; it uses Inter-Process Communication (IPC) channels and a diverse set of commands to establish proxy chains across multiple protocols within the victim’s environment. Given the activity of state-sponsored actors such as APT37 and the Lazarus Group, users are advised to treat unexpected emails with caution and to avoid opening attachments from unknown sources.