The North Korea-linked group APT37 has expanded its toolset for breaching air-gapped networks. Zscaler ThreatLabz has identified a new campaign, which it calls Ruby Jumper, in which the attackers combine abuse of cloud services with infection of removable media to reach systems that have no direct internet connectivity.
APT37, also tracked as ScarCruft and Velvet Chollima, begins its infection chain with malicious LNK files. When the shortcut is run, PowerShell extracts a set of embedded components: an Arabic-language decoy article about the Palestinian-Israeli conflict, together with hidden loaders and shellcode. This initial stage ends with the deployment of the RESTLEAF implant.
RESTLEAF uses Zoho WorkDrive as its command-and-control channel. The malware obtains an access token with hardcoded credentials, then downloads additional code and injects it into a legitimate system process. Once running, RESTLEAF creates specific beacon files in the cloud repository to signal a successful compromise to the operators.
The next stage is handled by SNAKEDROPPER. This loader sets up a complete Ruby 3.3.0 environment in the ProgramData directory, disguising the interpreter as the usbspeed.exe utility. SNAKEDROPPER then overwrites the Ruby library file operating_system.rb and registers tasks in the Windows Task Scheduler so that its malicious payload runs every five minutes. From this counterfeit Ruby environment it launches two main modules, THUMBSBD and VIRUSTASK.
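The persistence traits described above (an interpreter living under ProgramData, a task that repeats every five minutes, and the usbspeed.exe name) can be checked against a Task Scheduler export. The following Python is an added example written for this article, not code from Zscaler or from the campaign's tooling. It parses a constructed, reduced subset of the columns that `schtasks /query /fo CSV /v` prints; the task names, the `usbspeed` subdirectory and the `run.rb` argument are invented for the sample, and only usbspeed.exe and the ProgramData location come from the report.

```python
import csv
import io
import ntpath
import re

# Constructed sample: a reduced subset of the columns that
# `schtasks /query /fo CSV /v` prints. Task names and paths are
# invented for this example; only usbspeed.exe and the ProgramData
# location come from the reported campaign.
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Task To Run","Repeat: Every"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","N/A"
"\Contoso Updater","C:\Program Files\Contoso\Updater.exe /silent","N/A"
"\USBSpeedMonitor","C:\ProgramData\usbspeed\usbspeed.exe C:\ProgramData\usbspeed\run.rb","0 Hour(s), 5 Minute(s)"
"\Contoso Sync","C:\Users\alice\AppData\Local\Contoso\sync.exe","1 Hour(s), 0 Minute(s)"
'''

# Executable name the report says the disguised Ruby interpreter uses.
MASQUERADE_NAMES = {"usbspeed.exe"}
# Repeat interval reported for the malicious task.
MAX_REPEAT_MINUTES = 5


def repeat_minutes(field):
    """Parse the 'Repeat: Every' column ('0 Hour(s), 5 Minute(s)'); None if not repeating."""
    m = re.search(r"(\d+) Hour\(s\), (\d+) Minute\(s\)", field)
    if not m:
        return None
    return int(m.group(1)) * 60 + int(m.group(2))


def executable_of(command):
    """Return the program path at the start of a 'Task To Run' command line."""
    m = re.match(r'"([^"]+)"|(\S.*?\.exe)', command, re.IGNORECASE)
    if not m:
        return command.split()[0] if command.strip() else ""
    return m.group(1) or m.group(2)


def find_suspicious_tasks(csv_text):
    """Return tasks that show any of the persistence traits, with the reasons matched."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exe = executable_of(row["Task To Run"])
        reasons = []
        # Trait 1: the scheduled program lives under ProgramData.
        if "\\programdata\\" in exe.lower():
            reasons.append("runs-from-programdata")
        # Trait 2: the task repeats at five-minute (or shorter) intervals.
        minutes = repeat_minutes(row["Repeat: Every"])
        if minutes is not None and minutes <= MAX_REPEAT_MINUTES:
            reasons.append("repeats-every-5min-or-less")
        # Trait 3: the program carries the reported masquerade name.
        if ntpath.basename(exe).lower() in MASQUERADE_NAMES:
            reasons.append("known-masquerade-name")
        if reasons:
            findings.append({"task": row["TaskName"], "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f["task"], f["exe"], ", ".join(f["reasons"]))
```

A program under ProgramData or a five-minute repeat is individually common for legitimate software, so the findings are meant to be ranked by how many traits coincide; in the sample only the constructed USBSpeedMonitor task matches all three, and the other rows match none.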
THUMBSBD handles data exfiltration and exchange between internet-connected hosts and isolated network segments. The malware collects system information, running processes, network configuration, and file listings, encrypts the collection with a simple XOR cipher, and stores it in designated working directories. When a USB flash drive is inserted, THUMBSBD creates a hidden $RECYCLE.BIN directory on it and moves command files or exfiltrated data files there, turning the physical media into a bidirectional command channel.
VIRUSTASK is responsible for spreading across the air gap. The module checks the free space on the removable media, creates a hidden $RECYCLE.BIN.USER directory, and replaces the victim's legitimate files with malicious shortcuts that carry the same names. Opening such a shortcut launches the counterfeit Ruby interpreter, which immediately runs the payload shellcode and compromises the newly reached machine.
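The removable-media behaviour described in the two paragraphs above (a hidden $RECYCLE.BIN used as a drop box, a hidden $RECYCLE.BIN.USER directory, and documents replaced by same-named shortcuts) leaves artefacts that can be found by inspecting a drive listing. The following Python is an added example written for this article, not code from Zscaler or from the campaign's tooling. It runs over a constructed inventory of a drive E: (path, directory flag, hidden flag), as a directory walk with attribute checks would produce; the file names, the SID and the document-extension list are invented or illustrative, and only the directory names and the shortcut-replacement trait come from the report.

```python
import ntpath

# Constructed inventory of a removable drive (E:), as a tool might gather
# it from a directory walk with hidden-attribute flags. Paths and names are
# invented; only $RECYCLE.BIN, $RECYCLE.BIN.USER and the shortcut-replacement
# trait come from the report.
SAMPLE_DRIVE = [
    {"path": r"E:\$RECYCLE.BIN", "dir": True, "hidden": True},
    {"path": r"E:\$RECYCLE.BIN\S-1-5-21-1111-2222-3333-1001", "dir": True, "hidden": True},
    {"path": r"E:\$RECYCLE.BIN\S-1-5-21-1111-2222-3333-1001\$R1A2B3C.txt", "dir": False, "hidden": False},
    {"path": r"E:\$RECYCLE.BIN\cmd_20240101.bin", "dir": False, "hidden": True},
    {"path": r"E:\$RECYCLE.BIN.USER", "dir": True, "hidden": True},
    {"path": r"E:\$RECYCLE.BIN.USER\quarterly_report.docx", "dir": False, "hidden": True},
    {"path": r"E:\quarterly_report.docx.lnk", "dir": False, "hidden": False},
    {"path": r"E:\photos", "dir": True, "hidden": False},
    {"path": r"E:\photos\holiday.jpg", "dir": False, "hidden": False},
    {"path": r"E:\tools\putty.lnk", "dir": False, "hidden": False},
]

# Illustrative list of extensions a user expects to open as a document or image.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                       ".pdf", ".txt", ".jpg", ".png", ".zip"}
# Conservative allow-list of files Windows may keep in a recycle-bin folder.
RECYCLE_ALLOWLIST = {"desktop.ini"}


def _under(path, directory):
    """True if path equals directory or lies below it (case-insensitive, Windows paths)."""
    p, d = path.lower(), directory.lower()
    return p == d or p.startswith(d + "\\")


def scan_removable_listing(entries):
    """Flag the removable-media traits described in the article; returns [{path, reason}]."""
    findings = []
    hidden_dirs = [e["path"] for e in entries if e["dir"] and e["hidden"]]
    # Names of files that live anywhere under a hidden directory.
    hidden_files = {
        ntpath.basename(e["path"]).lower()
        for e in entries
        if not e["dir"] and any(_under(ntpath.dirname(e["path"]), d) for d in hidden_dirs)
    }
    for e in entries:
        path = e["path"]
        name = ntpath.basename(path)
        parent_name = ntpath.basename(ntpath.dirname(path))
        # Trait 1: the $RECYCLE.BIN.USER directory is not something Windows creates.
        if e["dir"] and name.lower() == "$recycle.bin.user":
            findings.append({"path": path, "reason": "nonstandard-recycle-dir"})
        # Trait 2: Windows keeps recycled items in per-user SID subfolders, so a
        # loose file directly under $RECYCLE.BIN is out of place.
        if (not e["dir"] and parent_name.lower() == "$recycle.bin"
                and name.lower() not in RECYCLE_ALLOWLIST):
            findings.append({"path": path, "reason": "loose-file-in-recycle-root"})
        # Trait 3: a shortcut named like a document, especially when a file of
        # that name now sits inside a hidden directory on the same drive.
        if not e["dir"] and name.lower().endswith(".lnk"):
            inner = name[:-4]
            if ntpath.splitext(inner)[1].lower() in DOCUMENT_EXTENSIONS:
                findings.append({"path": path, "reason": "lnk-mimics-document"})
            if inner.lower() in hidden_files:
                findings.append({"path": path, "reason": "original-in-hidden-dir"})
    return findings


if __name__ == "__main__":
    for f in scan_removable_listing(SAMPLE_DRIVE):
        print(f["reason"], f["path"])
```

On an NTFS-formatted drive a hidden $RECYCLE.BIN at the root is normal, which is why the check looks at what sits directly inside it rather than at its presence; the shortcut check is the stronger signal, since Explorer hides the .lnk suffix and a user sees only the familiar document name.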
At a later point, THUMBSBD delivers the FOOTWINE backdoor, disguised as a file with an APK extension. This component supports keystroke logging, screen capture, covert audio and video recording, remote command execution, and file manipulation. To conceal its communications, FOOTWINE uses a custom XOR-based key exchange. The infection chain also incorporates the previously documented BLUELIGHT malware, which abuses Google Drive, Microsoft OneDrive, and other cloud services for command and control.
Zscaler's analysts attribute the Ruby Jumper campaign to APT37 based on a combination of distinctive traits: the use of a characteristic two-stage shellcode loader, the use of BLUELIGHT, and heavy reliance on cloud platforms. The campaign shows that the North Korean group is deliberately building tooling to defeat network isolation, turning to physical media as an independent channel for remote command and control.