APT37, a threat group tied to North Korea, has launched a new campaign built on a set of malware tools made specifically to compromise computers that are not connected to the internet, systems long regarded as among the most secure anywhere. The Ruby Jumper campaign shows how state-backed actors circumvent the physical isolation that organizations rely on to safeguard their most sensitive data, and it marks a significant step up in the group's capabilities.
The well-known North Korean state-sponsored hacking group APT37, also known by the aliases ScarCruft, Ruby Sleet, and Velvet Chollima, has a track record of attacking defense companies, government agencies, and people connected to DPRK state interests.
For years the group relied on the Chinotto malware family for espionage and data theft. The Ruby Jumper campaign, however, introduces an entirely new toolkit of five previously unreported components: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE.
Each component plays a distinct role in a multi-stage attack chain that ends with surveillance tooling installed on isolated, air-gapped machines. The jump across the air gap depends on the user: when someone on a second computer opens what appears to be one of their own files, they unwittingly launch the malware's Ruby-based execution environment and infect that host.
SNAKEDROPPER supports this stage. It disguises a complete Ruby 3.3.0 runtime as a USB speed utility named usbspeed.exe and creates a scheduled task called rubyupdatecheck that runs every five minutes to maintain persistence. The final payload, FOOTWINE, negotiates keys with a custom XOR-based exchange protocol and then provides keylogging, audio and video capture, and full shell access over the resulting encrypted C2 channel.

Security teams and organizations, particularly those responsible for air-gapped environments, should respond to this campaign with the following steps:

- Limit the use of removable media on all endpoints, particularly high-security or air-gapped systems, and enforce the restriction with hardware-level controls wherever possible.
- Audit all newly created scheduled tasks on endpoints and watch for tasks with unusual names such as rubyupdatecheck, as well as tasks that fire on a short repeating interval such as every five minutes.
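As a worked example of that scheduled-task audit, added here and not code from the article or from any vendor it describes, the following Python script triages Task Scheduler definitions (the XML produced by Export-ScheduledTask, or the TaskContent field of Windows Security event 4698) for the traits discussed above: a short repetition interval, a hidden task, a binary launched from a user-writable location, and an updater-style name pointing outside vendor directories. The two task definitions embedded in it are constructed for the example; the %APPDATA% location for usbspeed.exe, the user-writable and vendor-directory patterns, and the updater-name pattern are assumptions, not indicators taken from the report.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler definition (Export-ScheduledTask, 4698 TaskContent).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to (pattern is an assumption); vendor tasks launch
# from Program Files or the Windows directory instead.
USER_WRITABLE = re.compile(
    r"%(appdata|localappdata|temp|tmp|userprofile|public)%"
    r"|\\users\\[^\\]+\\|\\programdata\\|\\temp\\|\\tmp\\", re.I)
VENDOR_DIRS = re.compile(
    r'^"?(%programfiles%|%systemroot%|%windir%|c:\\program files|c:\\windows)', re.I)
# Task names that imitate an updater or health check; rubyupdatecheck fits (pattern assumed).
UPDATER_LIKE = re.compile(r"update|check|sync|health", re.I)
SHORT_INTERVAL = 600  # seconds; the rubyupdatecheck task repeats every five minutes


def iso8601_seconds(value):
    """Convert a Task Scheduler duration (PT5M, PT1H, P1DT2H) to seconds, or None."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyze_task(name, xml_text):
    """Return {'name', 'score', 'findings'} for one task definition; score = number of findings."""
    root = ET.fromstring(xml_text)
    findings = []
    # Short repetition intervals: beaconing-style persistence rather than a daily maintenance job.
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = iso8601_seconds(interval.text)
        if secs is not None and secs <= SHORT_INTERVAL:
            findings.append(f"repeats every {secs}s")
    # Where the action's binary lives, and whether the name is trying to look like a vendor updater.
    for cmd in root.iterfind(".//t:Exec/t:Command", NS):
        command = (cmd.text or "").strip()
        if USER_WRITABLE.search(command):
            findings.append(f"runs from user-writable path: {command}")
        if UPDATER_LIKE.search(name) and not VENDOR_DIRS.match(command):
            findings.append("updater-style name but binary outside vendor directories")
    hidden = root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")
    if root.find(".//t:RegistrationInfo/t:Author", NS) is None:
        findings.append("no Author in RegistrationInfo")
    return {"name": name, "score": len(findings), "findings": findings}


def triage(tasks):
    """tasks: iterable of (task_name, task_xml). Returns analyses, most suspicious first."""
    return sorted((analyze_task(n, x) for n, x in tasks),
                  key=lambda r: r["score"], reverse=True)


# Constructed sample: a task shaped like the one the article describes. The %APPDATA%
# location of usbspeed.exe is an assumption for the example.
SUSPICIOUS_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>%APPDATA%\usbspeed.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample of a benign vendor updater task, for contrast.
BENIGN_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2024-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions>
    <Exec>
      <Command>C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Command>
      <Arguments>/ua /installsource scheduler</Arguments>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_TASKS = [("rubyupdatecheck", SUSPICIOUS_XML),
                ("MicrosoftEdgeUpdateTaskMachineUA", BENIGN_XML)]

if __name__ == "__main__":
    for result in triage(SAMPLE_TASKS):
        print(f"{result['name']}: score {result['score']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

In practice the script is fed the output of `Get-ScheduledTask | Export-ScheduledTask` or the TaskContent field of event 4698 collected by the SIEM; the score is a hunting aid for ordering review, not a verdict, since many legitimate agents also repeat on short intervals, and a name such as rubyupdatecheck only counts against a task when nothing on the endpoint explains it.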