
Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story)

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

APT37, a North Korean state-sponsored hacking group, launched a spear phishing campaign targeting activists focused on North Korea. The attack involved emails with Dropbox links to malicious LNK files, which, when executed, activated additional malware. The group used legitimate cloud services as Command and Control servers, a tactic known as 'Living off Trusted Sites.' The malware, identified as RoKRAT, collected system information, captured screenshots, and exfiltrated data to cloud-based C2 servers. The campaign, named 'Operation: ToyBox Story,' employed sophisticated techniques, including fileless attacks and multiple encryption layers, to evade detection. The threat actors impersonated academic events and used decoy documents to lure targets, highlighting the need for advanced endpoint detection and response solutions.

OPENCTI LABELS:

north korea, spear phishing, lnk files, rokrat, south korea, cve-2022-41128, national security, cloud c2, fileless attacks

