Analysis of malicious HWP cases of 'APT37' group distributed through K messenger

Description

The report details a sophisticated APT attack targeting South Korea, utilizing spear-phishing techniques and malicious HWP files distributed through a popular Korean messenger service. The APT37 group exploited trust-based tactics, using compromised accounts to spread malware through group chats. The malicious files contained OLE objects that executed PowerShell commands and shellcode, ultimately deploying the RoKRAT malware. This file-less attack method allowed for information gathering and potential remote control of infected systems. The attackers used pCloud for data exfiltration and command-and-control communication. The report emphasizes the importance of endpoint detection and response (EDR) systems to combat such evolving threats.