
The operation, tracked as “Ruby Jumper,” introduces a novel malware toolkit designed to breach isolated, air-gapped environments via removable media.
APT37 has long targeted government entities, journalists, and individuals aligned with DPRK interests.
This latest campaign shows a clear evolution in capability, combining cloud-based command-and-control (C2), shellcode loaders, and USB-based propagation to bypass network isolation.
The infection begins with a malicious Windows shortcut (LNK) file. When opened, it silently launches PowerShell and extracts multiple embedded payloads.
These include scripts and encrypted shellcode that ultimately deploy an initial implant known as RESTLEAF.
RESTLEAF communicates with attackers through Zoho WorkDrive, marking the first observed abuse of that platform by APT37. It retrieves additional payloads and executes them in memory using process injection.
The campaign follows a structured infection flow:
LNK file → PowerShell loader → Shellcode injection → RESTLEAF → SNAKEDROPPER → THUMBSBD / VIRUSTASK → FOOTWINE / BLUELIGHT
A key innovation in this campaign is the deployment of a full Ruby runtime environment. The malware component SNAKEDROPPER installs Ruby 3.3.0 in the ProgramData directory and renames the interpreter to “usbspeed.exe” to appear legitimate.
It then overwrites one of Ruby's standard files with malicious code and registers a scheduled task that runs the renamed interpreter, so the payload executes automatically.
All payloads are encrypted with a simple one-byte XOR routine and executed reflectively in memory. This reduces forensic artifacts and complicates detection. A fixed single-byte key gives no protection against analysis, though: there are only 256 candidate keys, and when the plaintext contains long runs of zero bytes (as PE files and much shellcode do) the key is simply the most frequent byte of the ciphertext.
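The following is an added example, not code from Zscaler's report or from the Ruby Jumper toolkit, showing how an analyst recovers a one-byte XOR key from an encrypted payload blob. It assumes only what the article states (a single fixed key byte); the known-prefix list and the sample blob are constructed for illustration and are not taken from the real samples.

```python
"""Recover a single-byte XOR key from an encrypted payload blob.

Added example, not Zscaler's or APT37's code. It assumes nothing about the
real Ruby Jumper samples beyond what the article states: payloads are XORed
with one fixed byte. The sample data below is constructed, not a real sample.
"""
from collections import Counter

# Plaintext fragments that commonly open Windows payloads (assumed list).
KNOWN_PREFIXES = (
    b"MZ",                 # PE header magic
    b"\xfc\x48\x83\xe4",   # common x64 shellcode prologue: cld; and rsp,-16
    b"\xfc\xe8",           # common x86 shellcode prologue: cld; call
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the routine is its own inverse."""
    return bytes(b ^ key for b in data)


def key_from_known_prefix(blob: bytes, prefixes=KNOWN_PREFIXES):
    """Return the key byte that turns the blob's start into a known prefix.

    Tries all 256 keys on the first four bytes only; returns None if no
    candidate produces a known prefix.
    """
    for key in range(256):
        head = xor_bytes(blob[:4], key)
        if any(head.startswith(p) for p in prefixes):
            return key
    return None


def key_from_frequency(blob: bytes) -> int:
    """Guess the key as the most frequent ciphertext byte.

    PE files and many shellcode blobs contain long 0x00 padding runs, and
    0x00 ^ key == key, so the modal ciphertext byte is usually the key.
    """
    return Counter(blob).most_common(1)[0][0]


def decrypt_payload(blob: bytes) -> tuple[int, bytes]:
    """Recover the key (prefix match first, frequency as fallback) and decrypt."""
    key = key_from_known_prefix(blob)
    if key is None:
        key = key_from_frequency(blob)
    return key, xor_bytes(blob, key)


# Constructed sample: a PE-like plaintext encrypted with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
                    + b"This program cannot be run in DOS mode.\r\n")
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = decrypt_payload(SAMPLE_BLOB)
    print(f"key=0x{key:02x} header={plain[:2]!r}")
```

Run the file directly to decrypt the constructed blob, or import it and call `decrypt_payload()` on a carved `viewer.dat`-style blob. The prefix check is the reliable path; the frequency heuristic is the fallback for blobs whose first bytes are not a recognisable header.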
Bridging The Air Gap
Two components, THUMBSBD and VIRUSTASK, enable the compromise of air-gapped systems.
THUMBSBD acts as a backdoor and command relay. It uses removable media as a covert C2 channel, creating a hidden $RECYCLE.BIN folder on each USB drive with the following subdirectories:
| Directory | Purpose |
|---|---|
| CMD | Validated command files |
| MCD | Incoming command staging |
| OCD | Removable media transfer |
| PGI | Downloaded C2 payloads |
| RST | Data for exfiltration |
| UEE | Malware updates |
| WRK | Temporary workspace |
Commands and stolen data are encrypted, carried across on the USB device, and processed when it is plugged into another infected system. This relays C2 traffic into network-segmented environments that have no direct internet access.
VIRUSTASK focuses on propagation. It infects removable drives by hiding the legitimate files and replacing them with malicious shortcuts of the same name. When a victim opens one of these shortcuts, the disguised Ruby interpreter executes embedded shellcode, infecting the new host.
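As an added example (not code from Zscaler's report or from the malware), the following triage script checks a removable drive for the two artifacts just described: the hidden $RECYCLE.BIN mailbox with THUMBSBD's seven subdirectory names, and .lnk files whose full name shadows a sibling file, which is what VIRUSTASK's replace-with-shortcut trick leaves behind. The subdirectory names come from the article; the sample drive layout is constructed, and the `FILE_ATTRIBUTE_HIDDEN` handling is an assumption about how a responder would check the hidden flag on Windows versus other platforms.

```python
"""Triage a removable drive for THUMBSBD / VIRUSTASK style artifacts.

Added example, not from Zscaler's report or the malware itself. Directory
names come from the article; the sample drive layout is constructed.
"""
import os
import tempfile
from pathlib import Path

# THUMBSBD's mailbox subdirectories under the hidden $RECYCLE.BIN folder.
THUMBSBD_DIRS = {"CMD", "MCD", "OCD", "PGI", "RST", "UEE", "WRK"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; absent on POSIX


def is_hidden(path: Path) -> bool:
    """Hidden attribute on Windows; dot-prefix convention elsewhere (assumed)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def find_thumbsbd_mailbox(root: Path) -> list[str]:
    """Return the THUMBSBD subdirectory names present under root/$RECYCLE.BIN.

    A genuine Windows $RECYCLE.BIN holds per-user SID folders (S-1-5-21-...),
    so any of these three-letter names is anomalous.
    """
    bin_dir = root / "$RECYCLE.BIN"
    if not bin_dir.is_dir():
        return []
    return sorted(d.name for d in bin_dir.iterdir()
                  if d.is_dir() and d.name.upper() in THUMBSBD_DIRS)


def find_shadowing_shortcuts(root: Path) -> list[tuple[str, bool]]:
    """Return (lnk path relative to root, sibling_is_hidden) for every .lnk
    whose name minus '.lnk' matches another file in the same directory.

    A user-made shortcut to report.docx is normally named 'report.lnk';
    'report.docx.lnk' beside 'report.docx' is the VIRUSTASK pattern, which
    Explorer renders as a second 'report.docx' once extensions are hidden.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "$RECYCLE.BIN"]
        names = set(filenames)
        for name in filenames:
            if name.lower().endswith(".lnk") and name[:-4] in names:
                sibling = Path(dirpath) / name[:-4]
                rel = str((Path(dirpath) / name).relative_to(root))
                hits.append((rel, is_hidden(sibling)))
    return sorted(hits)


def triage(root) -> dict:
    """Run both checks against a drive root given as str or Path."""
    root = Path(root)
    return {
        "thumbsbd_dirs": find_thumbsbd_mailbox(root),
        "shadowing_lnk": find_shadowing_shortcuts(root),
    }


def build_sample_drive() -> str:
    """Constructed layout mimicking an infected USB stick (not a real sample).

    The original document is left visible here so the example behaves the
    same on every platform; on a real infection it would carry the hidden
    attribute and is_hidden() would report True.
    """
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    for d in sorted(THUMBSBD_DIRS):
        (root / "$RECYCLE.BIN" / d).mkdir(parents=True)
    (root / "report.docx").write_bytes(b"original document")
    (root / "report.docx.lnk").write_bytes(b"L\x00\x00\x00")  # LNK header magic
    (root / "readme.txt").write_text("benign, no shortcut twin")
    return str(root)


if __name__ == "__main__":
    print(triage(build_sample_drive()))
```

Point `triage()` at the mounted drive letter (for example `triage("E:\\")`) when a USB stick from an isolated network is brought in for inspection; an empty result for both keys is the expected outcome on a clean drive.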
Later in the chain, APT37 deploys FOOTWINE, a surveillance backdoor disguised as an Android package file. It supports keylogging, screenshot capture, audio recording, webcam monitoring, file manipulation, and remote shell access.
Communication with its C2 server at 144.172.106.66:8080 is encrypted using a custom XOR-based key exchange protocol.
| Command | Description |
|---|---|
| sm | Interactive shell |
| fm | File operations |
| dm | Screenshots, keystrokes |
| cm | Audio/video capture |
| pm | Process enumeration |
The campaign also delivers BLUELIGHT, a previously documented backdoor that uses legitimate cloud storage providers for C2 operations.
Why It Matters
According to Zscaler, this campaign demonstrates how APT37 continues to refine its tactics.
By combining LNK-based social engineering, in-memory shellcode execution, cloud infrastructure abuse, and USB-driven lateral movement, the group has developed a complete toolkit for infiltrating air-gapped systems.
Indicators of compromise as published (the 32-character values are MD5 digests, not SHA256):
| Indicator | MD5 | Description |
|---|---|---|
| LNK file | 709d70239f1e9441e8e21fcacfdc5d08 | Initial vector |
| viewer.dat | ad556f4eb48e7dba6da14444dcce3170 | Shellcode+RESTLEAF |
| ascii.rb | 4214818d7cde26ebeb4f35bc2fc29ada | Shellcode+THUMBSBD |
| foot.apk | 476bce9b9a387c5f39461d781e7e22b9 | Shellcode+FOOTWINE |
Organizations should monitor for shortcut (LNK) files that spawn PowerShell, Ruby interpreters installed outside their normal locations (particularly under ProgramData), newly created scheduled tasks, and hidden $RECYCLE.BIN directories with unexpected contents on removable media.
Physical access controls and endpoint monitoring are critical defenses against this evolving threat.
The post APT37 Targets Air-Gapped Networks With Novel Malware Strain appeared first on Cyber Security News.
