Full Report
North Korean hackers are deploying newly uncovered tools to move data between internet-connected and air-gapped systems, spread via removable drives, and conduct covert surveillance. [...]
Analysis Summary
# Threat Actor: APT37 (Ruby Jumper Campaign)
## Attribution & Identity
North Korean state-backed threat group.
**Known Aliases:** ScarCruft, Ricochet Chollima, InkySquid.
## Activity Summary
The analyzed campaign is named **Ruby Jumper**. This recent activity involves deploying a new toolkit to breach air-gapped networks. The actor uses removable drives as a physical relay for data exfiltration and command delivery between internet-connected and physically isolated systems, alongside conducting covert surveillance. The decoy document observed suggests an interest in North Korean media narratives, aligning with historical victim profiles for this group.
## Tactics, Techniques & Procedures
- **Initial Access:** Infection chain starts via opening a malicious Windows shortcut file (.LNK).
- **Payload Delivery:** The LNK file deploys a PowerShell script to extract embedded payloads and launches a decoy document (Arabic translation of a North Korean newspaper article about the Palestine-Israel conflict).
- **Malware Staging/Persistence:**
  - RESTLEAF (implant) communicates with its C2 via Zoho WorkDrive to fetch encrypted shellcode.
  - SNAKEDROPPER (Ruby-based loader) is downloaded and installs the Ruby 3.3.0 runtime environment disguised as _usbspeed.exe_.
  - Persistence is established via a scheduled task (`_rubyupdatecheck_`) that runs every five minutes; the RubyGems defaults file (`operating_system.rb`) is modified so that the malicious code is executed whenever the interpreter starts.
- **Air-Gap Bridging:** THUMBSBD creates hidden directories on detected USB drives and copies files to them, turning removable media into a "bidirectional covert C2 relay" to bridge air-gapped segments.
- **Lateral Movement (Air-Gapped):** VIRUSTASK weaponizes removable drives by hiding legitimate files and replacing them with malicious shortcuts that execute the Ruby interpreter when opened (only if the removable media has $\geq 2$ GB free space).
- **Surveillance/Data Collection:** THUMBSBD collects system information and stages command files.
- **Specific Malware Functions:** FOOTWINE (spyware backdoor) supports keylogging, screenshot capture, audio/video recording, file manipulation, registry access, and remote shell commands.
## Targeting
- **Sectors:** Critical infrastructure, military, and research sectors (implied by focus on air-gapped environments).
- **Geography:** Not specified, but the decoy document mentioned the Palestine-Israel conflict.
- **Victims:** No specific victims were named in the report.
## Tools & Infrastructure
- **Malware Families:**
  - **RESTLEAF:** Implant utilizing Zoho WorkDrive for C2 communication.
  - **SNAKEDROPPER:** Ruby-based loader.
  - **THUMBSBD:** Backdoor responsible for USB manipulation and staging.
  - **VIRUSTASK:** Malware module for spreading infection onto air-gapped systems via removable media.
  - **FOOTWINE:** Windows spyware backdoor (disguised as an APK).
  - **BLUELIGHT:** Previously associated full-fledged backdoor observed in this toolkit.
- **Infrastructure:** C2 communication utilizing Zoho WorkDrive. (The text gives no explicit URLs or IP addresses.)
## Implications
APT37 is actively developing and deploying sophisticated malware (RESTLEAF, SNAKEDROPPER, etc.) specifically designed to circumvent physical security controls by utilizing removable storage devices. This technique directly targets highly sensitive, air-gapped environments, posing a significant threat to entities handling classified or proprietary information in sectors like defense and critical infrastructure. The use of a native runtime environment (Ruby) adds a layer of obfuscation.
## Mitigations
- Strict policies and monitoring regarding the use of removable media in air-gapped environments.
- Comprehensive antivirus/EDR scanning and behavioral monitoring of all removable media before connection to air-gapped systems.
- Monitoring for unusual process execution, especially PowerShell scripts launched from shortcuts, or the installation/execution of non-standard runtimes (like Ruby) on secured systems.
- Detection of scheduled tasks establishing persistence related to system utilities, such as `_rubyupdatecheck_`.
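A host hunt covering the last three mitigations (scheduled-task persistence, a Ruby runtime under a masquerading name, and removable media prepared as a relay), added here as an example and not part of the original report. The task name `rubyupdatecheck`, the file name `usbspeed.exe` and the five-minute interval (`PT5M` in Task Scheduler's ISO 8601 form) are taken from the summary above; the function name and everything else is illustrative.

```powershell
# Added hunt script (not from the report). Run as an administrator on a Windows host.
function Find-RubyJumperArtifacts {
    $findings = @()

    # 1. Scheduled tasks: the reported task name, a Ruby interpreter or the masquerading
    #    file name as the action, and whether the trigger repeats every five minutes.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            $everyFiveMin = [bool]($task.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT5M' })
            $nameHit = $task.TaskName -match 'rubyupdatecheck'
            $cmdHit  = $cmd -match '(?i)(^|\\)rubyw?\.exe\b|usbspeed\.exe'
            if ($nameHit -or $cmdHit) {
                $findings += [pscustomobject]@{
                    Check  = 'ScheduledTask'
                    Item   = "$($task.TaskPath)$($task.TaskName)"
                    Detail = "$cmd; every5min=$everyFiveMin"
                }
            }
        }
    }

    # 2. RubyGems defaults file: any operating_system.rb under rubygems\defaults is loaded
    #    when the interpreter starts, so inventory every copy with a hash for comparison
    #    against a known-good baseline instead of trusting its path or timestamp.
    foreach ($root in (Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })) {
        Get-ChildItem -Path $root -Filter operating_system.rb -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -match '\\rubygems\\defaults\\' } |
            ForEach-Object {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                $findings += [pscustomobject]@{
                    Check  = 'RubyGemsDefaults'
                    Item   = $_.FullName
                    Detail = "sha256=$hash; modified=$($_.LastWriteTime.ToString('s'))"
                }
            }
    }

    # 3. Removable drives (DriveType 2): hidden directories and .lnk files at the root match
    #    the staging and shortcut-replacement behaviour described for THUMBSBD and VIRUSTASK.
    foreach ($vol in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
        $rootPath = "$($vol.DeviceID)\"
        $hidden = @(Get-ChildItem -Path $rootPath -Directory -Hidden -ErrorAction SilentlyContinue)
        $lnks   = @(Get-ChildItem -Path $rootPath -Filter *.lnk -File -ErrorAction SilentlyContinue)
        if ($hidden.Count -or $lnks.Count) {
            $findings += [pscustomobject]@{
                Check  = 'RemovableMedia'
                Item   = $rootPath
                Detail = "hiddenDirs=$($hidden.Name -join ','); shortcuts=$($lnks.Name -join ',')"
            }
        }
    }
    return $findings
}

Find-RubyJumperArtifacts | Format-Table -AutoSize -Wrap
```

Hits in the first two checks need triage against the host's software inventory, since legitimate Ruby installs also ship an `operating_system.rb`; the value of the hash is in comparing it across hosts and against a clean install.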