{
  "name": "Analysis of malicious HWP cases of 'APT37' group distributed through K messenger",
  "slug": "analysis-of-malicious-hwp-cases-of-apt37-group-distributed-through-k-messenger",
  "description": "The report details a sophisticated APT attack targeting South Korea, utilizing spear-phishing techniques and malicious HWP files distributed through a popular Korean messenger service. The APT37 group exploited trust-based tactics, using compromised accounts to spread malware through group chats. The malicious files contained OLE objects that executed PowerShell commands and shellcode, ultimately deploying the RoKRAT malware. This file-less attack method allowed for information gathering and potential remote control of infected systems. The attackers used pCloud for data exfiltration and command-and-control communication. The report emphasizes the importance of endpoint detection and response (EDR) systems to combat such evolving threats.",
  "published": "2025-02-05T15:10:16+00:00",
  "created_at": "2025-02-05T15:10:16+00:00",
  "modified_at": "2025-02-05T20:48:21+00:00",
  "created_at_opencti": "2025-02-05T15:10:16+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-02-05",
    "file-less",
    "hwp",
    "k messenger",
    "ole",
    "pcloud",
    "powershell",
    "rokrat",
    "spear-phishing"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "5909d4bf-f496-4f4d-8ff1-6098ae5190c7",
        "name": "RokRAT",
        "slug": "rokrat"
      }
    ],
    "intrusion_sets": [
      {
        "id": "950aa317-d079-47cd-913e-10433cf55ecc",
        "name": "APT37",
        "slug": "apt37"
      }
    ],
    "attack_patterns": [
      {
        "id": "2ccc4626-0e86-4148-a5a8-2aa270e22dbd",
        "name": "T1588.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ]
  },
  "external_refs": [
    "https://www.genians.co.kr/blog/threat_intelligence/k-messenger",
    "https://otx.alienvault.com/pulse/67a38d686710526e35f1ff4d"
  ]
}