Illustration = ChatGPT

A new malware that infiltrates Korean users' PCs through emails impersonating the Microsoft (MS) security team has been found. Believed to be the work of a North Korea-linked hacking group, the malware can take control of infected systems through more than 30 functions, including logging keystrokes and recording microphone audio.

According to Genians on the 15th, malware named "NarwhalRAT," believed to be the work of the North Korea-linked hacking group APT37, has recently been confirmed to be spreading among users in Korea.

The attack begins with a phishing email claiming that an anomaly was detected in which a one-time password (OTP) for an MS account was repeatedly generated. The sender name appears as "Microsoft account team," but the actual sending domain was confirmed not to be an official MS domain.

The email raises the possibility of account takeover and induces users to check the attached security notice. Extracting the attached compressed file reveals a malicious shortcut (.lnk) file disguised as a Hangul document; running it opens a legitimate security notice while installing the malware at the same time.

Genians named it "NarwhalRAT" after the folder named "naverwhale" that the malware creates on the PC after installation, rearranging the folder name's letters to form "Narwhal."

Genians explained that the "naverwhale" folder is interpreted as an attempt to masquerade as Naver Whale, a browser widely used in Korea, suggesting that Korean users are the primary target.

The malware's code also includes logic that singles out KakaoTalk-related windows as targets for information collection and filters out auxiliary windows to improve the accuracy of the collected data, which Genians analyzes as evidence that the malware was developed with the Korean user environment in mind.

NarwhalRAT can selectively perform more than 30 functions on the attacker's remote command, including logging keystrokes, capturing screens, recording microphone audio, collecting files from USB storage devices, and executing remote commands. It can determine in real time, through screens and key inputs, which programs are being used on the victim's PC and which services are being accessed.

Collected data is not transmitted externally immediately but is temporarily stored in the working directory and then sent in batches. This is interpreted as a way to evade real-time network detection.

Genians analyzed that this attack closely resembles, in structure and methods, a Python-based backdoor attack by the North Korea-linked hacking group APT37 disclosed in May of last year. The final saver (last-saved-by) name of the lure document used in the spearphishing was the same, "Lailey," and many other aspects matched, including the structure of the malicious shortcut file, the batch file obfuscation method, and persistence via the task scheduler.

Genians said, "Because it could continue to be used in similar variants going forward, behavior-based detection systems should be strengthened along with file-based detection."
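As an added illustration of the behavior-based detection Genians recommends (this is example code written for this page, not code from Genians or from the article), the toy correlation below scores constructed endpoint events against three stages of the chain described above: a shortcut posing as a Hangul document (the double-extension file name is an assumption), creation of a folder named "naverwhale," and task-scheduler persistence pointing into a user-writable path. Hostnames, paths and the task name are constructed samples.

```python
"""Toy multi-stage correlation for the NarwhalRAT chain; all events are CONSTRUCTED."""
import re
from collections import defaultdict

# Constructed, simplified endpoint events. The "naverwhale" folder and the
# task-scheduler persistence come from the article; file names, paths and the
# task name are assumptions made for this example.
SAMPLE_EVENTS = [
    {"host": "PC-A", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\kim\Downloads\security_notice\Security_Notice.hwp.lnk"'},
    {"host": "PC-A", "type": "dir_create", "path": r"C:\Users\kim\AppData\Local\naverwhale"},
    {"host": "PC-A", "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Update" /tr "C:\Users\kim\AppData\Local\naverwhale\run.bat" /sc minute'},
    # Benign host: the real browser lives under "Naver\Naver Whale", not "naverwhale".
    {"host": "PC-B", "type": "process", "image": r"C:\Program Files\Naver\Naver Whale\whale.exe",
     "cmdline": "whale.exe"},
    {"host": "PC-B", "type": "dir_create", "path": r"C:\Users\lee\AppData\Local\Naver\Naver Whale\User Data"},
]

# A document extension immediately followed by .lnk (assumed lookalike naming).
DOC_LNK = re.compile(r"\.(hwpx?|docx?|pdf)\.lnk\b", re.IGNORECASE)
# Any path under a user profile, i.e. a location a phished user can write to.
USER_WRITABLE = re.compile(r"[A-Za-z]:\\Users\\[^\\\"']+\\", re.IGNORECASE)


def check_event(ev):
    """Return the names of the rules a single event trips (empty if none)."""
    hits = []
    if ev["type"] == "process":
        cmd = ev.get("cmdline", "")
        if DOC_LNK.search(cmd):
            hits.append("document-lookalike-lnk")
        if ev["image"].lower().endswith("schtasks.exe") and "/create" in cmd.lower() \
                and USER_WRITABLE.search(cmd):
            hits.append("schtasks-persistence-user-path")
    elif ev["type"] == "dir_create":
        if ev["path"].rstrip("\\").lower().endswith("\\naverwhale"):
            hits.append("naverwhale-folder")
    return hits


def correlate(events, min_rules=2):
    """Flag a host only when several distinct stages are seen together, so a
    lone hit (one odd folder name, one scheduled task) does not alert by itself."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(check_event(ev))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # only PC-A is flagged
```

Raising `min_rules` trades missed early-stage activity for fewer false positives; the folder-name rule alone is weak evidence and is meant to be combined, not used on its own.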

※ This article has been translated by AI.