NarwhalRAT: a new sophisticated APT37 attack against South Korea

The NarwhalRAT malware, attributed to the APT37 threat actor, has been used in a sophisticated cyberattack aimed primarily at users in South Korea. The campaign relied on targeted phishing: emails disguised as messages from the Microsoft account team delivered malicious LNK (Windows shortcut) files that tricked recipients into launching the payload.

How the infection chain worked

According to the report, the attack was built around a multi-stage infection chain designed to evade standard security tools. Once the victim opened the LNK file, it launched a sequence of PowerShell and Batch commands that staged the malware covertly and reduced the likelihood of detection.

  • initial access via targeted phishing emails;
  • execution of malicious LNK files;
  • multi-stage deployment using PowerShell and Batch;
  • attempts to bypass traditional security controls.
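Because the lure in this campaign is a shortcut file, the first thing a responder wants is a way to triage LNK attachments without double-clicking them. The following is an added example, not code from the report or from the malware: a minimal parser for the public Shell Link (MS-SHLLINK) header and StringData section, plus a heuristic that flags the two traits a script-launching LNK lure usually has (a hidden window and cmd/powershell arguments). The sample shortcuts are constructed in the block; the non-Unicode code page (cp1252) and the token list are assumptions.

```python
"""Triage Windows .lnk files: parse the MS-SHLLINK header and StringData, then flag
shortcuts that launch a script host with a hidden window. Added example; the sample
shortcuts below are constructed, not taken from the NarwhalRAT campaign."""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # window starts minimized and never takes focus: the user sees nothing

STRING_FIELDS = (  # StringData entries appear in this fixed order when their flag bit is set
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and whichever StringData entries the flags announce."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_cmd = struct.unpack_from("<I", data, 0x3C)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (u16) does not count itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize (u32) counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_cmd}
    is_unicode = bool(flags & IS_UNICODE)
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        pos += 2
        nbytes = count * 2 if is_unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        # Assumption: ANSI shortcuts use the Western code page; real files use the system ACP.
        info[field] = raw.decode("utf-16-le" if is_unicode else "cp1252")
    return info

# Assumed token list for script-host launches; tune it to the environment.
SUSPICIOUS_ARG_TOKENS = ("powershell", "-enc", "-w hidden", "-windowstyle hidden",
                         "-ep bypass", "-executionpolicy bypass", "cmd", "/c ", "mshta", "wscript")

def triage_lnk(data: bytes) -> list:
    """Return reasons a shortcut deserves a closer look; an empty list means nothing was seen."""
    info = parse_lnk(data)
    reasons = []
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (window hidden from the user)")
    launch = " ".join(info.get(k, "") for k in ("relative_path", "arguments")).lower()
    hits = [t for t in SUSPICIOUS_ARG_TOKENS if t in launch]
    if hits:
        reasons.append("script-host launch tokens: " + ", ".join(hits))
    if len(info.get("arguments", "")) > 200:
        reasons.append("unusually long command-line arguments (%d chars)" % len(info["arguments"]))
    return reasons

def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Construct a minimal Unicode .lnk (no IDList, no LinkInfo) so the parser can be exercised offline."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le
    header += struct.pack("<II", flags, 0x20)  # LinkFlags, FileAttributes (FILE_ATTRIBUTE_ARCHIVE)
    header += b"\x00" * 24                       # CreationTime, AccessTime, WriteTime
    # FileSize, IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)
    assert len(header) == 0x4C
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body

# Constructed lure: relative path walks up to cmd.exe, which chains into a hidden, encoded PowerShell.
MALICIOUS_SAMPLE = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                             "/c powershell -w hidden -ep bypass -enc " + "A" * 240,
                             show_command=SW_SHOWMINNOACTIVE)
# Constructed benign shortcut to a document, normal window.
BENIGN_SAMPLE = build_lnk(r"..\Documents\report.docx", "")
```

The parser deliberately stops at StringData; the optional ExtraData blocks that follow (which can carry the real target and environment paths) are worth reading in a full triage tool, but the header and arguments alone already separate a document shortcut from a script launcher.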

Dual C2 infrastructure and concealment tactics

One of NarwhalRAT's notable features is its dual command-and-control (C2) structure. The malware used both a relay server in Korea and the pCloud API as a dead-drop resolver, that is, a legitimate service from which the implant fetches the current C2 address, to obscure its true infrastructure and complicate attribution and takedown efforts.

The malware also relied on a dynamically configurable C2 system: encrypted settings stored in a configuration file allowed the operators to change communication parameters without redeploying the implant. That file carried a .cat extension, imitating the Windows security catalog files that legitimately use it, to improve stealth and persistence.
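A genuine Windows security catalog is a DER-encoded PKCS#7 SignedData ContentInfo, so a file that carries the .cat extension but has no such structure is worth pulling. The block below is an added hunting check, not code from the report: it reads the outer DER elements and verifies the signedData OID, then lists .cat files that fail. The inputs are constructed stand-ins (a correctly shaped but dummy catalog, and an unstructured blob standing in for an encrypted configuration); the file paths are hypothetical.

```python
"""Find files that wear a .cat extension but are not PKCS#7 security catalogs.
Added example with constructed inputs; the only format assumption is the public
PKCS#7 ContentInfo layout: SEQUENCE { OID signedData, [0] EXPLICIT SignedData }."""

PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")  # OID 1.2.840.113549.1.7.2

def read_der_tlv(data: bytes, pos: int):
    """Return (tag, length, body_start) for the DER element at pos; raise on malformed input."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV")
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:                       # short form: one length byte
        return tag, first, pos + 2
    nbytes = first & 0x7F                  # long form: number of length bytes follows
    if nbytes == 0 or nbytes > 4 or pos + 2 + nbytes > len(data):
        raise ValueError("bad DER length encoding")
    if nbytes > 1 and data[pos + 2] == 0:  # DER requires minimal length encoding
        raise ValueError("non-minimal DER length")
    length = int.from_bytes(data[pos + 2:pos + 2 + nbytes], "big")
    return tag, length, pos + 2 + nbytes

def looks_like_catalog(data: bytes) -> bool:
    """True if data has the outer shape of a PKCS#7 SignedData ContentInfo spanning the whole file."""
    try:
        tag, length, body = read_der_tlv(data, 0)
        if tag != 0x30 or body + length != len(data):       # outer SEQUENCE must cover the file exactly
            return False
        _, oid_len, oid_body = read_der_tlv(data, body)
        if data[body:oid_body + oid_len] != PKCS7_SIGNED_DATA_OID:
            return False
        ctx_tag, ctx_len, ctx_body = read_der_tlv(data, oid_body + oid_len)
        return ctx_tag == 0xA0 and ctx_body + ctx_len == len(data)  # [0] EXPLICIT fills the rest
    except ValueError:
        return False

def triage_cat_files(files: dict) -> list:
    """files maps path -> bytes; return the .cat paths whose content is not a catalog."""
    return sorted(p for p, blob in files.items()
                  if p.lower().endswith(".cat") and not looks_like_catalog(blob))

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to construct the sample inputs)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

# Constructed stand-in for a real catalog: correct ContentInfo shape, dummy SignedData body.
FAKE_SIGNED_DATA = der(0x30, b"\x02\x01\x01" + b"\x00" * 200)   # version INTEGER plus filler
GOOD_CAT = der(0x30, PKCS7_SIGNED_DATA_OID + der(0xA0, FAKE_SIGNED_DATA))
# Constructed stand-in for an encrypted RAT configuration saved as .cat: no DER structure at all.
BOGUS_CAT = bytes(range(256)) * 3

SAMPLE_FILES = {  # hypothetical paths
    r"C:\Windows\System32\CatRoot\example.cat": GOOD_CAT,
    r"C:\Users\user\AppData\Local\Temp\settings.cat": BOGUS_CAT,
    r"C:\Users\user\notes.txt": BOGUS_CAT,
}
```

The structural check is cheap and does not need the Windows crypto API, which makes it usable on collected disk images; a positive hit should then be confirmed with a proper signature check, since a well-formed but unsigned or foreign PKCS#7 blob would pass this shape test.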

Capabilities of NarwhalRAT

The report indicates that NarwhalRAT was built to collect a broad range of sensitive data and support remote control of infected systems. Its functionality included:

  • keylogging;
  • screenshot capture;
  • data collection from USB devices;
  • remote command execution;
  • local file storage;
  • in-memory execution without traditional file-based traces.

This approach let the malware manipulate the system while leaving few of the on-disk artifacts typically associated with malware activity.

Direct interaction with Windows APIs

Another technically notable element was the use of Python's ctypes library to call Windows APIs directly. This enabled operations such as memory allocation and process manipulation without relying on standard file-based execution paths.

In particular, NarwhalRAT allocated memory as RWX (read-write-execute, the PAGE_EXECUTE_READWRITE protection), so that code could be written into a buffer and run in place. The technique is commonly associated with advanced malware that aims to evade tools focused primarily on file activity.
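The defensive counterpart to that allocation pattern is to walk a process's address space and single out committed private regions that are both writable and executable. The block below is an added example, not the report's or the malware's code: the classification logic is platform-neutral and is exercised on a constructed region snapshot, while the live walk uses the documented Win32 VirtualQueryEx call and only runs on Windows. The thresholds and the decision to ignore image-backed RWX sections are assumptions.

```python
"""Flag committed, private PAGE_EXECUTE_READWRITE regions, the footprint that
VirtualAlloc(..., PAGE_EXECUTE_READWRITE) followed by in-place execution leaves.
Added example: the sample snapshot is constructed, not captured from a real host."""
import ctypes
import sys
from dataclasses import dataclass

MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_FREE = 0x10000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010

@dataclass(frozen=True)
class Region:
    base: int
    size: int
    state: int
    protect: int
    type: int

def is_suspicious_rwx(r: Region) -> bool:
    """Committed private pages that are writable and executable at the same time.
    Assumption: image-backed RWX sections (MEM_IMAGE) are left to module-name triage,
    since some packers and legitimate DLLs ship them; guard pages are never executed."""
    if r.state != MEM_COMMIT or r.type != MEM_PRIVATE or r.protect & PAGE_GUARD:
        return False
    return (r.protect & 0xFF) in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)

def find_rwx(regions) -> list:
    """Return the regions that trip is_suspicious_rwx, in address order."""
    return sorted((r for r in regions if is_suspicious_rwx(r)), key=lambda r: r.base)

if sys.platform == "win32":
    class MEMORY_BASIC_INFORMATION(ctypes.Structure):
        # Natural alignment reproduces the 64-bit layout (PartitionId sits in the padding).
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", ctypes.c_ulong), ("RegionSize", ctypes.c_size_t),
                    ("State", ctypes.c_ulong), ("Protect", ctypes.c_ulong), ("Type", ctypes.c_ulong)]

    def walk_process(pid: int):
        """Yield a Region for every non-free region of a live process (Windows only)."""
        k32 = ctypes.windll.kernel32
        k32.OpenProcess.restype = ctypes.c_void_p
        k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                       ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
        k32.VirtualQueryEx.restype = ctypes.c_size_t
        handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
        if not handle:
            raise ctypes.WinError()
        mbi = MEMORY_BASIC_INFORMATION()
        addr = 0
        try:
            while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
                base = mbi.BaseAddress or 0
                if mbi.State != MEM_FREE:
                    yield Region(base, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type)
                addr = base + mbi.RegionSize     # VirtualQueryEx returns 0 past the user range
        finally:
            k32.CloseHandle(handle)

# Constructed snapshot (not from a real system): ordinary image, heap and stack regions
# alongside one private RWX allocation of the kind an in-memory loader leaves behind.
SAMPLE_REGIONS = [
    Region(0x7FF6A0000000, 0x1000, MEM_COMMIT, PAGE_READONLY, MEM_IMAGE),            # PE header
    Region(0x7FF6A0001000, 0x80000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),       # .text
    Region(0x1E000000000, 0x100000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),        # heap
    Region(0xA800000000, 0x1000, MEM_COMMIT, PAGE_READWRITE | PAGE_GUARD, MEM_PRIVATE),  # stack guard
    Region(0x1E010000000, 0x2000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),  # shellcode stub
    Region(0x1E020000000, 0x10000, MEM_RESERVE, 0, MEM_PRIVATE),                     # reserved, no pages
]
```

Treat a hit as a triage signal rather than a verdict: JIT runtimes such as the .NET CLR and browser engines also create private RWX pages, so the region's contents (a PE header, a known stub, or the calling module) decide whether it is hostile.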

Links to APT37 activity

The report draws clear parallels between NarwhalRAT and previously documented APT37 incidents. Similarities were noted in:

  • the use of targeted phishing;
  • the malware component structure;
  • persistence techniques;
  • command execution methods.

In essence, NarwhalRAT appears to represent an evolution of APT37’s existing capabilities, with more advanced methods for initial access, detection evasion, and targeted information theft tailored to a specific user demographic.

What organizations should do

Given the sophistication of the campaign, the report recommends that organizations strengthen their defensive posture by improving endpoint detection and response (EDR) strategies. Security teams should focus not only on traditional indicators of compromise, but also on behavioral patterns that reveal multi-layered attack chains.

Effective defense requires attention to the behavior of the attack chain, not just to isolated technical indicators.

For organizations with users in South Korea or those exposed to similar phishing campaigns, the findings underline the need for layered detection, careful email filtering, and continuous monitoring for suspicious script execution and memory-based malware activity.
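The infection chain described earlier (LNK opened from the desktop shell, cmd.exe, then a hidden PowerShell) and the recommendation to detect behavior rather than isolated indicators point to the same control: correlate process-creation telemetry into parent chains before deciding to alert. The block below is an added example, not detection logic from the report: it rebuilds ancestry from constructed process events and alerts only when a hidden or encoded PowerShell descends from explorer.exe through nothing but script hosts, so an administrator's interactive console or a scheduled script does not fire. The event fields, flag list and script-host set are assumptions.

```python
"""Correlate process-creation events into ancestry chains and flag the
explorer.exe -> cmd.exe -> powershell.exe pattern a double-clicked LNK lure produces.
Added example on constructed telemetry, not data from the NarwhalRAT campaign."""
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed launch options that hide or obfuscate an interactive host; "-nop" is left out on
# purpose because it would also match the benign "-NoProfile".
HIDE_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc ", "-encodedcommand",
              "-ep bypass", "-executionpolicy bypass")

def ancestry(index: dict, pid: int, limit: int = 8) -> list:
    """Return the event chain from pid up to the root (child first), bounded to avoid ppid cycles."""
    chain = []
    while pid in index and len(chain) < limit:
        event = index[pid]
        chain.append(event)
        pid = event.ppid
    return chain

def detect_lnk_style_chains(events) -> list:
    """Alert on PowerShell starts with hiding flags whose ancestry reaches explorer.exe
    through script hosts only; return one dict per alert."""
    index = {e.pid: e for e in events}
    alerts = []
    for event in events:
        if event.image.lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        cmd = event.cmdline.lower()
        flags = [f for f in HIDE_FLAGS if f in cmd]
        if not flags:                        # an interactive console is not interesting by itself
            continue
        images = [e.image.lower() for e in ancestry(index, event.pid)]
        if "explorer.exe" not in images:     # scheduled tasks and services descend from svchost
            continue
        shell_at = images.index("explorer.exe")
        if all(img in SCRIPT_HOSTS for img in images[1:shell_at]):
            alerts.append({"pid": event.pid, "flags": flags,
                           "chain": " -> ".join(reversed(images[:shell_at + 1]))})
    return alerts

# Constructed events: one LNK-style chain, one scheduled script, one interactive console.
SAMPLE_EVENTS = [
    Event(1, 0, "wininit.exe", "wininit.exe"),
    Event(4, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    Event(7, 1, "svchost.exe", "svchost.exe -k netsvcs -p -s Schedule"),
    Event(100, 4, "cmd.exe", "cmd.exe /c powershell -w hidden -ep bypass -enc QQBBAEEAQQA="),
    Event(101, 100, "powershell.exe", "powershell -w hidden -ep bypass -enc QQBBAEEAQQA="),
    Event(200, 7, "powershell.exe", "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"),
    Event(300, 4, "powershell.exe", "powershell.exe"),
]
```

In a real pipeline the same rule runs over Sysmon event ID 1 or EDR process-start records; the point the recommendation makes survives intact, namely that the alert is keyed on the shape of the chain, so renaming the payload or rotating the C2 address does not defeat it.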

The report was obtained from the CTT Report Hub service. Rights to the report belong to its owner.

The full report can be read at the link.

Author: Технологии киберугроз
Технологии киберугроз is a technology company specializing in threat-intelligence solutions for enterprises of any size. We collect, normalize and enrich cyber-threat information from around the world. Our sources are more than 260 open feeds, more than 100 open providers of Threat Intelligence reports, open online sandboxes, social networks and GitHub repositories. We also provide services for the semantic analysis of Threat Intelligence reports and their conversion to the machine-readable STIX 2.1 format, for checking IoCs for potential false positives, and for retrieving WHOIS records for domain names.