[Figure: Attack Flow. Image: Genians Security Center]
Genians Security Center recently confirmed the continued distribution of compiled Python-based malware. This threat targets Korean users heavily. Specifically, the notorious North Korean group APT37 spearheads this malicious campaign. Attackers use sophisticated spear-phishing techniques to infiltrate systems. They disguise their emails as Microsoft account security advisories. Consequently, victims unknowingly download the APT37 NarwhalRAT malware. This Python backdoor then executes directly in the system’s memory. Thus, it evades traditional security defenses effectively.
The MS-Themed Phishing Strategy
The attack begins with a deceptive email. The email body states that abnormal activity involving repeated generation of one-time passwords had recently been detected in the recipient’s MS account. Attackers describe this issue as a serious security threat. They claim someone is attempting a malicious login. Notably, the sender domain appears completely unrelated to Microsoft’s official domains. However, the display name reads “Microsoft Account Team” to trick users.
Therefore, this structure is a social engineering technique designed to make the recipient mistake the email for a legitimate security alert. The message urges users to download an attached advisory. Unfortunately, this attachment is a malicious ZIP archive. Inside, a disguised LNK shortcut file waits for execution. When users click this file, they trigger a complex infection chain.
Multi-Stage Infection and Obfuscation
The initial LNK file uses several evasion tricks. It obfuscates its internal command lines by manipulating environment variables. Next, it bypasses the standard PowerShell execution policy. The script then abuses legitimate Windows binaries. For example, it copies the built-in curl utility to download additional payloads. This tactic minimizes detection during the initial access phase.
Subsequently, the script drops a fake document to distract the user. Simultaneously, a hidden batch file runs in the background. This batch file downloads a legitimate embedded Python package. The attackers use official distribution servers to hide their malicious traffic. Finally, the script installs the actual payload. The malware renames the Python executable to “userscreen.exe” to avoid suspicion.
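As an added example (not code from the Genians report), the following Python detection pass links the traces this chain leaves in Sysmon-style process-creation events: PowerShell launched with an execution-policy bypass beneath an explorer-spawned process (the LNK double-click), a copy of the built-in curl.exe, and an interpreter whose PE OriginalFileName is python.exe but whose on-disk name is not. The event records, field names and paths are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1-style records (made up for this example,
# not indicators taken from the report). "orig" mirrors OriginalFileName.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe", "orig": "EXPLORER.EXE"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\u\Downloads\advisory.lnk"', "orig": "Cmd.Exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -ep bypass -w hidden -c %x%", "orig": "PowerShell.EXE"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c copy C:\Windows\System32\curl.exe %TEMP%\c.exe", "orig": "Cmd.Exe"},
    {"pid": 500, "ppid": 300, "image": r"C:\Users\u\AppData\Local\userscreen.exe",
     "cmd": "userscreen.exe AccountConfig.cat", "orig": "python.exe"},
    {"pid": 600, "ppid": 1,   "image": r"C:\Program Files\Python312\python.exe",
     "cmd": "python.exe script.py", "orig": "python.exe"},  # benign, not renamed
]

EP_BYPASS = re.compile(r"-(?:ep|exec(?:utionpolicy)?)\s+bypass", re.I)
CURL_COPY = re.compile(r"\b(?:copy|xcopy|copy-item)\b.*\bcurl\.exe\b", re.I)

def indicators(ev):
    """Return the set of chain indicators a single event exhibits."""
    hits, cmd, image = set(), ev["cmd"], ev["image"].lower()
    if image.endswith("powershell.exe") and EP_BYPASS.search(cmd):
        hits.add("powershell_ep_bypass")
    if CURL_COPY.search(cmd):
        hits.add("curl_copied")
    # Renamed interpreter: PE metadata says python.exe, on-disk name does not.
    base = image.rsplit("\\", 1)[-1]
    if ev["orig"].lower() == "python.exe" and not base.startswith("python"):
        hits.add("renamed_python")
    return hits

def detect_chains(events, min_hits=2):
    """Group indicators by the process explorer.exe spawned (the LNK launch)
    and report every such tree showing at least min_hits distinct indicators."""
    by_pid = {e["pid"]: e for e in events}
    def root(ev):
        # Climb until the parent is explorer.exe or the parent is unknown.
        while ev["ppid"] in by_pid and not by_pid[ev["ppid"]]["image"].lower().endswith("explorer.exe"):
            ev = by_pid[ev["ppid"]]
        return ev["pid"]
    trees = defaultdict(set)
    for e in events:
        for h in indicators(e):
            trees[root(e)].add(h)
    return {r: sorted(h) for r, h in trees.items() if len(h) >= min_hits}
```

Requiring two or more indicators in one tree keeps a lone `-ep bypass` from an admin script, or a stand-alone copy of curl.exe, from firing on its own.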
Deploying the Python Backdoor
The core component is an advanced backdoor. It arrives as a Python bytecode file initially. Later, a much larger “AccountConfig.cat” file appears on the system. Decompilation of the file confirmed that it contains Python-based logic that leads to subsequent malicious activities. The malware uses AES-128 encryption to secure its configuration. Furthermore, it directly calls Windows functions using Python’s ctypes module.
This technique allocates executable memory dynamically. The script copies the decrypted payload directly into this new memory space. As a result, the malware runs without creating a suspicious file on the disk. This fileless execution method effectively bypasses many antivirus solutions. Also, the malware establishes persistence through the Windows Task Scheduler. It mimics a legitimate Microsoft user interface task.
Dead-Drop C2 and Information Stealing
The APT37 NarwhalRAT malware implements a robust control system. The actor operated a dual C2 structure that used a Korean relay server and the pCloud API as a dead-drop resolver. Essentially, the malware connects to a compromised website first. It retrieves a token from this initial relay. Then, it uses this token to communicate with pCloud. This approach blends malicious traffic with regular cloud service usage. Therefore, it makes detection and blocking more difficult for network defenders.
The malware also collects vast amounts of sensitive data. It performs various information-stealing activities, including keylogging, screen capture, USB data collection, and remote command execution. The backdoor saves this stolen data in a hidden directory. It names this directory “naverwhale” to blend in smoothly. Eventually, the malware uploads this data to the threat actor’s server.
Evading Virtual Environments
Before executing its main payload, the malware checks its surroundings. It performs an Anti-VM function designed to detect virtual environments. If the malware detects a virtual machine, it terminates immediately. This feature prevents automated sandbox analysis from observing its true behavior.
Moreover, the backdoor filters the window information it collects. It actively ignores system background processes and specific messaging windows. This filtering reduces unnecessary noise in the exfiltrated data. Consequently, attackers can focus on valuable information effortlessly. These advanced capabilities demonstrate the sophisticated nature of this espionage tool.
Strengthening Defense Mechanisms
Organizations must stay vigilant against these sophisticated attacks. Threat actors continuously evolve their social engineering tactics. Furthermore, they increasingly adopt fileless execution methods and multi-stage loaders. EDR policies need to be strengthened to detect chained abuse of LNK files and PowerShell. Security teams should actively monitor for abnormal memory allocations.
In addition, analyzing network traffic for unusual API calls is crucial. To learn more about this threat, you can review the detailed Genians Security Center report for comprehensive indicators of compromise. Security professionals must leverage threat intelligence constantly. Ultimately, proactive monitoring and robust endpoint protection are essential to thwarting the APT37 NarwhalRAT malware.