Overview of the Attack Flow | Image: Genians Security Center
A notorious threat group is auditioning victims for a new cyber-espionage campaign, masquerading as television production staff to slip malware past defenses. A new report from Genians Security Center details the discovery of the “Artemis” campaign, an operation orchestrated by the APT37 group (also known as Reaper or Ricochet Chollima) that leverages the allure of media fame to compromise systems.
The group, widely believed to be state-sponsored by North Korea, has refined its social engineering tactics. Instead of generic phishing emails, they are now engaging in high-touch, targeted interactions.
The attack begins with a deceptive email. The threat actor impersonates a writer for a Korean TV program, reaching out to specific individuals under the guise of arranging a casting call or an interview.
“The threat actor poses as a writer for Korean TV programs and reaches out to targets for casting or interview arrangements,” the report notes.
To lower the victim’s guard, the attackers use “a short self-introduction and legitimate-looking instructions” to build trust before delivering the payload. The weapon of choice is a malicious HWP (Hangul Word Processor) file—a standard document format in South Korea—disguised as a “pre-interview questionnaire or event guide document”.
Once the victim opens the document and clicks a hyperlink, the trap is sprung. The report explains that the attackers use a “masquerading technique launching a legitimate process first”.
By piggybacking on authorized system processes, the malware aims to bypass traditional antivirus scans. “This multi-stage procedure leverages legitimate execution flow to evade detection by signature-based security solutions”.
Technically, the attack combines the initial execution of an OLE object within the document with DLL side-loading, executing the malicious payload within the context of a trusted application.
Researchers were able to link this campaign to previous activity through a digital breadcrumb trail left in the cloud. The investigation identified a Yandex Cloud login account, “tanessha.samuel,” used to manage the attack infrastructure.
This specific user ID proved to be the smoking gun. “The Yandex Cloud login account used, ‘tanessha.samuel,’ shares the same user ID as the pCloud registration account (tanessha.samuel@gmail.com) identified in Operation Toybox Story”.
Forensic analysis confirmed that accounts on both services were created on the exact same day: October 19, 2023.
“This concurrent account registration strongly indicates that the actor operates multiple cloud infrastructures under a unified identifier, integrating and managing command-and-control (C2) and payload distribution channels”.
The use of Russian (Yandex) and Swiss (pCloud) services appears calculated. The report suggests this is a “strategy of evasion and concealment through geographic and legal jurisdictional separation,” designed to complicate takedown efforts and attribution.
Genians Security Center advises organizations that “Real-time monitoring through an EDR solution is essential for identifying abnormal behavior,” as traditional signature-based tools may fail to catch the subtle execution flow of the Artemis campaign.
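The execution chain the report describes (a document reader launching a legitimate process, which then side-loads a malicious DLL) is exactly the kind of behaviour signature scanning misses but behavioural telemetry exposes. The following is an added defender-side example, not code from the Genians report or its products: a small heuristic that runs over constructed EDR-style process-creation and image-load events and flags a document reader spawning an executable from a user-writable directory, a signed process loading an unsigned DLL from its own user-writable directory, and the combination of the two on one process. All process names, paths and event field names are assumptions; the report only names HWP as the lure format.

```python
"""
Added example (not part of the Genians report): heuristic detection of the
document -> legitimate process -> side-loaded DLL chain over constructed
endpoint events. Field names, process names and paths are assumptions.
"""
from typing import Dict, List
import ntpath  # Windows-style path handling, works on any OS

# Document viewers that should rarely launch executables from user-writable
# locations (assumed names; only "HWP" is named in the report).
DOCUMENT_READERS = {"hwp.exe", "hword.exe", "winword.exe"}

# Path fragments treated as user-writable (assumption).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed telemetry: a benign HWP start, a hyperlink opening a browser,
# and a copied signed binary loading an unsigned DLL beside itself.
SAMPLE_EVENTS: List[Dict] = [
    {"event": "process_create", "pid": 4100, "ppid": 3020,
     "image": r"C:\Program Files\Hnc\Office\Hwp.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "process_create", "pid": 4200, "ppid": 4100,
     "image": r"C:\Users\victim\AppData\Local\Temp\update\legit.exe",
     "parent_image": r"C:\Program Files\Hnc\Office\Hwp.exe"},
    {"event": "image_load", "pid": 4200, "process_signed": True,
     "image": r"C:\Users\victim\AppData\Local\Temp\update\legit.exe",
     "dll": r"C:\Users\victim\AppData\Local\Temp\update\version.dll",
     "dll_signed": False},
    {"event": "image_load", "pid": 4200, "process_signed": True,
     "image": r"C:\Users\victim\AppData\Local\Temp\update\legit.exe",
     "dll": r"C:\Windows\System32\kernel32.dll", "dll_signed": True},
    {"event": "process_create", "pid": 4300, "ppid": 4100,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Program Files\Hnc\Office\Hwp.exe"},
    {"event": "image_load", "pid": 4300, "process_signed": True,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dll": r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll",
     "dll_signed": True},
]


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Apply both rules and escalate any pid hit by both to 'high'."""
    findings: List[Dict] = []
    spawned_by_reader = set()
    side_loaded = set()

    for e in events:
        if e["event"] == "process_create":
            # Rule A: document reader launches an executable from a user-writable dir.
            if basename(e["parent_image"]) in DOCUMENT_READERS and is_user_writable(e["image"]):
                spawned_by_reader.add(e["pid"])
                findings.append({"rule": "reader_spawns_from_user_dir", "severity": "medium",
                                 "pid": e["pid"], "image": e["image"]})
        elif e["event"] == "image_load":
            # Rule B: signed host process loads an unsigned DLL from its own
            # user-writable directory (the classic side-loading layout).
            same_dir = ntpath.dirname(e["dll"]).lower() == ntpath.dirname(e["image"]).lower()
            if e["process_signed"] and not e["dll_signed"] and is_user_writable(e["dll"]) and same_dir:
                side_loaded.add(e["pid"])
                findings.append({"rule": "unsigned_dll_sideload", "severity": "medium",
                                 "pid": e["pid"], "dll": e["dll"]})

    # Correlation: the full chain on one process is the high-confidence signal.
    for pid in sorted(spawned_by_reader & side_loaded):
        findings.append({"rule": "document_to_sideload_chain", "severity": "high", "pid": pid})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Each rule on its own is noisy (browsers spawned from documents and unsigned DLLs in Temp both occur legitimately), which is why the correlated finding carries the high severity; in a real pipeline the same join would be keyed on the EDR's process GUID rather than a reusable PID.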