Defending Against APT37: A Proactive Approach to Cyber Threats
In the ever-evolving landscape of cybersecurity, APT37, a North Korean-linked threat group, continues to be a significant concern. Recent campaigns by APT37 have used spear-phishing to lure users into opening malicious files. These files often arrive as oversized Windows shortcuts (.LNK) hidden inside ZIP archives, or as Microsoft Compiled HTML Help (CHM) files, both used as droppers for the RoKRAT malware. APT37 has also been known to use steganography, concealing malware inside innocent-looking JPEG files so that antivirus and other security controls do not flag them.
The Detection Problem
The cybersecurity community has long understood that detection and response is a critical layer in any robust cyber defense architecture. Without prevention in front of it, however, detection alone floods the Security Operations Center (SOC) with alerts and analyst fatigue, and AI-driven tooling does not remove that burden. This is where a balanced, prevention-first approach becomes crucial: by stopping threats before they reach the user, organizations shrink their attack surface and improve their overall security posture.
The Attack Chain
APT37’s recent campaign illustrates a classic cyber kill chain. The attack begins with a spear-phishing email carrying a ZIP archive that contains an oversized LNK or CHM file disguised as a routine update for the user’s machine. When the victim opens the file, scripts or payloads embedded in the LNK or CHM are launched. The RoKRAT malware is then downloaded through a cloud storage API (Box, in this campaign), giving the attackers further access to and control over the compromised system.
Breaking the Cyber Kill Chain
Step 1: The Malicious Email Attachment — Disarmed by CDR
If a user receives an archive containing one or more LNK or CHM files (or any other document) as an attachment, Content Disarm and Reconstruction (CDR) intercepts the attachment in real time. This backend integration has no impact on the user experience: CDR strips the attachment of scripts and shellcode in milliseconds by rebuilding each file from only its legitimate, known-good elements rather than forwarding the original bytes. The result is a safe, usable file that retains the functionality of the original format, while anything malicious or unknown is left behind. For shortcut and CHM files specifically, there is rarely any legitimate content a recipient needs, so a policy that blocks or quarantines them outright is a sensible complement to reconstruction.
Step 2: Weaponized Image or HTML via Dropbox — Isolated Through The Browser
APT37 has also been known to hide payloads in image files or HTML content hosted on platforms like Dropbox. With Browser Isolation, that content is opened in a cloud-based isolation container: the user sees and interacts with a safe rendering, but no code from the page executes on their machine. If the user chooses to download the image file, it is passed to CDR, which re-renders the image and so discards anything hidden in the original bytes, whether appended after the image data or encoded into it. The result is a visually equivalent image without hidden components or suspicious shell commands. The exploit cannot run, and the endpoint remains untouched.
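The lure pattern in the attack chain above (an oversized LNK or CHM inside a ZIP) and the image step here (a payload riding inside a JPEG) can both be checked at an attachment gateway or during triage. The Python below is an example added to this article; it is not Menlo Security’s product code. The 64 KiB shortcut threshold, the sample archive and the appended-payload check are my own assumptions, built inline so the script runs offline. It flags data appended after the JPEG end-of-image marker, which is one common way to smuggle a payload in an image; it does not detect pixel-level (LSB) steganography, which is exactly why re-rendering the image, as CDR does, is a stronger control than scanning it.

```python
"""Triage checks for the lure types in this article: oversized .LNK and CHM
droppers inside a ZIP, and JPEGs with data appended after the end-of-image
marker. Example code added to the article, not Menlo Security's product code.
The size threshold and the sample archive are constructed assumptions."""
import io
import zipfile

# ShellLinkHeader: HeaderSize 0x4C followed by LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
CHM_MAGIC = b"ITSF"          # ITSS container signature at offset 0 of a .chm
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# A genuine shortcut is a few KiB; treat anything above this as suspect.
# Assumed threshold: tune it to the shortcuts seen in your own environment.
LNK_SIZE_LIMIT = 64 * 1024


def jpeg_image_end(data: bytes) -> int:
    """Offset just past the real EOI marker, found by walking the marker
    segments. A naive search for FF D9 is wrong because EXIF thumbnails (APP1)
    embed a complete JPEG with its own EOI. Raises ValueError if malformed."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                              # EOI: end of the image proper
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:    # TEM, RSTn, SOI: no payload
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len                              # skip length-prefixed payload
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            # In scan data every FF is followed by 00 (stuffing) or an RSTn
            # marker, so the next FF with any other byte is a real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def scan_archive(zip_bytes: bytes, lnk_limit: int = LNK_SIZE_LIMIT) -> list[tuple[str, str]]:
    """Return (entry name, reason) for every entry matching a lure pattern.
    Entries are identified by content, not extension, so a renamed LNK or CHM
    is still caught."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if data.startswith(LNK_MAGIC):
                if len(data) > lnk_limit:
                    findings.append((info.filename, f"oversized LNK ({len(data)} bytes)"))
                elif not info.filename.lower().endswith(".lnk"):
                    findings.append((info.filename, "LNK header under a non-.lnk name"))
            elif data.startswith(CHM_MAGIC):
                findings.append((info.filename, "CHM (compiled HTML help) dropper candidate"))
            elif data.startswith(JPEG_SOI):
                try:
                    extra = len(data) - jpeg_image_end(data)
                except ValueError as exc:
                    findings.append((info.filename, f"malformed JPEG: {exc}"))
                    continue
                if extra:
                    findings.append((info.filename, f"{extra} bytes appended after JPEG EOI"))
    return findings


def make_jpeg(entropy: bytes = b"\x12\x34\x56\x78") -> bytes:
    """Constructed, minimal JPEG-shaped marker stream: SOI, an APP1 segment
    carrying a thumbnail with its own EOI (as EXIF does), SOS, scan data, EOI.
    Structurally valid for the walker above; not a decodable picture."""
    thumb = JPEG_SOI + b"\x00" * 4 + JPEG_EOI
    app1_payload = b"Exif\x00\x00" + thumb
    app1 = b"\xff\xe1" + (len(app1_payload) + 2).to_bytes(2, "big") + app1_payload
    sos_payload = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + (len(sos_payload) + 2).to_bytes(2, "big") + sos_payload
    return JPEG_SOI + app1 + sos + entropy + JPEG_EOI


def build_sample_archive() -> bytes:
    """Constructed ZIP resembling the lure: a padded LNK, a CHM stub, a clean
    JPEG, a JPEG with a stand-in payload appended, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice.pdf.lnk", LNK_MAGIC + b"\x00" * (LNK_SIZE_LIMIT + 1024))
        zf.writestr("Readme.chm", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 60)
        zf.writestr("photo.jpg", make_jpeg())
        zf.writestr("photo2.jpg", make_jpeg() + b"PAYLOAD" * 8)
        zf.writestr("notes.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_archive(build_sample_archive()):
        print(f"{name}: {reason}")
```

Running the script reports the padded shortcut, the CHM and the JPEG with trailing bytes, and stays quiet on the clean JPEG and the text file. The segment walker matters: the constructed JPEG carries an EXIF-style thumbnail with its own FF D9, so a simple "find the first EOI" check would wrongly flag the clean image, and a "find the last EOI" check would miss a payload that happens to contain those two bytes.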
Proactive Protection, Not Reactive Detection
This approach delivers zero-trust file and web access. Organizations no longer need to chase detections for every new unknown threat, because those threats never get to execute. Users stay productive, accessing files and web content as usual in the native file format. Security teams gain assurance that every download, every click, and every file is sanitized or isolated, and SOC and EDR deployments become more effective because far less noise and fewer false positives reach them.
Why It Matters
As threat actors like APT37 continue to innovate, hiding malware in images, documents, and web content, traditional detection-based tools fall short. Organizations cannot rely on receiving updated signatures, or on waiting for alerts after a compromise, to respond to and contain a breach. With a browser isolation and data security solution, organizations can stop attacks at the source: spear-phishing attachments neutralized, weaponized drive-by downloads contained, and hidden malware in images or archives disarmed. This isn’t just another security layer. It’s a new way to eliminate risk before it reaches your environment.
Ready to Stop APT37?
APT37 and other nation-state groups are raising the stakes. Organizations cannot afford to wait for alerts after a compromise. Menlo Security delivers zero-trust web and file security, providing a proactive approach to cyber threats. By integrating browser isolation and data security, organizations can significantly enhance their security posture and protect against sophisticated attacks like those launched by APT37.
FAQ
What is APT37?
APT37 is a North Korean-linked threat group known for its sophisticated cyber attacks, including spear-phishing campaigns. The group has been responsible for numerous high-profile breaches and data exfiltration incidents.
What are the recent tactics used by APT37?
Recent tactics used by APT37 include hiding malware in oversized Windows shortcuts (.LNK) inside ZIP archives and using Microsoft CHM files as droppers to deliver RoKRAT malware. The group has also been known to use steganography, concealing malware inside innocent-looking JPEG files to bypass antivirus and other security measures.
What is Content Disarm and Reconstruction (CDR)?
Content Disarm and Reconstruction (CDR) is a security technique that intercepts potentially malicious content, such as email attachments, and disarms it before it reaches the end user. Each file is rebuilt from only its legitimate, known-good elements rather than forwarded as received, so the result is a safe, usable file that retains the functionality of the original format while anything malicious or unknown is left behind.
What is Browser Isolation?
Browser Isolation is a security technique that involves opening web content in a cloud-based isolation container. This allows users to see and interact with a safe rendering of the content, but no code ever executes on their machine. This can help to prevent the execution of malicious payloads hidden within image files or HTML content.
How can organizations protect against APT37 and other sophisticated cyber threats?
Organizations can protect against sophisticated cyber threats like those launched by APT37 by adopting a proactive, prevention-first approach. This includes integrating browser isolation and data security solutions, such as those provided by Menlo Security. By stopping attacks at the source, organizations can significantly enhance their security posture and protect against a wide range of cyber threats.