New APT37 social engineering campaign targets Facebook users

North Korean state-backed threat operation APT37, also known as ScarCruft, has targeted Facebook users with the RokRAT trojan as part of a new multi-stage social engineering campaign, The Hacker News reports.

Hackers who created a pair of Facebook accounts set to Pyongyang and Pyongsong issued friend requests in an effort to establish trust before moving to Telegram and later luring targets into downloading a trojanized version of Wondershare PDFelement, a report from the Genians Security Center revealed. Installation and execution of the tampered software runs an encrypted shellcode that enables communications with the website of a Japanese real estate service's Seoul arm that functions as its command-and-control server, as well as the download of a JPG image that launches RokRAT. Further analysis showed RokRAT to have used Zoho WorkDrive as C2.

"Its core functionality has remained relatively stable and has been reused repeatedly across multiple operations over time. This shows that RokRAT has focused less on changing its core functionality and more on evolving its delivery, execution, and evasion chain," said researchers.
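The chain described above ends with a freshly installed, user-downloaded program talking to a legitimate cloud file-sharing service (Zoho WorkDrive) as its C2. One way a defender can hunt for that pattern is to correlate network events with the identity and location of the connecting process. The script below is an added example, not code from the Genians report or from The Hacker News: the EDR-style event lines, the list of cloud-storage hosts, the allowlisted client names and the "user-writable directory" heuristic are all constructed assumptions for illustration.

```python
"""Hunting heuristic: unknown processes reaching consumer cloud-storage hosts.

Added example (not from the cited report). It reads EDR-style JSON network
events, flags any process that is not an allowlisted client and that connects
to a cloud file-sharing host, and raises the severity when the process image
lives in a user-writable directory such as Downloads or Temp, which is where a
trojanized installer downloaded through social engineering would typically run.
"""
import json
from pathlib import PureWindowsPath

# Assumption: cloud file-sharing hosts that can be abused as C2 (suffix match).
CLOUD_STORAGE_HOSTS = {
    "workdrive.zoho.com",
    "dropbox.com",
    "drive.google.com",
}

# Assumption: process names allowed to reach those hosts in this environment.
ALLOWED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Assumption: path components that mark user-writable staging locations.
USER_WRITABLE_DIRS = {"downloads", "temp", "appdata"}

# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_EVENTS = """
{"id": "evt-1", "process": "chrome.exe", "image": "C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe", "dest_host": "drive.google.com", "dest_port": 443}
{"id": "evt-2", "process": "PDFelement.exe", "image": "C:\\\\Users\\\\kim\\\\Downloads\\\\PDFelement\\\\PDFelement.exe", "dest_host": "workdrive.zoho.com", "dest_port": 443}
{"id": "evt-3", "process": "explorer.exe", "image": "C:\\\\Windows\\\\explorer.exe", "dest_host": "workdrive.zoho.com", "dest_port": 443}
{"id": "evt-4", "process": "upd.exe", "image": "C:\\\\Users\\\\kim\\\\AppData\\\\Local\\\\Temp\\\\upd.exe", "dest_host": "update.example.net", "dest_port": 443}
""".strip()


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_cloud_storage(host):
    """True if host equals, or is a subdomain of, a known cloud-storage host."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in CLOUD_STORAGE_HOSTS)


def in_user_writable_dir(image_path):
    """True if any directory component of the image path is a staging location."""
    parts = PureWindowsPath(image_path).parts[:-1]  # drop the file name itself
    return any(p.lower() in USER_WRITABLE_DIRS for p in parts)


def flag_cloud_c2(events):
    """Return [(event_id, severity), ...] for suspicious cloud-storage connections.

    severity is "high" when the process image sits in a user-writable directory
    (a freshly downloaded installer), "medium" for any other non-allowlisted
    process reaching a cloud-storage host.
    """
    findings = []
    for ev in events:
        if not is_cloud_storage(ev["dest_host"]):
            continue
        if ev["process"].lower() in ALLOWED_CLIENTS:
            continue
        severity = "high" if in_user_writable_dir(ev["image"]) else "medium"
        findings.append((ev["id"], severity))
    return findings


if __name__ == "__main__":
    for event_id, severity in flag_cloud_c2(parse_events(SAMPLE_EVENTS)):
        print(f"{severity.upper():6} {event_id}")
```

The heuristic deliberately treats the legitimate service as neutral: a browser reaching Google Drive is not flagged, while a PDF editor running out of a Downloads folder and reaching Zoho WorkDrive is flagged high. Tune `ALLOWED_CLIENTS` to the sync clients actually deployed in the environment, and feed the medium-severity hits (a system binary talking to a file-sharing host) to an analyst rather than an automated block, since process injection into trusted binaries and legitimate user behaviour both produce them.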
