Researchers at Genians Security Center have identified a new variant of the RoKRAT malware, attributed to the North Korean APT37 threat group, that uses steganography to hide its payload inside otherwise ordinary JPEG image files.
Embedding XOR-encoded shellcode in the image data lets the sample pass signature-based antivirus checks, since the file still parses as a picture. The loader decodes the shellcode and runs it directly in memory, so no decoded payload is written to disk where a scanner could examine it.
Distribution relies on malicious shortcut (.LNK) files delivered inside ZIP archives, for example one disguised as “National Intelligence and Counterintelligence Manuscript.zip.” The LNK files are unusually large, sometimes exceeding 50 MB, because they embed a decoy document together with the encoded components of the chain: shellcode (ttf01.dat), a PowerShell script (ttf02.dat) and a batch file (ttf03.bat).
APT37’s Evolving RoKRAT Variant
Upon execution, the batch script launches PowerShell, which XOR-decodes the shellcode component with the single-byte key 0x33 to recover a block of 32-bit shellcode. That shellcode then injects further payloads into legitimate Windows processes. The injection is itself two-staged: a second XOR, applied at offset 0x590 with the key 0xAE, yields an executable whose PDB path, D:\Work\Util\InjectShellcode\Release\InjectShellcode.pdb, identifies it as a dedicated shellcode injector. Layering the encodings this way slows reverse engineering, since each stage has to be decoded before the next one becomes visible.
The injector allocates virtual memory in a 32-bit host process such as mspaint.exe or notepad.exe launched from the SysWOW64 directory, writes a decoded block into it (892,928 bytes in the analysed sample) and applies a further XOR with the key 0xD6 to reveal the core RoKRAT module. Because that module exists only in the memory of the host process, there is little on disk for forensic analysis to recover. The sample’s compile timestamp (2025-04-21 00:39:59 UTC) and distinctive strings such as “--wwjaughalvncjwiajs--” match earlier APT37 tooling and support the attribution.
Cloud-Based C2 Channels
The steganographic delivery adds a new stage to this chain: the RoKRAT loader is embedded in a JPEG such as “Father.jpg” that is fetched from cloud storage such as Dropbox. In the HWP-document variant, the loader arrives as a malicious DLL (mpr.dll or credui.dll) that is side-loaded by a legitimate executable embedded in the document.
Inside the JPEG, the resource named “MYIMAGEFILE” opens with a valid Exif header, so image parsers and file-type checks accept it, but the data at offset 0x4201 is shellcode XORed with the key 0xAA. Once decoded, that shellcode applies a second XOR with the key 0x29 to unpack the RoKRAT payload and executes it in memory, so no decoded file ever touches disk and file-based endpoint protection has nothing to scan.
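The two encoding chains above (0x33 then 0xAE at 0x590 for the LNK components, 0xAA at 0x4201 then 0x29 for the JPEG) are the same single-byte XOR scheme applied in layers, so one small decoder covers both. The script below is an added example, not code from Genians or from the RoKRAT samples: it peels the layers using the offsets and keys the article quotes, validates a candidate payload by checking both the MZ and PE signatures under the same key rather than trusting a lone “MZ”, and includes a key brute-forcer for the case where a later sample keeps the scheme but rotates the key. The JPEG and ttf01.dat inputs are constructed inside the script (a minimal Exif header, a NOP sled and a stub PE) so it runs offline; nothing in them is taken from a real sample.

```python
"""Triage decoder for the layered single-byte XOR encoding RoKRAT uses.

Added example, not code from Genians or from the RoKRAT samples.  Offsets and
keys are the values the article quotes for the LNK chain (0x33, then 0xAE at
0x590) and the JPEG (0xAA at 0x4201, then 0x29); all "sample" bytes are
constructed at the bottom so the script runs offline with no malware on disk.
"""
import struct

JPEG_SHELLCODE_OFFSET = 0x4201   # loader shellcode starts here in "MYIMAGEFILE"
JPEG_STAGE1_KEY = 0xAA           # image bytes -> loader shellcode
JPEG_STAGE2_KEY = 0x29           # region of that shellcode -> RoKRAT PE
LNK_STAGE1_KEY = 0x33            # ttf01.dat -> 32-bit shellcode
LNK_INJECTOR_OFFSET = 0x590      # injector PE sits here inside that shellcode
LNK_STAGE2_KEY = 0xAE            # shellcode region -> InjectShellcode PE


def xor1(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def has_exif_header(image: bytes) -> bool:
    """SOI marker followed by an APP1 segment carrying 'Exif\\0\\0'."""
    return image[:4] == b"\xff\xd8\xff\xe1" and image[6:12] == b"Exif\x00\x00"


def find_xored_pe(blob: bytes, key: int):
    """Offset of a PE image XORed with `key` inside `blob`, or None.

    Requires 'MZ' at the candidate offset AND 'PE\\0\\0' at e_lfanew (the DWORD
    at DOS-header offset 0x3C), both decoded with the same key, so two bytes
    that merely happen to decode to 'MZ' are not reported as a payload.
    """
    needle = xor1(b"MZ", key)
    pos = blob.find(needle)
    while pos != -1:
        dos = blob[pos:pos + 0x40]
        if len(dos) == 0x40:
            e_lfanew = struct.unpack_from("<I", xor1(dos, key), 0x3C)[0]
            sig = blob[pos + e_lfanew:pos + e_lfanew + 4]
            if xor1(sig, key) == b"PE\x00\x00":
                return pos
        pos = blob.find(needle, pos + 1)
    return None


def recover_key(blob: bytes):
    """Brute-force the single-byte key under which `blob` hides a PE.

    Generalises the fixed keys above to a sample that keeps the scheme but
    rotates the key.  Returns (key, offset) or None.
    """
    for key in range(256):
        pos = find_xored_pe(blob, key)
        if pos is not None:
            return key, pos
    return None


def carve_rokrat_from_jpeg(image: bytes) -> bytes:
    """Peel both XOR layers off a steganographic JPEG; return the RoKRAT PE."""
    if not has_exif_header(image):
        raise ValueError("not a JPEG with an Exif APP1 segment")
    shellcode = xor1(image[JPEG_SHELLCODE_OFFSET:], JPEG_STAGE1_KEY)
    pe_off = find_xored_pe(shellcode, JPEG_STAGE2_KEY)
    if pe_off is None:
        raise ValueError("no PE found under the stage-2 key")
    return xor1(shellcode[pe_off:], JPEG_STAGE2_KEY)


def carve_injector_from_ttf01(ttf01: bytes) -> bytes:
    """Peel the LNK-chain layers: ttf01.dat -> shellcode -> injector PE."""
    shellcode = xor1(ttf01, LNK_STAGE1_KEY)
    return xor1(shellcode[LNK_INJECTOR_OFFSET:], LNK_STAGE2_KEY)


# --- constructed inputs (not real samples) -------------------------------------
def build_fake_pe(tail: bytes) -> bytes:
    """Minimal DOS header + PE signature, enough for the header checks above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)   # e_lfanew -> PE signature at 0x80
    return bytes(dos).ljust(0x80, b"\x00") + b"PE\x00\x00" + tail


def build_fake_image(pe: bytes) -> bytes:
    """JPEG SOI + Exif APP1 segment, padded so the shellcode lands at 0x4201."""
    app1 = b"Exif\x00\x00MM\x00*\x00\x00\x00\x08"
    header = b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    shellcode = b"\x90" * 0x20 + xor1(pe, JPEG_STAGE2_KEY) + b"\xcc" * 8   # layer 2
    return header.ljust(JPEG_SHELLCODE_OFFSET, b"\x00") + xor1(shellcode, JPEG_STAGE1_KEY)


def build_fake_ttf01(pe: bytes) -> bytes:
    """NOP sled, then the injector PE under 0xAE at 0x590, all under 0x33."""
    return xor1(b"\x90" * LNK_INJECTOR_OFFSET + xor1(pe, LNK_STAGE2_KEY), LNK_STAGE1_KEY)


SAMPLE_IMAGE = build_fake_image(build_fake_pe(b"--wwjaughalvncjwiajs--"))
SAMPLE_TTF01 = build_fake_ttf01(
    build_fake_pe(b"D:\\Work\\Util\\InjectShellcode\\Release\\InjectShellcode.pdb"))
```

Calling carve_rokrat_from_jpeg(SAMPLE_IMAGE) returns the stub PE with the marker string at offset 0x84, carve_injector_from_ttf01(SAMPLE_TTF01) returns the stub injector ending in its PDB path, and recover_key() run over the stage-1 shellcode of the image finds (0x29, 0x20) with no prior knowledge of the key. On a real image, replace SAMPLE_IMAGE with the file contents; if the fixed offset or key no longer works, recover_key() over the decoded region is the first thing to try, since the e_lfanew check keeps it from stopping at false MZ matches.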
Functionally, RoKRAT collects system information, documents and screenshots and exfiltrates them through legitimate cloud storage APIs abused as C2 channels: api.pcloud.com, cloud-api.yandex.net and api.dropboxapi.com, authenticated with access tokens such as “hFkFeKn8jJIAAAAAAAAAAZr14zutJmQzoOx-g5k9SV9vy7phb9QiNCIEO7SAp1Ch” (since revoked). The C2 accounts are registered to email addresses such as “nusli.vakil@yandex.com” and “leon24609@gmail.com”; the continued use of Russian email services, together with possible links to LinkedIn profiles, echoes earlier APT37 operations.
Variants observed from July 2025, including one disguised as “Academy Operation for Successful Resettlement of North Korean Defectors in South Korea.lnk,” have moved to injecting into notepad.exe and carry PDB paths under D:\Work\Weapon, which indicates the toolset is still being refined.
Countering this chain calls for Endpoint Detection and Response (EDR) telemetry rather than file signatures, because the observable events are behavioural: a shortcut spawning a script host, a script host allocating memory and writing into a SysWOW64 mspaint.exe or notepad.exe, and that GUI process then opening connections to a cloud storage API. EDR process-tree visualisation helps map the full flow from LNK execution to C2 exfiltration, so affected hosts can be isolated quickly and the activity mapped to MITRE ATT&CK techniques.
Because RoKRAT evades signature-based defences through fileless execution and steganography, organisations should prioritise EDR-driven threat hunting. The campaign underscores the growing sophistication of North Korean state-sponsored operations against Windows environments in South Korea and beyond.
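The behaviours the previous paragraph lists can be turned into correlation rules. The script below is an added example, not Genians’ or any EDR vendor’s detection logic: it runs three rules over constructed, Sysmon-like endpoint events (ProcessCreate, CreateRemoteThread, NetworkConnect; the field names are assumptions) that encode the chain described in the article. The cloud-API rule fires only for a process that the injection rule has already flagged, which is what keeps a legitimate sync client talking to api.dropboxapi.com from raising an alert. The events, including the benign noise, are made up for the example.

```python
"""Behaviour-based detection for the RoKRAT chain, run over constructed telemetry.

Added example, not Genians' or any vendor's EDR logic.  Events are made up in a
Sysmon-like shape (ProcessCreate, CreateRemoteThread, NetworkConnect) and the
field names are assumptions.  The three rules encode the chain the article
describes: shortcut -> cmd.exe -> PowerShell, a remote thread into a SysWOW64
mspaint.exe/notepad.exe, and that process then talking to a cloud storage API.
"""

CLOUD_C2_HOSTS = {"api.pcloud.com", "cloud-api.yandex.net", "api.dropboxapi.com"}
INJECTION_TARGETS = {r"c:\windows\syswow64\mspaint.exe", r"c:\windows\syswow64\notepad.exe"}


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (ATT&CK technique, process guid, reason) findings, in rule order.

    Rule 3 only fires for a process rule 2 already flagged, so a legitimate
    sync client reaching api.dropboxapi.com produces nothing on its own.
    """
    findings = []
    procs = {e["guid"]: e for e in events if e["type"] == "ProcessCreate"}

    # Rule 1: PowerShell started by a cmd.exe that explorer.exe launched, i.e. a
    # batch file run from a double-clicked shortcut (T1204.002 -> T1059.001).
    for e in events:
        if e["type"] == "ProcessCreate" and basename(e["image"]) == "powershell.exe":
            parent = procs.get(e["parent_guid"])
            if parent and basename(parent["image"]) == "cmd.exe" \
                    and basename(parent["parent_image"]) == "explorer.exe":
                findings.append(("T1059.001", e["guid"],
                                 "PowerShell spawned by cmd.exe under explorer.exe (LNK chain)"))

    # Rule 2: a thread created in a 32-bit mspaint.exe/notepad.exe by another
    # process; these hosts never receive remote threads in normal use (T1055).
    injected = set()
    for e in events:
        if e["type"] == "CreateRemoteThread" \
                and e["target_image"].lower() in INJECTION_TARGETS \
                and e["source_guid"] != e["target_guid"]:
            injected.add(e["target_guid"])
            findings.append(("T1055", e["target_guid"],
                             f"remote thread from {basename(e['source_image'])} "
                             f"into {basename(e['target_image'])}"))

    # Rule 3: the injected GUI process reaches a cloud storage API (T1102.002).
    for e in events:
        if e["type"] == "NetworkConnect" and e["guid"] in injected \
                and e["dest_host"].lower() in CLOUD_C2_HOSTS:
            findings.append(("T1102.002", e["guid"],
                             f"{basename(e['image'])} -> {e['dest_host']}:{e['dest_port']}"))
    return findings


# Constructed events, not from a real host.
EVENTS = [
    {"type": "ProcessCreate", "guid": "p1", "parent_guid": None, "parent_image": "",
     "image": r"C:\Windows\explorer.exe"},
    {"type": "ProcessCreate", "guid": "p2", "parent_guid": "p1",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "ProcessCreate", "guid": "p3", "parent_guid": "p2",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "ProcessCreate", "guid": "p4", "parent_guid": "p3",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\SysWOW64\mspaint.exe"},
    {"type": "CreateRemoteThread", "source_guid": "p3", "target_guid": "p4",
     "source_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_image": r"C:\Windows\SysWOW64\mspaint.exe"},
    {"type": "NetworkConnect", "guid": "p4", "image": r"C:\Windows\SysWOW64\mspaint.exe",
     "dest_host": "api.pcloud.com", "dest_port": 443},
    # benign noise: a user opening Notepad, and the Dropbox client syncing
    {"type": "ProcessCreate", "guid": "p5", "parent_guid": "p1",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "NetworkConnect", "guid": "p6", "image": r"C:\Program Files\Dropbox\Client\Dropbox.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},
]

if __name__ == "__main__":
    for technique, guid, why in detect(EVENTS):
        print(f"[{technique}] {guid}: {why}")
```

Run as-is, the script reports three findings for the constructed chain (T1059.001 on the PowerShell process, then T1055 and T1102.002 on the injected mspaint.exe) and nothing for the Notepad and Dropbox noise. Dropping the CreateRemoteThread event leaves only the T1059.001 finding, which shows why the cloud-API rule is gated on injection: any of the three hosts is unremarkable on its own, and it is the sequence that identifies the chain.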
Indicators of Compromise (IoC)
Type | Value |
---|---|
MD5 | a2ee8d2aa9f79551eb5dd8f9610ad557 |
MD5 | ae7e18a62abb7f93b657276dcae985b9 |
MD5 | d5fe744b9623a0cc7f0ef6464c5530da |
MD5 | f6d72abf9ca654a20bbaf23ea1c10a55 |
MD5 | fd9099005f133f95a5b699ab30a2f79b |
MD5 | 5ed95cde6c29432a4f7dc48602f82734 |
MD5 | 16a8aaaf2e3125668e6bfb1705a065f9 |
MD5 | 64d729d0290e2c8ceaa6e38fa68e80e9 |
MD5 | 443a00feeb3beaea02b2fbcd4302a3c9 |
MD5 | e13c3a38ca58fb0fa9da753e857dd3d5 |
MD5 | e4813c34fe2327de1a94c51e630213d1 |