GELCAPSULE


Posted: October 15, 2019

The North Korean APT37 hacking group employs a wide range of tools in its attacks, and it often relies on malware whose job is to pave the way for higher-profile threats. GELCAPSULE is one such tool: a Trojan downloader that attempts to evade anti-virus software and sandbox environments before deploying a second-stage payload on the compromised computer. In past campaigns, the GELCAPSULE Downloader delivered the SLOWDRIFT malware to victims in South Korea. The first traces of GELCAPSULE activity date to June 2016, and the threat has been used in several attacks against high-profile targets in South Korea.

The GELCAPSULE Downloader - Another Tool that APT37 Uses against South Korean Targets

It is no surprise that South Korea is the primary target of APT37's attacks; it is the region on which most North Korean hackers focus. The GELCAPSULE Trojan downloader was delivered as a bogus email attachment accompanied by a carefully tailored message, and the lures used in these fake emails often reference relevant news events from the region.

While analyzing the systems infected by the GELCAPSULE Trojan downloader, malware experts were able to identify the secondary payloads that the APT37 group uses in combination with this downloader – ZUMKONG, POORAIM and KARAE. These malware families are usually responsible for the following types of attacks:

  • ZUMKONG – An infostealer that extracts saved credentials from Internet Explorer and Google Chrome.
  • POORAIM – A backdoor Trojan that receives commands via the outdated AOL Instant Messenger. It lets the attackers download and execute files, collect data, browse the file system, capture the screen and more.
  • KARAE – A basic backdoor Trojan that appears to be used as a reconnaissance tool. It can also deploy a secondary payload at a later stage.