The North Korean APT37 hacking group employs a wide range of tools in its attacks, and it often relies on malware whose job is to pave the way for more high-profile threats. Such is the case with GELCAPSULE, a Trojan downloader that attempts to evade anti-virus software and sandbox environments before deploying a second-stage payload on the compromised computer. In past campaigns, the GELCAPSULE downloader was used to deliver the SLOWDRIFT malware to victims in South Korea. The first traces of GELCAPSULE's activity date to June 2016, and the threat has since been employed in several attacks against high-profile targets in South Korea.
The GELCAPSULE Downloader - Another Tool that APT37 Uses against South Korean Targets
It is no surprise that South Korea is the primary region targeted by APT37's attacks; after all, it is the main focus of most North Korean hacking groups. The GELCAPSULE Trojan downloader was delivered as a malicious email attachment accompanied by a carefully tailored lure message, and the topics of these fake messages typically concern current news events from the region.
While analyzing systems infected by the GELCAPSULE Trojan downloader, malware researchers identified the secondary payloads that the APT37 group deploys in combination with this downloader: ZUMKONG, POORAIM and KARAE. These malware families typically provide the following capabilities:
- ZUMKONG – An infostealer that extracts saved credentials from Internet Explorer and Google Chrome.
- POORAIM – A backdoor Trojan that receives commands via the now-discontinued AOL Instant Messenger service. It enables the attackers to download and execute files, collect data, browse the file system, capture the screen, and more.
- KARAE – A basic backdoor Trojan that appears to be used as a reconnaissance tool. It can also deploy an additional payload at a later stage.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to GELCAPSULE may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program, including SpyHunter? You may have a malware file running in memory that kills any program you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.