
SLOWDRIFT

Posted: October 21, 2019

High-profile cybercriminals often use a wide variety of tools to collect information about their target and figure out what malware they should use. The APT37 group consists of politically-motivated North Korean hackers whose primary targets reside in South Korea. Although their toolset consists of many infostealers and backdoor Trojans, they also employ a few reconnaissance tools whose purpose is to collect software and hardware information about the victim. This not only helps them determine which malware to use, but may also tell them what sort of computer they have managed to infiltrate.

The SLOWDRIFT Trojan Downloader is a two-in-one tool that the APT37 group uses. The first thing that this malware does is to collect information about the hardware, software, and computer configuration of the victim – the data is then sent to a legitimate cloud-based service that the attackers use. After this step is complete, they can instruct the SLOWDRIFT downloader to fetch and execute a secondary payload.

SLOWDRIFT is a Two-In-One Reconnaissance Tool and Trojan Downloader

One of the largest campaigns involving the SLOWDRIFT downloader was carried out against high-ranking government and academic personnel in South Korea. The malware was delivered via corrupted Microsoft Office documents that were sent out as attachments to phishing emails. The group uses public exploits that allow specially crafted documents to execute arbitrary code on the targeted machine – one way to protect computers from this attack is to keep all software suites up-to-date and to use a reputable anti-virus product. In addition, users should know better than to download random email attachments that arrive unexpectedly – this is one of the most common social engineering tricks that both low-ranking and high-ranking cyber crooks use to deliver malware.
