
ZUMKONG

Posted: October 21, 2019

APT37 (also known as ScarCruft) is a North Korean state-sponsored espionage group that specializes in politically motivated attacks against high-ranking military and government personnel in South Korea. The group has run major campaigns using a broad range of tools that serve different purposes. One notable component of APT37's arsenal is ZUMKONG, an information-stealing implant that exfiltrates the data it harvests by email through mail.zmail.ru, a legitimate Russian webmail service, so that the traffic blends in with ordinary webmail use.

The ZUMKONG Infostealer Targets the Internet Explorer and Chrome Browsers

ZUMKONG has certainly been used against South Korean targets, and the group may also have deployed it against targets in the Middle East. The malware has been used alongside SLOWDRIFT, a Trojan downloader that also collects system information before fetching additional payloads. Little has been published about the exact techniques ZUMKONG uses, but it is known to extract saved login credentials, cookies, and configuration details from Internet Explorer and Google Chrome. The victim is unlikely to notice anything out of the ordinary, since the collector is built to operate stealthily.
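Two detection checks that follow from the behaviour described above (a process that is not a browser reading Chrome's saved-password database, and an HTTP POST to mail.zmail.ru from a process that is neither a browser nor a mail client), written as an added example; this is not code from the original page or from any APT37 tooling. The JSON log format, the host names, the process paths and the sample records are constructed for this example and would have to be mapped to the fields your EDR and proxy actually emit. The Chrome `Login Data` path is the real location of Chrome's saved-password store; the allow-list of processes expected to touch it or to reach webmail is an assumption to tune per environment.

```python
"""Hunt for ZUMKONG-style credential theft and webmail exfiltration.

Added example, not from the original page or from APT37 tooling. Log format
and sample records are constructed; field names are assumptions.
"""
import json
from collections import defaultdict

# Webmail host the page reports ZUMKONG using for exfiltration.
EXFIL_HOSTS = {"mail.zmail.ru"}
# Assumption: processes allowed to read browser credential stores or to POST
# to webmail without raising an alert. Tune for your environment.
BENIGN_PROCESSES = {"chrome.exe", "iexplore.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
# Real location (suffix) of Chrome's saved-password SQLite database.
CHROME_LOGIN_DATA = "\\google\\chrome\\user data\\default\\login data"

# Constructed sample telemetry (one JSON record per line). Backslashes are
# doubled because this is a raw string holding JSON.
SAMPLE_LOG = r"""
{"host":"WS01","event":"file_read","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","target":"C:\\Users\\kim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"host":"WS01","event":"file_read","image":"C:\\Users\\kim\\AppData\\Local\\Temp\\update.exe","target":"C:\\Users\\kim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"host":"WS01","event":"http","image":"C:\\Users\\kim\\AppData\\Local\\Temp\\update.exe","method":"POST","dest_host":"mail.zmail.ru","bytes_out":8421}
{"host":"WS02","event":"http","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","method":"POST","dest_host":"mail.zmail.ru","bytes_out":512}
{"host":"WS03","event":"http","image":"C:\\Windows\\Temp\\svc.exe","method":"POST","dest_host":"mail.zmail.ru","bytes_out":2048}
{"host":"WS03","event":"http","image":"C:\\Windows\\Temp\\svc.exe","method":"GET","dest_host":"example.com","bytes_out":0}
"""


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(records):
    """Return (host, kind, detail) findings in record order.

    kind is 'store_read' for a non-allow-listed process opening Chrome's
    Login Data, or 'exfil_post' for a non-allow-listed process POSTing to
    one of EXFIL_HOSTS.
    """
    findings = []
    for r in records:
        proc = basename(r.get("image", ""))
        if proc in BENIGN_PROCESSES:
            continue
        if r["event"] == "file_read" and r.get("target", "").lower().endswith(CHROME_LOGIN_DATA):
            findings.append((r["host"], "store_read", f"{proc} read {r['target']}"))
        elif (r["event"] == "http"
              and r.get("method", "").upper() == "POST"
              and r.get("dest_host", "").lower() in EXFIL_HOSTS):
            detail = f"{proc} sent {r.get('bytes_out', 0)} bytes to {r['dest_host']}"
            findings.append((r["host"], "exfil_post", detail))
    return findings


def correlate(findings):
    """Hosts showing both the credential-store read and the webmail POST.

    Either signal alone is worth a look; both on one host is the
    high-confidence case that matches the behaviour described for ZUMKONG.
    """
    kinds = defaultdict(set)
    for host, kind, _ in findings:
        kinds[host].add(kind)
    return sorted(h for h, k in kinds.items() if {"store_read", "exfil_post"} <= k)


if __name__ == "__main__":
    found = analyse(parse_log(SAMPLE_LOG))
    for host, kind, detail in found:
        print(f"{host} {kind}: {detail}")
    print("high-confidence hosts:", correlate(found))
```

On the constructed records this flags the unknown `update.exe` on WS01 for both reading `Login Data` and POSTing to mail.zmail.ru, flags `svc.exe` on WS03 for the POST alone, and ignores the browser-originated POST on WS02. A real deployment would add the Windows Credential Manager (where Internet Explorer keeps its saved passwords) as a second store rule and would key the allow-list on signed image paths rather than bare file names, which an implant can trivially copy.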

APT37 usually relies on fraudulent emails to deliver the first-stage payload. Because the group targets specific individuals, it picks email topics and bodies carefully so that the messages look as legitimate as possible to the recipient. The emails may carry a macro-laced document or a malicious link to a third-party download page.
