APT37 hackers use new malware to breach air-gapped networks
Summary: The North Korean hacking group APT37 is using a new malware toolkit called "Ruby Jumper" to spread spyware and steal data between air-gapped and internet-connected systems via USB drives.

2026-2-27 19:30:17 Author: www.bleepingcomputer.com

North Korean hackers are deploying newly uncovered tools to move data between internet-connected and air-gapped systems, spread via removable drives, and conduct covert surveillance.

The malicious campaign has been named Ruby Jumper and is attributed to the state-backed group APT37, also known as ScarCruft, Ricochet Chollima, and InkySquid.

Air-gapped computers are disconnected from external networks, especially the public internet. Physical isolation is achieved at the hardware level by removing all connectivity (Wi-Fi, Bluetooth, Ethernet), while logical segregation relies on various software-defined controls, like VLANs and firewalls.

In a physical air-gap environment, typical in critical infrastructure, military, and research sectors, data transfer is done through removable storage drives.

Researchers at cloud security company Zscaler analyzed the malware employed in APT37's Ruby Jumper campaign and identified a toolkit of five malicious tools: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE.

Bridging the air gap

The infection chain begins when the victim opens a malicious Windows shortcut file (LNK), which deploys a PowerShell script that extracts payloads embedded in the LNK file. To divert attention, the script also launches a decoy document.

Although the researchers did not specify any victims, they note that the document is an Arabic translation of a North Korean newspaper article about the Palestine-Israel conflict.

The PowerShell script loads the first malware component, called RESTLEAF, an implant that communicates with APT37's command-and-control (C2) infrastructure using Zoho WorkDrive.

RESTLEAF fetches encrypted shellcode from the C2 to download the next-stage payload, a Ruby-based loader named SNAKEDROPPER.

The attack continues by installing the Ruby 3.3.0 runtime environment (complete with the interpreter, standard libraries, and gem infrastructure), disguised as a legitimate USB-related utility named usbspeed.exe.

The researchers say that "SNAKEDROPPER is primed for execution by replacing the RubyGems default file operating_system.rb with a maliciously modified version that is automatically loaded when the Ruby interpreter starts," with execution triggered by a scheduled task (rubyupdatecheck) that runs every five minutes.

The THUMBSBD backdoor is downloaded as a Ruby file named ascii.rb, and the VIRUSTASK malware as a file named bundler_index_client.rb.

The role of THUMBSBD is to collect system information, stage command files, and prepare data for exfiltration. Its most crucial function is to create hidden directories on detected USB drives and copy files to them.

According to the researchers, the malware turns removable storage devices "into a bidirectional covert C2 relay." This allows the threat actor to deliver commands to air-gapped systems as well as extract data from them.

[Figure: ThumbSBD execution flow. Source: Zscaler]

“By leveraging removable media as an intermediary transport layer, the malware bridges otherwise air-gapped network segments,” Zscaler researchers say.

VIRUSTASK's role is to spread the infection to new air-gapped machines, weaponizing removable drives by hiding legitimate files and replacing them with malicious shortcuts that execute the embedded Ruby interpreter when opened.

The module will only trigger an infection process if the inserted removable media has at least 2GB of free space.
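The two removable-media behaviours described above (THUMBSBD creating hidden directories on USB drives, and VIRUSTASK hiding legitimate files behind malicious shortcuts) leave a footprint a defender can look for on the drive itself. The following script is an added example, not code from the article or from Zscaler: it walks a drive root and flags hidden top-level directories (excluding the standard Windows ones) and .lnk shortcuts whose name shadows a hidden file or folder in the same directory. Sample entries are constructed to exercise both patterns; the finding labels, the `Entry` model and the benign-name allowlist are this example's own assumptions, not identifiers from the article.

```python
"""Scan a removable drive for the hidden-directory and shortcut-swap
patterns described in the Ruby Jumper write-up (added example, defensive use).

Pattern 1: hidden directory at the top level of the drive (staging area).
Pattern 2: a .lnk shortcut sitting next to a hidden item with the same base
           name (original file hidden, shortcut left in its place).
"""
import os
import stat
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Hidden top-level folders Windows itself creates on removable drives.
BENIGN_HIDDEN_TOP_LEVEL = {"system volume information", "$recycle.bin"}


@dataclass(frozen=True)
class Entry:
    path: str        # relative to the drive root, forward slashes
    is_dir: bool
    is_hidden: bool


def _split(path: str) -> tuple[str, str]:
    """Return (parent, name) for a forward-slash relative path ('' = root)."""
    parent, _, name = path.rpartition("/")
    return parent, name


def find_indicators(entries: Iterable[Entry]) -> list[tuple]:
    """Return findings as tuples: (label, path[, related path])."""
    by_dir: dict[str, list[tuple[str, Entry]]] = defaultdict(list)
    for e in entries:
        parent, name = _split(e.path)
        by_dir[parent].append((name, e))

    findings: list[tuple] = []

    # Pattern 1: hidden directories directly under the drive root.
    for name, e in by_dir[""]:
        if e.is_dir and e.is_hidden and name.lower() not in BENIGN_HIDDEN_TOP_LEVEL:
            findings.append(("hidden_top_level_dir", e.path))

    # Pattern 2: shortcut whose base name matches a hidden sibling.
    for items in by_dir.values():
        hidden = {name: e for name, e in items if e.is_hidden}
        for name, e in items:
            if e.is_dir or not name.lower().endswith(".lnk"):
                continue
            stem = name[:-4]                      # "report.docx.lnk" -> "report.docx"
            for hname, h in hidden.items():
                # Match "report.docx" exactly or "report.lnk" against "report.docx".
                if hname == stem or hname.rsplit(".", 1)[0] == stem:
                    findings.append(("lnk_shadowing_hidden_item", e.path, h.path))
    return findings


def _hidden_on_disk(st: os.stat_result, name: str) -> bool:
    """Windows hidden attribute when available, dot-prefix elsewhere."""
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or name.startswith(".")


def walk_drive(root: str) -> list[Entry]:
    """Build Entry records for every item under a real drive root (e.g. 'E:\\\\')."""
    entries: list[Entry] = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        for name, is_dir in [(d, True) for d in dirnames] + [(f, False) for f in filenames]:
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue
            rel = f"{rel_dir}/{name}" if rel_dir else name
            entries.append(Entry(rel, is_dir, _hidden_on_disk(st, name)))
    return entries


# Constructed sample listing: one clean folder, one shortcut-swapped document,
# one Windows system folder (benign) and one suspicious hidden staging folder.
SAMPLE_ENTRIES = [
    Entry("Documents", True, False),
    Entry("Documents/report.docx", False, True),
    Entry("Documents/report.docx.lnk", False, False),
    Entry("Documents/notes.txt", False, False),
    Entry("System Volume Information", True, True),
    Entry("usbstage", True, True),
    Entry("usbstage/cmd.txt", False, False),
]

if __name__ == "__main__":
    import sys
    source = walk_drive(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    for finding in find_indicators(source):
        print(*finding)
```

Run it with a drive letter as the only argument to scan real media, or with no arguments to see the two findings from the constructed sample. On a host, the scheduled task name (rubyupdatecheck) and the disguised usbspeed.exe binary that the article names are the complementary hunt points.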

[Figure: Overview of the Ruby Jumper attack chain. Source: Zscaler]

Zscaler reports that THUMBSBD also delivers FOOTWINE, a Windows spyware backdoor disguised as an Android package file (APK) that supports keylogging, screenshot capture, audio and video recording, file manipulation, registry access, and remote shell commands.

Another piece of malware observed in APT37's RubyJumper campaign is BLUELIGHT, a full-fledged backdoor previously associated with the North Korean threat group.

Zscaler attributes the RubyJumper campaign to APT37 with high confidence based on several indicators, including the use of the BLUELIGHT malware, an initial vector relying on LNK files, a two-stage shellcode delivery technique, and C2 infrastructure typically observed in attacks from this actor.

The researchers also note that the decoy document indicates that the target of the RubyJumper activity is interested in North Korean media narratives, which aligns with the victim profile of this threat group.

Article source: https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/