# Uncovering the Ruby Jumper Campaign: APT37's Latest Malicious Toolkit Expansion

In a recent discovery by Zscaler ThreatLabz, a sophisticated cyber espionage group linked to North Korea has been observed running a new campaign that uses removable-media infection tools to reach air-gapped systems. The group, known as APT37 and also tracked as ScarCruft, Ruby Sleet, InkySquid, Ricochet Chollima and Velvet Chollima, is one of the best-known hacking teams in this space and has been active since at least 2012.

Initially focused on the public and private sectors in South Korea, APT37 expanded its operations in 2017 to include Japan, Vietnam and the Middle East, as well as a wider range of industry verticals. This new campaign, dubbed 'Ruby Jumper', shows the group's continued evolution and its ability to breach even tightly secured systems.

The Ruby Jumper campaign uses a set of six malicious tools across the attack lifecycle, five of which had never been documented before. It relies on removable media to infect air-gapped systems and to pass commands and collected information between them, demonstrating a high level of adaptability and persistence.

## Exploiting Windows Shortcuts

APT37 gained initial access using its traditional method: abusing Windows shortcut (LNK) files. When a victim opens a malicious LNK file, it launches a PowerShell command that scans the current directory to locate the LNK itself by file size. The PowerShell script then carves multiple embedded payloads from fixed offsets within that LNK: a decoy document, an executable payload, another PowerShell script, and a batch file.

The decoy document displays an article about the Palestine-Israel conflict, translated from a North Korean newspaper into Arabic. The executable payload is a newly discovered implant, dubbed Restleaf by the ThreatLabz team, which uses Zoho WorkDrive for command-and-control (C2) communications to fetch additional payloads.
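As an added defensive triage example (not from the Zscaler report and not APT37's tooling): a Python script that validates a shortcut's ShellLink header and then scans everything after the header for embedded file signatures and PowerShell strings, the two traits the carving technique above leaves behind in the LNK. The report gives no offsets, so the script scans for magic bytes rather than fixed offsets; the size threshold, the signature list and the sample bytes are constructed assumptions.

```python
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Signatures of the kinds of files the chain carves from the LNK (decoy document, executable).
EMBEDDED_SIGNATURES = {b"MZ": "pe_executable", b"%PDF": "pdf_document",
                       b"PK\x03\x04": "zip_or_office_document"}
SUSPICIOUS_SIZE = 16 * 1024  # assumed threshold, not from the report
PS_ASCII = b"powershell"
PS_UTF16 = PS_ASCII.decode().encode("utf-16-le")  # scripts stored as wide strings

def is_lnk(data: bytes) -> bool:
    """Validate the ShellLink header: HeaderSize == 0x4C and the fixed LinkCLSID."""
    return (len(data) >= LNK_HEADER_SIZE and data[4:20] == LNK_CLSID
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE)

def _confirm_pe(body: bytes, off: int) -> bool:
    """Cut false hits on a bare 'MZ' by checking that e_lfanew points at 'PE\\0\\0'."""
    if len(body) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", body, off + 0x3C)[0]
    return body[off + e_lfanew: off + e_lfanew + 4] == b"PE\x00\x00"

def triage_lnk(data: bytes) -> dict:
    """Report embedded payload signatures and PowerShell references in one LNK."""
    findings = {"is_lnk": is_lnk(data), "size": len(data), "embedded": [],
                "oversized": len(data) > SUSPICIOUS_SIZE, "powershell_refs": 0}
    if not findings["is_lnk"]:
        return findings
    body = data[LNK_HEADER_SIZE:]  # anything past the header is where payloads hide
    for magic, label in EMBEDDED_SIGNATURES.items():
        for m in re.finditer(re.escape(magic), body):
            if magic == b"MZ" and not _confirm_pe(body, m.start()):
                continue
            findings["embedded"].append((label, LNK_HEADER_SIZE + m.start()))
    findings["embedded"].sort(key=lambda hit: hit[1])
    findings["powershell_refs"] = sum(data.lower().count(p) for p in (PS_ASCII, PS_UTF16))
    return findings

def build_sample() -> bytes:
    """Constructed sample (not a real Ruby Jumper file): valid LNK header, then a decoy
    PDF, a minimal PE stub and PowerShell strings (ASCII and UTF-16) appended after it."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    decoy = b"%PDF-1.4\n%decoy document\n"
    pe = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x80)
    pe += b"\x00" * (0x80 - len(pe)) + b"PE\x00\x00"
    script = b"powershell -c Get-Date" + "powershell".encode("utf-16-le")
    return header + b"\x00" * 200 + decoy + pe + script
```

Run `triage_lnk` over the `.lnk` files on a suspect removable drive; a hit on `embedded` or `powershell_refs` in a shortcut is worth pulling for analysis even when the file is not oversized.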

## Restleaf: A New APT37 Implant

Restleaf profiles the compromised system and establishes persistence before retrieving follow-on components from Zoho WorkDrive. Among these is SnakeDropper, a loader responsible for decrypting and deploying additional modules in memory, reducing on-disk artefacts.

To extend access beyond the initially infected host, APT37 deploys ThumbSBD, a tool specifically designed to propagate via removable media. ThumbSBD monitors for connected USB drives, copies a tailored infection package onto them, and abuses shortcut files to ensure execution when the drive is opened on another system.

## Propagation via Removable Media

ThumbSBD's USB propagation enables lateral movement into isolated or segmented environments. When an infected USB device reaches an air-gapped machine, the infection chain resumes. VirusTask executes as a lightweight backdoor, collecting system information and staging data for exfiltration.

Because the system lacks direct internet access, APT37 again relies on removable media: stolen data is written back to the USB drive in hidden or obfuscated form. The operators also deploy FootWine, a reconnaissance and collection utility focused on harvesting documents and monitoring removable drive activity, ensuring valuable data is queued for extraction.

## Supporting Components

Supporting these newer components is BlueLight, a previously documented APT37 tool used for command execution and data theft. In connected environments, BlueLight communicates with external C2 infrastructure. In air-gapped scenarios, it facilitates tasking and data staging for delayed exfiltration via USB.

In conclusion, the Ruby Jumper campaign highlights the continued evolution of APT37's tactics, techniques, and procedures (TTPs). The use of removable media infection tools to breach air-gapped systems demonstrates a high level of sophistication and adaptability. Security professionals should stay informed about emerging threats like this one and take proactive measures to protect their systems and data from such activity.

**Keywords:** APT37, Ruby Jumper, North Korea, cyber espionage, air-gapped networks, removable media, malware, vulnerability, hacking, cybersecurity, threat intelligence.