A new cyberattack linked to North Korea has been discovered, and its approach differs from typical intrusion methods. The group behind this operation is APT37, which is already known for cyber-espionage activity. This time, Facebook is the main entry point. Instead of attacking systems directly, the operators first target people and gain their trust. This shows how modern cyberattacks are becoming more human-focused rather than purely technical.

The attack begins with fake Facebook profiles created by the hackers. These profiles are designed to look real, often showing locations like Pyongyang or nearby regions. They send friend requests to selected targets and wait for them to accept. Once connected, they start normal conversations to build trust over time. This step is very important because it makes the victim feel comfortable and lowers any suspicion.
As the conversation continues, the attackers slowly guide it toward more serious topics. In some cases, they even move the chat from Facebook Messenger to other platforms like Telegram. This shift makes the interaction feel more private and secure to the victim. By this stage, the victim usually trusts the attacker completely. This is a classic example of social engineering, where manipulation is used instead of direct hacking.
After gaining trust, the attackers send a file to the victim. They claim it contains important or sensitive information, sometimes even mentioning military-related documents. However, they also say that the file requires a special PDF viewer to open. This is where the actual attack begins. The victim is convinced to download and install the software without realizing the risk.
The PDF viewer is actually a trojanized build of Wondershare PDFelement, a legitimate application. It works normally on the surface, so nothing seems suspicious to the user, but in the background it runs malicious code. This hidden activity lets the attackers start their operation without being noticed. Wrapping the attack in real, functioning software makes it far more convincing and dangerous.
Once installed, the malware operates in multiple stages to avoid detection. First, the viewer behaves as expected while the embedded code runs in the background. Then it injects into trusted system processes so that its activity blends in with legitimate ones. After that, additional payloads are downloaded, sometimes disguised as ordinary image files such as JPGs. Finally, the main malware, RokRAT, is fully deployed on the system.
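The "disguised as a JPG" stage above suggests a simple triage check a defender can run over files that arrived with an image extension: does the content actually have JPEG structure, and is anything appended after the image ends? The script below is an added illustration, not code from the original report or from any tool it names; the sample files and the 64-byte slack threshold are constructed assumptions.

```python
# Added illustration: heuristic triage of files delivered with a .jpg extension,
# checking whether the bytes are structured like a JPEG and whether data is
# appended after the image ends. All sample inputs below are constructed.
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"

def jpeg_end_offset(data: bytes):
    """Walk the JPEG marker segments and return the offset just past the EOI
    marker, or None if the bytes are not structured like a JPEG."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                               # EOI with no scan data
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:     # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                               # SOS: entropy-coded data
            eoi = data.find(EOI, pos)                    # follows; FF D9 cannot
            return None if eoi < 0 else eoi + 2          # occur inside it
    return None

def triage_image_file(data: bytes, slack_limit: int = 64):
    """Return (verdict, trailing_bytes) for a file delivered as an image.
    slack_limit (assumed) tolerates small metadata tails some tools append."""
    end = jpeg_end_offset(data)
    if end is None:
        return "not-a-jpeg", 0
    trailing = len(data) - end
    return ("jpeg-with-trailing-data" if trailing > slack_limit else "jpeg"), trailing

# Constructed samples (not real campaign artifacts).
MINIMAL_JPEG = (SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS
    + b"\x12\x34\xff\x00\x56"                                          # scan data
    + EOI)
SAMPLES = {
    "photo.jpg": MINIMAL_JPEG,
    "scan.jpg": b"MZ\x90\x00" + b"\x00" * 60,        # executable renamed to .jpg
    "holiday.jpg": MINIMAL_JPEG + b"\x90" * 200,     # payload appended after EOI
}

def flagged(samples=SAMPLES):
    """Names of samples whose content does not match a plain JPEG."""
    return sorted(n for n, d in samples.items() if triage_image_file(d)[0] != "jpeg")
```

Files flagged this way are candidates for further analysis, not proof of compromise; the check is a cheap filter that catches renamed executables and image polyglots carrying an appended payload.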
RokRAT is a powerful remote access tool that gives attackers control over the infected device. It can capture screenshots, run commands, collect system data, and steal important files. The victim may not even realize that their system is compromised. It is designed to stay hidden and continue working in the background. This makes it a serious threat, especially for sensitive targets.
Overall, this campaign highlights how cyberattacks are evolving with time. Instead of just exploiting technical weaknesses, attackers are now targeting human behavior. The use of social media platforms like Facebook makes the attack more effective and harder to detect. Even though the malware itself is not new, the delivery method is becoming more advanced. This is a reminder to stay cautious while interacting online and avoid trusting unknown sources too easily.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news