North Korean hackers have deployed a sophisticated toolkit designed to bridge the gap between internet-connected and physically isolated systems via removable drives. Attributed to the state-backed group APT37, this campaign uses a series of specialized Ruby-based tools to conduct covert surveillance and move data across air-gapped environments.
The Ruby Jumper campaign, attributed to the North Korean threat group APT37, targets air-gapped systems, which are physically disconnected from the internet for security. These environments, common in military and critical infrastructure sectors, are breached when the group uses removable storage devices as a covert relay for commands and data. By exploiting the physical transfer of files, the attackers can reach isolated hardware that would otherwise be inaccessible through traditional network-based intrusion methods.
The infection process starts with a malicious shortcut file that executes a PowerShell script while displaying a decoy document concerning the Palestine-Israel conflict to mask the intrusion. This script deploys a preliminary implant called RESTLEAF, which establishes communication with the attackers' infrastructure through Zoho WorkDrive. This initial foothold allows the hackers to download more advanced payloads and prepare the target system for the installation of the broader toolkit.
To maintain a persistent presence, the attackers install a full Ruby programming environment disguised as a legitimate USB utility. A specific loader known as SNAKEDROPPER modifies the RubyGems infrastructure to ensure that malicious code runs automatically every five minutes via scheduled tasks. This level of integration into the system’s runtime environment makes the malware difficult to detect and provides a stable platform for the group’s subsequent surveillance activities.
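As an added defender-side example, not code from the original article or from the campaign reporting it summarises: a Python hunt over exported Windows Scheduled Task XML (the output of `schtasks /query /xml`) for the persistence pattern described above, a Ruby interpreter launched on a five-minute repetition. The task name, paths and arguments in the embedded sample are constructed placeholders, not indicators from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of exported Windows Scheduled Task XML (schtasks /query /xml /tn <name>).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
RUBY_BINARIES = ("ruby.exe", "rubyw.exe")

# Constructed sample task: a Ruby interpreter staged under a "USB utility" folder and
# re-run every five minutes. Task name, paths and arguments are invented placeholders.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\UsbDriveHelper</URI></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2024-01-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT5M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\Public\UsbTool\bin\rubyw.exe</Command>
    <Arguments>C:\Users\Public\UsbTool\lib\ruby\gems\update.rb</Arguments>
  </Exec></Actions>
</Task>"""


def iso_duration_seconds(text):
    """Convert an ISO 8601 duration (PT5M, P1DT2H30M) into seconds; None if unparseable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def suspicious_ruby_tasks(task_xml, max_interval=300):
    """Flag actions that launch Ruby when the task repeats at most every max_interval seconds."""
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)
    intervals = [iso_duration_seconds(i.text or "")
                 for i in root.findall(".//t:Repetition/t:Interval", NS)]
    short = [i for i in intervals if i is not None and i <= max_interval]
    findings = []
    for exe in root.findall("t:Actions/t:Exec", NS):
        parts = (exe.findtext("t:Command", namespaces=NS), exe.findtext("t:Arguments", namespaces=NS))
        cmdline = " ".join(p for p in parts if p)
        # Match the interpreter anywhere on the command line (covers wrappers like cmd /c).
        if short and any(b in cmdline.lower() for b in RUBY_BINARIES):
            findings.append({"task": uri, "command": cmdline, "interval_s": min(short)})
    return findings


if __name__ == "__main__":
    for f in suspicious_ruby_tasks(SAMPLE_TASK_XML):
        print(f"{f['task']}: ruby every {f['interval_s']}s -> {f['command']}")
```

Run it over every task exported from a host to list the ones that combine a Ruby interpreter with a short repetition interval; the interval threshold and binary names are the assumptions to tune for your environment.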
The toolkit includes specialized components like THUMBSBD and VIRUSTASK, which handle the heavy lifting of data collection and exfiltration. THUMBSBD is particularly significant because it creates hidden directories on any detected USB drives to store stolen information and stage incoming commands. This effectively turns every removable drive plugged into the machine into a bidirectional bridge, allowing the hackers to leapfrog over air gaps and move files between secure and non-secure zones.
By leveraging these five distinct malicious tools, APT37 has demonstrated a high level of technical proficiency in bypassing modern security perimeters. The ability to automate the infection of removable media ensures that even the most isolated research or military networks remain vulnerable to data theft. This campaign highlights a persistent and creative effort by North Korean state actors to refine their surveillance capabilities against high-value targets worldwide.
Source: APT37 Deploys New Malware To Breach Air-Gapped Networks