North Korean APT37 Weaponizes USBs to Infiltrate Air-Gapped Networks
For years, security professionals have considered "air-gapping"—physically isolating a computer from unsecured networks—as the ultimate defense against cyber espionage. However, a recent campaign attributed to the North Korean threat group APT37 (also known as Reaper or ScarCruft) serves as a stark reminder that physical isolation is not a silver bullet.
By leveraging a new strain of malware designed specifically to propagate via removable media, APT37 has successfully demonstrated the ability to bridge the gap between internet-connected systems and highly secure, offline environments. This development necessitates a shift in how we approach perimeter defense and insider threat monitoring.
The Threat Landscape: Breaking the Air Gap
APT37 is a state-sponsored actor with a history of targeting manufacturing, aerospace, and defense sectors. While their initial access vectors typically involve spear-phishing, their latest evolution focuses on lateral movement across physical boundaries.
The mechanics of this attack are sophisticated yet rely on a classic vector: the USB drive. Once a machine within a compromised network is infected, the malware waits for a USB drive to be inserted. It then drops a malicious payload onto the drive, often disguising it as a legitimate folder or file icon to trick a user into clicking it when the drive is later plugged into an air-gapped system.
Once the air-gapped system is compromised, the malware establishes a foothold for surveillance and data exfiltration, eventually moving stolen data back to the USB drive to be transported out to an internet-connected system.
Technical Analysis: TTPs and Attack Vectors
Understanding the Tactics, Techniques, and Procedures (TTPs) of APT37 is critical for detection. The group utilizes a suite of custom malware families, often employing Living off the Land (LotL) techniques to blend in with normal administrative activity.
Key Attack Vectors
- Initial Compromise: Phishing emails delivering malicious documents or loaders.
- Bridging the Gap: Using WMI (Windows Management Instrumentation) and PowerShell to detect USB insertion events and write malicious files to removable volumes.
- Execution on Air-Gapped Hosts: Exploiting the LNK file vulnerability or using DLL side-loading techniques to execute code without triggering standard antivirus warnings, relying on social engineering to get the user to interact with the file on the USB drive.
While specific CVEs may vary depending on the exact malware variant used in specific campaigns, APT37 frequently exploits known vulnerabilities in the Windows OS or third-party software to escalate privileges. However, the primary risk here is not a software flaw, but a procedural vulnerability: the trust placed in removable media.
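The "disguised as a folder" lure above can be audited directly on a mounted drive. As an added example (not from the original article), this PowerShell function, with the hypothetical name Find-SuspiciousUsbShortcut, walks every shortcut on a removable volume and reports those with a hidden twin folder, a script-host target, or arguments that reference a DLL or script; it assumes the drive is already mounted under the letter you pass in.

```powershell
function Find-SuspiciousUsbShortcut {
    # Audit every .lnk on a removable volume and report shortcuts that look like
    # the "fake folder" lure: a hidden twin folder, a script-host target, or
    # arguments that reference a DLL/script. $DriveLetter is e.g. 'E:'.
    param([Parameter(Mandatory)][string]$DriveLetter)

    $drive = $DriveLetter.TrimEnd('\')
    $disk  = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if (-not $disk -or $disk.DriveType -ne 2) {
        throw "$drive is not a removable drive (Win32_LogicalDisk.DriveType 2)"
    }

    # Hosts commonly used to run a hidden payload from a shortcut
    $loaderHosts = 'cmd.exe','powershell.exe','pwsh.exe','rundll32.exe',
                   'regsvr32.exe','mshta.exe','wscript.exe','cscript.exe'
    $shell = New-Object -ComObject WScript.Shell

    Get-ChildItem -Path "$drive\" -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)
        $target  = ([System.IO.Path]::GetFileName([string]$lnk.TargetPath)).ToLower()
        $reasons = @()

        # Shortcut named like a folder that also exists beside it but is hidden
        $twin = Join-Path $_.DirectoryName $_.BaseName
        if (Test-Path -LiteralPath $twin -PathType Container) {
            $attrs = (Get-Item -LiteralPath $twin -Force).Attributes
            if (($attrs -band [System.IO.FileAttributes]::Hidden) -ne 0) { $reasons += 'hidden twin folder' }
        }
        if ($loaderHosts -contains $target) { $reasons += "target is $target" }
        if ([string]$lnk.Arguments -match '(?i)\.(dll|ps1|vbs|js|bat|cmd)\b|-enc|hidden|/c\s') {
            $reasons += 'arguments reference a script, DLL or hidden window'
        }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Path      = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# Usage on the host where the drive is mounted:
# Find-SuspiciousUsbShortcut -DriveLetter 'E:' | Format-Table -AutoSize
```

Run it from a clean analysis workstation rather than the air-gapped host itself, since enumerating the drive is read-only but the shortcuts should never be opened.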
Detection and Threat Hunting
Detecting this type of activity requires monitoring for anomalous USB interactions and suspicious file behaviors. Below are specific queries and scripts you can use to hunt for indicators of compromise (IoCs) associated with this campaign.
KQL for Microsoft Sentinel / Microsoft 365 Defender
The following query surfaces file creation, rename and modification events on removable drives (DriveType = 2) that involve executables, DLLs or link files, together with the process that wrote them.
DeviceFileEvents // file create/rename/modify events live in this table, not DeviceEvents
| where ActionType in ("FileCreated", "FileRenamed", "FileModified")
| extend DriveType = tostring(parse_json(AdditionalFields).DriveType)
| where DriveType == "2" // 2 = removable drive
| where FileName endswith ".lnk" or FileName endswith ".dll" or FileName endswith ".exe"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
This query identifies executables or link files written directly to removable media, a common TTP for malware attempting to jump air gaps.
PowerShell Script for USB Forensics
You can use this PowerShell script on endpoints to audit recent USB insertion events and the processes that interacted with them immediately following the mount.
# Note: this log is disabled by default; enable it before relying on it, e.g.
#   wevtutil sl Microsoft-Windows-DriverFrameworks-UserMode/Operational /e:true
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DriverFrameworks-UserMode/Operational'; ID=2003, 2004, 2005, 2006} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    ForEach-Object {
        $event = $_
        if ($event.Id -eq 2003) {
            Write-Host "[$($event.TimeCreated)] USB Device Inserted: $($event.Message)" -ForegroundColor Cyan
        }
        if ($event.Id -eq 2006) {
            Write-Host "[$($event.TimeCreated)] USB Device Ejected: $($event.Message)" -ForegroundColor Yellow
        }
    }
Mitigation Strategies
Protecting against USB-borne threats requires a multi-layered approach that combines technical controls with user awareness.
- Strict USB Policy Enforcement:
  - Implement Group Policy Objects (GPO) that deny write access to removable storage for most user groups.
  - Configure BitLocker To Go so that even if a drive is stolen, its contents cannot be read without the decryption key.
- Endpoint Detection and Response (EDR):
  - Ensure your EDR solution monitors for process injection attempts originating from D:, E:, or other removable drive letters.
  - Block execution of LNK and script files from non-local sources.
- Physical Port Controls:
  - For truly critical air-gapped environments, physically block USB ports using epoxy or port locks.
  - Use hardware USB blockers that prevent unauthorized data transmission while still allowing input devices like keyboards.
- User Education:
  - Train employees never to plug in unknown USB drives found in parking lots or received by mail.
  - Encourage a "see something, say something" culture regarding unauthorized hardware usage.
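The GPO and BitLocker To Go items under Strict USB Policy Enforcement map to a handful of registry values that Group Policy writes. As an added example (not from the original article), the PowerShell below applies and reads back those values locally so a setting can be verified on a test machine before it is rolled out; the function names are hypothetical, and it assumes an elevated prompt and that the policy takes effect after gpupdate or a reboot.

```powershell
# Removable Disks device setup class; Group Policy stores its "Removable Disks:
# Deny write/execute access" settings under this key.
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$StoragePolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"
# BitLocker policy "Deny write access to removable drives not protected by BitLocker"
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-RemovableDiskPolicy {
    # Hardening for the "most users" case: no writes and no execution from
    # removable disks; where writes are allowed, only to BitLocker-protected drives.
    param([switch]$AllowWrite)   # pass -AllowWrite for the approved data-transfer group

    foreach ($key in $StoragePolicyKey, $FvePolicyKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    $denyWrite = if ($AllowWrite) { 0 } else { 1 }
    New-ItemProperty -Path $StoragePolicyKey -Name Deny_Write   -PropertyType DWord -Value $denyWrite -Force | Out-Null
    New-ItemProperty -Path $StoragePolicyKey -Name Deny_Execute -PropertyType DWord -Value 1 -Force | Out-Null
    # Even for the transfer group, require BitLocker To Go on the destination drive
    New-ItemProperty -Path $FvePolicyKey -Name RDVDenyWriteAccess -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-RemovableDiskPolicy {
    # Read back the configured values so the setting can be audited after rollout
    $s = Get-ItemProperty -Path $StoragePolicyKey -ErrorAction SilentlyContinue
    $f = Get-ItemProperty -Path $FvePolicyKey     -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        DenyWrite               = [bool]$s.Deny_Write
        DenyExecute             = [bool]$s.Deny_Execute
        RequireBitLockerToWrite = [bool]$f.RDVDenyWriteAccess
    }
}

# Usage from an elevated prompt on a test machine:
# Set-RemovableDiskPolicy; Test-RemovableDiskPolicy
```

In production these values should come from a domain GPO rather than a local script, so that a local administrator cannot simply delete the key.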
The APT37 campaign highlights the relentless creativity of nation-state actors. As defenders, we must assume that no perimeter is impenetrable and focus on detecting the lateral movement that signals a breach in progress.