The Myth of the Air Gap
For decades, security teams have relied on "air-gapping"—physically isolating sensitive networks from the internet—as the ultimate defense against cyber espionage. The logic is sound: if a computer cannot reach the internet, hackers cannot reach the computer. However, the persistent threat actors backed by nation-states moved past this barrier long ago.
Recently, the North Korean threat group known as ScarCruft (also tracked as APT37) reminded the industry of this harsh reality. In a campaign dubbed "Ruby Jumper" by Zscaler ThreatLabz, ScarCruft has deployed a sophisticated toolkit designed specifically to jump the air gap using a combination of cloud storage abuse and physical media. By weaponizing Zoho WorkDrive for command-and-control (C2) and using removable USB drives as a bridge, they have demonstrated that no network is truly inaccessible.
Deep Dive: The Ruby Jumper Mechanics
ScarCruft, historically focused on espionage targets in South Korea and elsewhere, continues to refine its toolset. The Ruby Jumper campaign is significant because it attacks the problem of isolation from two directions: the outside looking in, and the inside looking out.
1. Abusing Legitimate Cloud Services (Zoho WorkDrive)
One of the most difficult aspects of attacking an air-gapped network is establishing communication. Traditionally, attackers had to rely on the compromised machine connecting back to a malicious IP address, which is easily detected. In this campaign, ScarCruft utilizes Zoho WorkDrive, a legitimate cloud file management service.
By leveraging a trusted service like Zoho, the attackers bypass many traditional network defenses. Firewalls and proxies usually allow traffic to known productivity suites. The malware uses the WorkDrive API to fetch payloads and receive commands, blending in perfectly with normal administrative traffic. This is a variation of "Living off the Land" (LotL), applied to network infrastructure rather than local binaries.
2. The USB Bridge
While the cloud component handles the internet-facing side of the operation, the air-gapped breach relies on a more analog vector: the USB drive. The implant deployed by ScarCruft is designed to leverage removable media to relay commands.
The likely attack flow follows a "sneakernet" model:
- An initial compromise occurs on an internet-connected machine (perhaps via a phishing email).
- The malware downloads instructions from Zoho WorkDrive.
- When a USB drive is inserted, the malware writes a malicious payload or "jump" file onto it.
- When that USB is later plugged into the air-gapped, secure network, the payload executes, compromising the isolated environment.
This technique effectively turns the human operator into the data transport protocol, bypassing firewall rules entirely.
Detection and Threat Hunting
Detecting this type of activity requires looking for anomalies in both physical device usage and network traffic patterns to legitimate cloud services.
Hunting for Suspicious USB Activity (PowerShell)
You can audit recent USB device connections to identify unauthorized media. The following PowerShell command queries the User-Mode Driver Framework operational log for events tied to disk drive connections:
# The operational log is disabled by default; enable it first if the query returns nothing:
#   wevtutil sl Microsoft-Windows-DriverFrameworks-UserMode/Operational /e:true
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DriverFrameworks-UserMode/Operational'; ID=1003, 1004, 1010} |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
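The event log only tells you that something was plugged in. To find out which devices, and whether they were sanctioned, the USBSTOR registry hive keeps one key per device model and one per physical device instance, named after the serial the device reported. The script below is an added example, not code from the original post or from Zscaler's report; it walks that hive and flags every device whose serial is not on an allow-list. The $ApprovedSerials entries are constructed placeholders you replace with your own inventory, and the script assumes an elevated prompt.

```powershell
# Added example (not from the original post): list every USB mass-storage
# device Windows has ever enumerated on this host and flag the ones whose
# serial number is not on an approved-device allow-list.
# Assumptions: $ApprovedSerials is a placeholder list you replace with your
# own inventory; run from an elevated prompt so the Enum hive is readable.

$ApprovedSerials = @(
    'PLACEHOLDER-SERIAL-0001',   # constructed placeholder values
    'PLACEHOLDER-SERIAL-0002'
)

function Get-UsbStorageHistory {
    # USBSTOR holds one key per device model (Disk&Ven_...&Prod_...&Rev_...)
    # and beneath it one key per physical device instance. The instance key
    # name is the serial the device firmware reported, with "&<n>" appended.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path -Path $root)) { return @() }

    foreach ($modelKey in Get-ChildItem -Path $root) {
        foreach ($instanceKey in Get-ChildItem -Path $modelKey.PSPath) {
            $props  = Get-ItemProperty -Path $instanceKey.PSPath
            # Strip the trailing "&<n>" Windows appends to the instance name.
            $serial = ($instanceKey.PSChildName -split '&')[0]
            [PSCustomObject]@{
                Model        = $modelKey.PSChildName
                Serial       = $serial
                FriendlyName = $props.FriendlyName
                Approved     = ($ApprovedSerials -contains $serial)
            }
        }
    }
}

function Get-UnapprovedUsbStorage {
    # Devices that were plugged in at some point but are not on the list.
    Get-UsbStorageHistory | Where-Object { -not $_.Approved }
}

# Report: anything returned here is a device that should not have touched
# the machine under a strict USB policy and deserves a closer look.
Get-UnapprovedUsbStorage | Format-Table Model, Serial, FriendlyName -AutoSize
```

Devices that ship without a firmware serial get a Windows-synthesized instance ID (a short numeric token followed by "&"), so those rows show a serial like "6" rather than a real identifier; treat them as unknown devices rather than silently approving them. Run this on the air-gapped side as well as the internet-connected side: a serial that appears in both inventories is exactly the bridge device the campaign relies on.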
Monitoring for Malicious Process Execution (KQL)
Attackers often use scripts or binaries executed directly from the USB drive. Use this KQL query in Microsoft Sentinel (Defender advanced hunting schema) to hunt for processes whose image was launched from a drive other than the system drive:
DeviceProcessEvents
| where isnotempty(FolderPath)
// The first three characters of the image path are the drive root, e.g. "E:\"
| extend DriveLetter = toupper(substring(FolderPath, 0, 3))
// Keep images launched from anything other than the system drive; widen the
// exclusion if your fleet uses additional fixed drive letters
| where DriveLetter != @"C:\"
| where ProcessVersionInfoCompanyName != "Microsoft Windows"
| project Timestamp, DeviceName, FileName, FolderPath, DriveLetter, InitiatingProcessFileName
Detecting Abnormal Cloud Access (KQL)
Hunting for Zoho WorkDrive traffic from applications other than browsers can reveal malware C2 activity:
DeviceNetworkEvents
| where RemoteUrl contains "workdrive.zoho"
// Exclude the common browser vendors; anything else talking to WorkDrive is worth a look
| where InitiatingProcessVersionInfoCompanyName != "Microsoft Corporation"
    and InitiatingProcessVersionInfoCompanyName != "Google Inc"
    and InitiatingProcessVersionInfoCompanyName != "Mozilla Corporation"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, RemoteUrl, RemoteIP
Mitigation Strategies
Defending against "air-jumping" tactics requires a defense-in-depth approach that acknowledges the reality of human error and physical access.
- Strict USB Policy Enforcement: The most effective mitigation against USB malware is to physically block the threat. Implement Group Policy Objects (GPO) to disable USB mass storage devices for users who do not require them. In high-security environments, use physical USB port locks.
- Data Loss Prevention (DLP) and CASB: Deploy Cloud Access Security Broker (CASB) solutions to monitor and control access to services like Zoho WorkDrive. Ensure that only authorized, managed applications can authenticate to these services, and monitor for suspicious upload/download volumes.
- Least Privilege Access: Ensure users on sensitive networks do not have local administrator rights. This prevents malware from installing rootkits or persistent implants if a USB is accidentally inserted.
- Network Segmentation: Even within air-gapped environments, segment the network. If a USB bridge compromises one workstation, segmentation prevents lateral movement to the most critical servers.
- Endpoint Detection and Response (EDR): Deploy modern EDR solutions that can detect suspicious behavior, such as unsigned executables running from removable drives or unusual process injection attempts, rather than relying solely on signature-based antivirus.
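The USB policy item above is the one that actually stops the bridge, so it is worth verifying per host rather than trusting that the GPO applied. The script below is an added example, not code from the original post; it reads the registry values that the "Removable Disks: Deny read/write/execute access" policy writes, reports whether the USBSTOR driver is disabled, and with -Enforce (the script's own switch, not a Windows one) writes the same deny values locally. It assumes an elevated prompt; in a domain you would push these settings through Group Policy and use this only to audit the result.

```powershell
# Added example (not from the original post): audit the removable-disk
# access policy on a host and, with -Enforce, apply the same deny settings
# that the "Removable Disks: Deny read/write/execute access" GPO writes.
# Assumptions: -Enforce is this script's own switch; run elevated; in a
# domain, set these through Group Policy and use this script to audit.
param([switch]$Enforce)

# Device setup class GUID Windows uses for "Removable Disks" under the
# Removable Storage Access policy keys.
$RemovableDisksGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksGuid"
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$DenyValues = 'Deny_Read', 'Deny_Write', 'Deny_Execute'

function Get-RemovableStoragePolicy {
    # Each Deny_* value is a DWORD; a missing value means "not denied".
    $state = [ordered]@{}
    foreach ($name in $DenyValues) {
        $value = 0
        if (Test-Path -Path $PolicyKey) {
            $item = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = [int]$item.$name }
        }
        $state[$name] = $value
    }
    # Start = 4 disables the USBSTOR driver outright, so no USB disk mounts.
    $state['UsbStorDriverStart'] = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    [PSCustomObject]$state
}

function Set-RemovableStorageDenied {
    # Writes the three deny values the GPO would write (local equivalent).
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $DenyValues) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Test-RemovableStorageBlocked {
    # True when every access type is denied or the USBSTOR driver is disabled.
    $p = Get-RemovableStoragePolicy
    $notDenied = @($DenyValues | ForEach-Object { $p.$_ } | Where-Object { $_ -ne 1 })
    return ($notDenied.Count -eq 0 -or $p.UsbStorDriverStart -eq 4)
}

Write-Host 'Current removable-disk policy:'
Get-RemovableStoragePolicy | Format-List

if ($Enforce) {
    Set-RemovableStorageDenied
    Write-Host 'Deny_Read/Deny_Write/Deny_Execute set; re-plug devices or reboot for it to take effect.'
}

if (Test-RemovableStorageBlocked) {
    Write-Host 'Removable disks: BLOCKED'
} else {
    Write-Host 'Removable disks: allowed (policy gap)'
}
```

Deny_Execute on its own already defeats the "payload executes from the stick" step of the sneakernet flow while still letting approved users copy files; Deny_Read and Deny_Write close the transport entirely. Whichever level you choose, run the audit half of this script on both sides of the gap, because the policy only helps if the isolated hosts are the ones enforcing it.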
Conclusion
The Ruby Jumper campaign by ScarCruft is a stark reminder that high-value targets are never truly "off the grid" in the eyes of a determined adversary. By combining the anonymity of legitimate cloud infrastructure with the physical reach of USB media, they have created a versatile tool for bypassing even the most stringent network isolation. Security teams must evolve beyond simple perimeter defenses and adopt rigorous endpoint controls and visibility to close these physical and digital gaps.