root@rebel:~$ cd /news/threats/apt37-deploys-shroudedvue-malware-to-target-air-gapped-networks_
[TIMESTAMP: 2026-02-27 20:12 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

APT37 Deploys SHROUDEDVUE Malware to Target Air-Gapped Networks

HIGH | Threat Intel | #APT37 #ScarCruft #SHROUDEDVUE
AI-Assisted Analysis
READ_TIME: 4 min read

North Korean state-sponsored threat group APT37, also known as ScarCruft, RedEyes, or Reaper, has refined its toolkit to specifically target air-gapped networks. According to BleepingComputer, the group is now employing a specialized malware suite designed to bypass the physical isolation of high-security environments. This campaign represents a significant escalation in the group’s technical capabilities, moving beyond traditional phishing to complex, multi-stage attacks involving removable media.

The primary components of this new operation include malware families dubbed SHROUDEDVUE, WASHSYNC, and WIDESTEP. These tools work in tandem to facilitate data exfiltration from systems that lack a direct connection to the internet. The process typically begins with the infection of an internet-connected host, which then poisons any connected USB drives. When these drives are subsequently used on air-gapped machines, the malware executes, harvests sensitive data, and hides it within the drive’s hidden sectors or specific file structures to be retrieved later when the drive is reconnected to an internet-connected system.

Technical Analysis of the Attack Chain

The infection vector often utilizes malicious LNK files or compiled HTML help files (CHM) delivered via spear-phishing. Once a foothold is established on an internet-facing workstation, the actor deploys components that monitor for the insertion of removable storage devices.

SHROUDEDVUE: The Core Exfiltration Engine

SHROUDEDVUE is the primary tool responsible for identifying and stealing documents from the air-gapped target. It is programmed to scan local directories for specific file extensions related to government reports, military documents, and strategic communications. Unlike standard malware that attempts immediate network communication, SHROUDEDVUE stores captured data in a hidden archive on the USB drive. This “dead drop” approach ensures that the malware remains silent until the physical medium is moved back to a compromised host with internet access.

WASHSYNC and WIDESTEP Mechanisms

WASHSYNC serves as the bridge between the two environments. On the internet-connected side, it handles the upload of stolen data to actor-controlled infrastructure and the preparation of the USB drive for the next air-gap jump. WIDESTEP acts as a secondary loader, ensuring the persistence of the malware across reboots and providing a mechanism for updating the malicious components when the USB drive returns to an infected host. These tools demonstrate a high level of coordination, as they must account for the asynchronous nature of air-gap traversal.

Strategic Implications and Attribution

APT37 has historically focused its efforts on South Korean government entities, non-governmental organizations (NGOs), and defectors. The adoption of air-gap jumping techniques indicates that the group is pursuing higher-value intelligence typically stored on isolated networks, such as cryptographic keys, strategic defense plans, or proprietary research. This shift suggests a more patient and resourceful adversary that is willing to wait for physical movement—the “human bridge”—to complete its objective. The use of specialized malware to bridge the gap between IT and OT or secure enclaves is a hallmark of sophisticated nation-state operations.

Defensive Recommendations

Defending against air-gap jumping malware requires a combination of physical security, policy enforcement, and host-based monitoring.

  • Strict USB Policy Enforcement: Implement technical controls to block unauthorized removable media. If USB usage is necessary, utilize “sheep dip” stations to scan drives in an isolated environment before they are introduced to sensitive networks.
  • Monitor for LNK and CHM Anomalies: Threat hunters should look for unusual parent-child process relationships, such as hh.exe (HTML Help) or explorer.exe launching suspicious scripts from removable drives.
  • Host-Based Integrity Monitoring: Deploy File Integrity Monitoring (FIM) on air-gapped systems to detect the unauthorized creation of hidden directories or large, encrypted archives that may serve as staging areas for exfiltration.
  • Air-Gap Integrity Checks: Regularly audit isolated systems for unauthorized hardware modifications or the presence of non-standard drivers that may indicate a successful breach via physical media.
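To make the LNK/CHM hunting recommendation above concrete, here is a small Python detector (example code added for this write-up, not tooling from the report or from BleepingComputer) that runs over process-creation records and flags hh.exe or explorer.exe spawning a script host whose command line points at a removable drive. The record format, the REMOVABLE_DRIVES set and the sample lines are constructed assumptions; in production the removable-drive letters would come from host inventory.

```python
import re
from dataclasses import dataclass

# Script hosts that should not be children of the HTML Help viewer or of
# Explorer when their arguments point at removable media.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
SUSPECT_PARENTS = {"hh.exe", "explorer.exe"}

# Assumption: removable drive letters are supplied by the host inventory
# (on Windows, DriveType 2 in Win32_LogicalDisk). Constructed values here.
REMOVABLE_DRIVES = {"E:", "F:"}

# Matches a drive letter followed by ':\' that is not part of a longer word.
DRIVE_RE = re.compile(r"(?<![A-Za-z])([A-Za-z]:)\\")


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def references_removable(cmdline: str, removable=REMOVABLE_DRIVES) -> bool:
    return any(m.group(1).upper() in removable for m in DRIVE_RE.finditer(cmdline))


def is_suspicious(ev: ProcEvent, removable=REMOVABLE_DRIVES) -> bool:
    return (basename(ev.parent_image) in SUSPECT_PARENTS
            and basename(ev.image) in SCRIPT_HOSTS
            and references_removable(ev.command_line, removable))


def parse_line(line: str) -> ProcEvent:
    # Constructed record format: pipe-separated Key=Value fields (no '|' inside values).
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def scan(lines) -> list:
    """Return the events that match the hh.exe/explorer.exe -> script-from-USB pattern."""
    return [ev for ev in map(parse_line, lines) if is_suspicious(ev)]


# Constructed sample records; only the first two should be flagged.
SAMPLE_LOG = [
    r"ParentImage=C:\Windows\hh.exe|Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe E:\Reports\report.vbs",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c F:\setup\run.bat",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe E:\notes.txt",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File C:\Scripts\backup.ps1",
]
```

The rule is deliberately narrow (only the two parents named in the recommendation); widening SUSPECT_PARENTS or SCRIPT_HOSTS is a tuning decision for the environment.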
