North Korean state-backed hackers APT37 have developed sophisticated malware tools that can bridge air-gapped networks using removable drives, enabling data exfiltration from isolated systems through a multi-stage Ruby-based attack chain.

APT37's RubyJumper Campaign Targets Critical Infrastructure
Security researchers at Zscaler have uncovered a new malware campaign, dubbed "RubyJumper," attributed to APT37, also known as ScarCruft, Ricochet Chollima, and InkySquid. This North Korean threat group has built a toolkit designed specifically to breach air-gapped networks: systems physically isolated from the internet that are commonly used in critical infrastructure, military installations, and research facilities.
The infection chain begins when victims open a malicious Windows shortcut (LNK) file. This triggers a PowerShell script that extracts embedded payloads while simultaneously launching a decoy document to divert attention. Notably, the decoy document is an Arabic translation of a North Korean newspaper article about the Palestine-Israel conflict, suggesting the attackers are targeting individuals interested in North Korean media narratives.
Five-Piece Malware Toolkit Bridges Air Gaps
Zscaler researchers identified five malicious tools in the RubyJumper campaign:
- RESTLEAF: An implant that communicates with APT37's command-and-control infrastructure using Zoho WorkDrive
- SNAKEDROPPER: A Ruby-based loader that prepares the attack environment
- THUMBSBD: A backdoor that creates hidden directories on USB drives and uses them as a covert relay for both commands and exfiltrated data
- VIRUSTASK: A propagation module that weaponizes removable drives to infect further air-gapped machines
- FOOTWINE: A Windows spyware backdoor disguised as an Android APK
How the Attack Works
The attack proceeds in stages. Once the initial PowerShell script has deployed RESTLEAF, that implant fetches encrypted shellcode from the C2, which in turn downloads SNAKEDROPPER. SNAKEDROPPER then installs a Ruby 3.3.0 runtime disguised as a legitimate USB utility named "usbspeed.exe."
"SNAKEDROPPER is primed for execution by replacing the RubyGems default file operating_system.rb with a maliciously modified version that is automatically loaded when the Ruby interpreter starts," the researchers explain. Persistence comes from a scheduled task (rubyupdatecheck) that runs every five minutes; each run starts the Ruby interpreter, which loads the modified operating_system.rb and with it the planted code.
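The persistence trick above hinges on a RubyGems convention: during start-up RubyGems tries to require rubygems/defaults/operating_system from the load path (ignoring a LoadError), so whatever code sits in that file runs with every ruby invocation. The Ruby script below is an added example, not code from Zscaler's report or from the malware. It locates every operating_system.rb the running interpreter could load and flags statements that have no business in a platform-defaults file; the indicator patterns are this example's own heuristics and assume nothing beyond the standard library. Distribution packages and RubyInstaller builds legitimately ship real code in this file (to redirect gem paths), so a :has_code verdict on its own is not an alert; compare the file against the package's pristine copy.

```ruby
# Added example: integrity triage of RubyGems' operating_system.rb hook.
# RubyGems does `require "rubygems/defaults/operating_system"` during
# start-up (ignoring LoadError), so code in that file runs on every
# `ruby` invocation. Indicator patterns below are this example's own
# heuristics, not signatures from the report.

# A line that is blank or a comment (no code). =begin/=end blocks and
# heredocs are not handled; they would simply surface as code lines.
COMMENT_OR_BLANK = /\A\s*(#.*)?\s*\z/

# Constructs that are hard to justify in a platform-defaults file.
SUSPICIOUS = {
  "network access"     => /\b(Net::HTTP|net\/http|open-uri|URI\.open|\w*Socket)\b/,
  "process execution"  => /\b(system|spawn|exec|IO\.popen|Open3)\b|`/,
  "dynamic evaluation" => /\b(eval|instance_eval|class_eval|module_eval)\b/,
  "encoded payload"    => /\bBase64\b|\b(un)?pack1?\(|\.hex\b/,
  "filesystem writes"  => /\bFile\.(write|binwrite|rename|delete)\b|\bFileUtils\b/,
}.freeze

# Classify one file's source text.
#   :verdict    => :stock (comments only), :has_code, or :suspicious
#   :code_lines => [[line_no, text], ...] for every non-comment line
#   :indicators => [[reason, line_no, text], ...]
def classify_operating_system_rb(source)
  code_lines = []
  indicators = []
  source.each_line.with_index(1) do |line, n|
    next if line.match?(COMMENT_OR_BLANK)
    text = line.rstrip
    code_lines << [n, text]
    SUSPICIOUS.each { |reason, re| indicators << [reason, n, text] if text.match?(re) }
  end
  verdict = if code_lines.empty?   then :stock
            elsif indicators.empty? then :has_code
            else                        :suspicious
            end
  { verdict: verdict, code_lines: code_lines, indicators: indicators }
end

# Every operating_system.rb this interpreter could load, in load-path order.
# `require` takes the first hit, so a planted copy earlier on the path wins
# even if the packaged one further down is untouched.
def installed_operating_system_files
  $LOAD_PATH.map { |dir| File.join(dir.to_s, "rubygems", "defaults", "operating_system.rb") }
            .select { |path| File.file?(path) }
            .uniq
end

def report_file(path)
  r = classify_operating_system_rb(File.read(path))
  puts "#{path}: #{r[:verdict]} (#{r[:code_lines].size} code line(s))"
  r[:indicators].each { |reason, n, text| puts "  line #{n} [#{reason}]: #{text}" }
end

if __FILE__ == $PROGRAM_NAME
  files = ARGV.empty? ? installed_operating_system_files : ARGV
  puts "no operating_system.rb found on $LOAD_PATH" if files.empty?
  files.each { |f| report_file(f) }
end
```

Run it with the interpreter you are worried about (for a dropped runtime, that means invoking the suspect ruby binary itself, since $LOAD_PATH is per-installation), or pass explicit file paths as arguments to inspect copies pulled from a disk image.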
THUMBSBD, downloaded as "ascii.rb," creates hidden directories on detected USB drives and copies files to them. This transforms removable storage devices "into a bidirectional covert C2 relay," allowing the threat actor to deliver commands to air-gapped systems and extract data from them.
VIRUSTASK, delivered as "bundler_index_client.rb," spreads the infection to new air-gapped machines by weaponizing removable drives. It hides the legitimate files on the drive and replaces them with malicious shortcuts that execute the embedded Ruby interpreter when opened. The module triggers only if the inserted removable media has at least 2GB of free space.
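As an added example (not from Zscaler's report or from the malware), the Ruby script below triages a mounted removable drive for the artefacts this stage leaves behind: a .lnk placed beside a same-named document, shortcuts whose ShellLinkHeader has the HasArguments flag set (a shortcut to a document rarely needs command-line arguments, while one that launches an interpreter with a script path does), files carrying a .lnk extension that are not real shell links, and an .exe sitting alongside .rb files. The constructed sample drive reuses the file names quoted in the article; the placeholder document names are assumptions for the demo. Ruby's File::Stat does not expose the Windows hidden attribute, so the scan keys on names and shortcut headers rather than on the hidden bit.

```ruby
# Added example: triage scan of a removable drive for the shortcut-swap
# pattern (document hidden, same-named .lnk placed beside it) plus a
# dropped interpreter and Ruby scripts. Not code from the report; the
# sample layout in build_sample_drive is constructed for the demo.
require "find"
require "tmpdir"

LNK_HEADER_SIZE   = 0x4C   # ShellLinkHeader is always 76 bytes (MS-SHLLINK 2.1)
LNK_CLSID         = "\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46".b
LNK_HAS_ARGUMENTS = 0x20   # LinkFlags bit: a CommandLineArguments string is present

# Parse just the header; nil means "not a shell link" despite the extension.
def lnk_header(path)
  data = File.binread(path, LNK_HEADER_SIZE)
  return nil unless data && data.bytesize == LNK_HEADER_SIZE
  size, clsid, flags = data.unpack("Va16V")
  return nil unless size == LNK_HEADER_SIZE && clsid == LNK_CLSID
  { flags: flags, has_arguments: flags.anybits?(LNK_HAS_ARGUMENTS) }
end

# Walk the drive and return an array of { kind:, path:, detail: } findings.
def scan_removable_root(root)
  findings = []
  by_dir = Hash.new { |h, k| h[k] = [] }
  Find.find(root) { |p| by_dir[File.dirname(p)] << File.basename(p) if File.file?(p) }

  # A portable interpreter next to scripts is unusual on a data-transfer drive.
  all_files = by_dir.values.flatten
  exes = all_files.grep(/\.exe\z/i)
  rbs  = all_files.grep(/\.rb\z/i)
  if exes.any? && rbs.any?
    findings << { kind: :interpreter_and_scripts, path: root,
                  detail: "#{exes.join(', ')} alongside #{rbs.size} .rb file(s)" }
  end

  by_dir.each do |dir, names|
    lnks, others = names.partition { |n| n.downcase.end_with?(".lnk") }
    lnks.each do |lnk|
      path = File.join(dir, lnk)
      stem = lnk.sub(/\.lnk\z/i, "")
      # "Budget.xlsx.lnk" beside "Budget.xlsx", or "Budget.lnk" beside "Budget.xlsx"
      others.select { |o| o == stem || File.basename(o, ".*") == stem }.each do |o|
        findings << { kind: :shadowed_document, path: path, detail: "shortcut named after #{o}" }
      end
      hdr = lnk_header(path)
      if hdr.nil?
        findings << { kind: :not_a_shell_link, path: path, detail: "missing ShellLinkHeader magic" }
      elsif hdr[:has_arguments]
        findings << { kind: :lnk_with_arguments, path: path,
                      detail: format("LinkFlags=0x%08X", hdr[:flags]) }
      end
    end
  end
  findings
end

# Constructed sample drive for the demo (names other than usbspeed.exe and
# ascii.rb are placeholders, not indicators from the report).
def build_sample_drive(dir)
  header = ->(flags) { [LNK_HEADER_SIZE].pack("V") + LNK_CLSID + [flags].pack("V") + ("\0" * 52) }
  File.write(File.join(dir, "Budget.xlsx"), "placeholder spreadsheet")
  File.binwrite(File.join(dir, "Budget.xlsx.lnk"), header.call(0x01 | 0x04 | 0x20 | 0x80)) # swapped-in shortcut with arguments
  File.write(File.join(dir, "Notes.txt"), "harmless document, no shortcut")
  File.binwrite(File.join(dir, "Readme.lnk"), header.call(0x01))  # benign-looking shortcut, no arguments
  File.binwrite(File.join(dir, "usbspeed.exe"), "MZ" + ("\0" * 62))
  File.write(File.join(dir, "ascii.rb"), "# payload placeholder\n")
  File.binwrite(File.join(dir, "Junk.lnk"), "not a shortcut at all")
  dir
end

def report_drive(root)
  scan_removable_root(root).each { |f| puts "#{f[:kind]}: #{f[:path]} (#{f[:detail]})" }
end

if __FILE__ == $PROGRAM_NAME
  if ARGV[0]
    report_drive(ARGV[0])   # e.g. ruby scan.rb E:\
  else
    Dir.mktmpdir("usb-demo") { |d| build_sample_drive(d); report_drive(d) }
  end
end
```

Point it at the drive root to triage real media; without an argument it builds the constructed layout in a temporary directory and scans that. The header check deliberately stops at the 76-byte ShellLinkHeader, which is enough to tell a genuine shortcut from a renamed payload and to spot the arguments flag without parsing the variable-length target list.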
FOOTWINE Spyware and BLUELIGHT Backdoor
THUMBSBD also delivers FOOTWINE, a Windows spyware backdoor disguised as an Android package file (APK). This malware supports keylogging, screenshot capture, audio and video recording, file manipulation, registry access, and remote shell commands.
The researchers also observed BLUELIGHT, a full-fledged backdoor previously associated with North Korean threat groups, in the RubyJumper campaign.
Attribution and Implications
Zscaler attributes the RubyJumper campaign to APT37 with high confidence based on several indicators: the use of BLUELIGHT malware, an initial vector relying on LNK files, a two-stage shellcode delivery technique, and C2 infrastructure typically observed in attacks by this actor.
This campaign demonstrates APT37's evolving capabilities in breaching air-gapped networks—a significant concern for organizations that rely on physical isolation as a security measure. By leveraging removable media as an intermediary transport layer, the malware effectively bridges otherwise air-gapped network segments, potentially compromising systems that were considered secure due to their physical isolation.
Organizations with air-gapped systems should enforce strict removable media policies. Disabling AutoRun is necessary but not sufficient here: Windows has not auto-executed content from USB mass-storage devices since Windows 7, and this chain instead relies on a user opening a shortcut that stands in for a hidden document. Controls that address that step include showing hidden files and file extensions, using application control (AppLocker or WDAC) to block scripts and unsigned executables launched from removable drives, using write-protected or dedicated one-way transfer media, and regularly auditing isolated hosts for unexpected scheduled tasks and interpreters. The Arabic decoy documents also suggest APT37 is pursuing specific geopolitical interests, so organizations in the relevant regions should be especially vigilant.
The RubyJumper campaign represents a significant advancement in state-sponsored cyber espionage capabilities, demonstrating how a determined adversary can defeat air-gapping through multi-stage malware and creative abuse of a legitimate software runtime like Ruby.
