YoreKey

Malware

⚠️ Overview

YoreKey is a backdoor trojan first documented in late 2023 by the cybersecurity firm EclecticIQ, attributed to the North Korean threat group APT37 (also known as Reaper, ScarCruft). It functions as a stealthy remote access trojan (RAT) designed for espionage and data exfiltration, primarily targeting government and diplomatic entities in South Korea.

🔧 Technical Capabilities

YoreKey propagates via spear-phishing emails carrying malicious document attachments (typically HWP files) that exploit the CVE-2023-23479 vulnerability in the Hangul Word Processor. Upon execution, the malware establishes persistence by creating a scheduled task and modifying registry Run keys. It communicates with command-and-control (C2) servers over HTTPS using a custom protocol that mimics legitimate traffic, often employing domain-generation algorithms to evade blocklists. The RAT supports file upload/download, process injection into explorer.exe, keylogging, and screen capture. Evasion techniques include API unhooking, disabling Windows Defender via WMI queries, and sandbox detection based on measuring mouse-movement intervals.

📜 History & Notable Incidents

YoreKey was first observed in September 2023 during attacks against South Korea’s Ministry of Foreign Affairs and a major think tank, as reported by EclecticIQ in December 2023. No linked CVEs beyond CVE-2023-23479 have been publicly assigned. Law enforcement actions have not been documented, though South Korea’s NIS attributed the campaign to APT37 based on infrastructure overlaps with previous Kimsuky operations.

🔍 Detection Indicators

Known file hashes include SHA256 a3c9e7f1b2d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9 (from EclecticIQ report); note that this string is 62 hex characters, shorter than the 64 a SHA-256 digest requires, so verify it against the original report before loading it into a blocklist. Behavioral indicators include creation of the mutex YoreKeyMutex_2023 and registry entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to %APPDATA%\WindowsUpdate.exe. Network IOCs are C2 domains such as update-ms-win[.]com and cloud-api[.]live (sinkholed).
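The following is an added example, not code from the page or from the EclecticIQ report: it matches constructed endpoint telemetry (Run-key writes, mutex creations, DNS queries) against the indicators listed above and also shows why the printed hash fails a basic SHA-256 length check. The Event record shape and the sample hosts are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators as listed in the Detection Indicators section above.
# The hash string is reproduced exactly as printed; see is_valid_sha256.
REPORTED_SHA256 = "a3c9e7f1b2d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9"
MUTEX_IOCS = {"YoreKeyMutex_2023"}
C2_DOMAINS = {"update-ms-win.com", "cloud-api.live"}  # defanged in the text
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_PATTERN = re.compile(r"%APPDATA%\\WindowsUpdate\.exe$", re.IGNORECASE)

@dataclass
class Event:
    kind: str    # "registry", "mutex" or "dns" (assumed telemetry schema)
    host: str
    detail: str  # "key\value=data" for registry, mutex name, or queried domain

def is_valid_sha256(digest: str) -> bool:
    """A SHA-256 digest is exactly 64 hexadecimal characters."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", digest) is not None

def refang(domain: str) -> str:
    """Turn the page's defanged form (update-ms-win[.]com) back into a hostname."""
    return domain.replace("[.]", ".")

def match_event(ev: Event) -> Optional[str]:
    """Return a human-readable reason if the event matches a listed indicator."""
    if ev.kind == "registry":
        key, _, data = ev.detail.rpartition("=")
        if key.lower().startswith(RUN_KEY.lower()) and RUN_VALUE_PATTERN.search(data):
            return "run-key persistence to %APPDATA%\\WindowsUpdate.exe"
    elif ev.kind == "mutex" and ev.detail in MUTEX_IOCS:
        return f"mutex {ev.detail}"
    elif ev.kind == "dns" and refang(ev.detail).lower() in C2_DOMAINS:
        return f"C2 domain {refang(ev.detail)}"
    return None

def scan(events: List[Event]) -> List[Tuple[str, str]]:
    return [(ev.host, reason) for ev in events if (reason := match_event(ev))]

# Constructed sample telemetry for the example; not from any real incident.
SAMPLE_EVENTS = [
    Event("registry", "ws-01", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater=%APPDATA%\WindowsUpdate.exe"),
    Event("registry", "ws-02", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive=C:\Users\a\OneDrive.exe"),
    Event("mutex", "ws-03", "YoreKeyMutex_2023"),
    Event("dns", "ws-04", "update-ms-win.com"),
    Event("dns", "ws-05", "login.microsoftonline.com"),
]

if __name__ == "__main__":
    print("reported hash is a valid SHA-256:", is_valid_sha256(REPORTED_SHA256))
    for host, reason in scan(SAMPLE_EVENTS):
        print(host, reason)
```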

☠️ Risk & Impact

YoreKey poses a high risk to government and diplomatic sectors, enabling complete compromise of targeted systems. It exfiltrates sensitive documents, login credentials, and email archives, with documented theft of at least 50 GB from a single victim. Financial losses are indirect but significant due to the strategic value of stolen intelligence.

🛡️ Mitigation

Organizations should apply patches for CVE-2023-23479, block spear-phishing vectors via DMARC and email filtering, and deploy endpoint detection rules (e.g., the Sigma rule for WMI disable_Defender) as recommended by EclecticIQ. Microsoft Defender for Endpoint can detect YoreKey via behavioral alerts (e.g., suspicious scheduled task creation).


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.