APT37
APT37 is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. [1] [2] [3]
ID: G0067
Aliases: ScarCruft, APT37, Reaper, Group123, TEMP.Reaper
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 1.0
Alias Descriptions
Name | Description |
---|---|
ScarCruft | [2] [1] |
APT37 | [1] |
Reaper | [1] |
Group123 | [1] |
TEMP.Reaper | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1123 | Audio Capture | APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input.[1] |
Enterprise | T1116 | Code Signing | APT37 has signed its malware with an invalid digital certificate listed as “Tencent Technology (Shenzhen) Company Limited.”[2] |
Enterprise | T1059 | Command-Line Interface | APT37 has used the command-line interface.[1][3] |
Enterprise | T1043 | Commonly Used Port | APT37 has used port 8080 for C2.[2] |
Enterprise | T1003 | Credential Dumping | APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.[1] |
Enterprise | T1094 | Custom Command and Control Protocol | APT37's credential stealer ZUMKONG sends harvested credentials from the victim to the attacker using HTTP POST requests.[1] |
Enterprise | T1005 | Data from Local System | APT37 has collected data from victims' local systems.[1] |
Enterprise | T1189 | Drive-by Compromise | APT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to disseminate malware more indiscriminately. As part of these compromises, the group has used a JavaScript-based profiler called RICECURRY to fingerprint a victim's web browser and deliver malicious code accordingly.[2][1] |
Enterprise | T1173 | Dynamic Data Exchange | APT37 has used Windows DDE for execution of commands and a malicious VBS.[2] |
Enterprise | T1106 | Execution through API | APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.[3] |
Enterprise | T1203 | Exploitation for Client Execution | APT37 has used Flash Player (CVE-2016-4117, CVE-2018-4878) and Word (CVE-2017-0199) exploits for execution.[2][1][3] |
Enterprise | T1107 | File Deletion | APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).[1][3] |
Enterprise | T1027 | Obfuscated Files or Information | APT37 sends images to users that are embedded with shellcode and obfuscates strings and payloads.[3] |
Enterprise | T1057 | Process Discovery | APT37's Freenki malware lists running processes using the Microsoft Windows API.[3] |
Enterprise | T1055 | Process Injection | APT37 injects its malware variant, ROKRAT, into the cmd.exe process.[3] |
Enterprise | T1060 | Registry Run Keys / Startup Folder | APT37 has added persistence via the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ .[1][3] |
Enterprise | T1105 | Remote File Copy | APT37 has downloaded second stage malware from compromised websites.[1] |
Enterprise | T1064 | Scripting | APT37 executes shellcode and a script to decode Base64 strings.[3] |
Enterprise | T1193 | Spearphishing Attachment | APT37 delivers malware using spearphishing emails with malicious Hangul Word Processor (HWP) attachments.[1][3] |
Enterprise | T1071 | Standard Application Layer Protocol | APT37 uses HTTPS to conceal C2 communications.[3] |
Enterprise | T1082 | System Information Discovery | APT37 collects the computer name, the BIOS model, and execution path.[3] |
Enterprise | T1033 | System Owner/User Discovery | APT37 identifies the victim username.[3] |
Enterprise | T1204 | User Execution | APT37 has sent spearphishing attachments attempting to get a user to open them.[1] |
Enterprise | T1102 | Web Service | APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.[1][3] |
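The Dynamic Data Exchange row above notes that APT37 used Windows DDE to run commands and a VBS from a document. Word evaluates the concatenated text of a field instruction, so lures split the `DDEAUTO` keyword and its arguments across several `w:instrText` runs and pad them with whitespace to defeat naive string matching. The scanner below, an added example that is not code from the original page or from any APT37 report, re-joins complex fields in document order before matching; the sample document it scans is constructed inline and the field code in it is an illustration, not a recovered sample.

```python
"""Scan a .docx for fields that invoke DDE (T1173), including fields split across runs.

Added example for the Dynamic Data Exchange row of the table; it is not code from
the original page or from any APT37 report. The document scanned below is built
inline and the field code in it is a constructed illustration, not a recovered sample.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# Word acts on the concatenated field instruction, so match only after re-joining runs.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def _normalise(instr: str) -> str:
    """Collapse the whitespace attackers pad field codes with."""
    return " ".join(instr.split())


def _scan_part(root: ET.Element) -> list[str]:
    """Walk one WordprocessingML part in document order and return DDE field codes."""
    open_fields: list[list[str]] = []  # one text buffer per unclosed complex field
    hits = []
    for el in root.iter():
        if el.tag == W + "fldSimple":           # simple field: instruction is an attribute
            instr = _normalise(el.get(W + "instr", ""))
            if DDE_RE.search(instr):
                hits.append(instr)
        elif el.tag == W + "fldChar":           # complex field: begin / separate / end markers
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                open_fields.append([])
            elif kind == "end" and open_fields:
                instr = _normalise("".join(open_fields.pop()))
                if DDE_RE.search(instr):
                    hits.append(instr)
        elif el.tag == W + "instrText" and open_fields:
            open_fields[-1].append(el.text or "")  # may be only a fragment of the instruction
    return hits


def scan_docx_for_dde(data: bytes) -> list[str]:
    """Return the normalised instruction of every DDE field in the archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # Headers, footers and footnotes carry fields too, so scan every word/*.xml part.
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                hits.extend(_scan_part(ET.fromstring(z.read(name))))
    return hits


def build_sample_docx(body_xml: str) -> bytes:
    """Wrap a <w:body> fragment in a minimal constructed .docx (document.xml only)."""
    doc = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed body: a benign PAGE field, then a DDEAUTO field whose keyword and
# arguments are split across three runs, the evasion seen in real DDE lures.
SAMPLE_BODY = (
    '<w:p><w:fldSimple w:instr=" PAGE \\* MERGEFORMAT "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
    '<w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\Windows\\System32\\cmd.exe </w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">"/k calc.exe" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Loading document...</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p>'
)


def scan_sample() -> list[str]:
    """Scan the constructed document; returns the one re-joined DDEAUTO instruction."""
    return scan_docx_for_dde(build_sample_docx(SAMPLE_BODY))


if __name__ == "__main__":
    for code in scan_sample():
        print("DDE field:", code)
```

The scanner covers Office Open XML only; legacy binary .doc and the HWP format named in the Spearphishing Attachment row need their own parsers. Word also evaluates nested `QUOTE` fields that assemble the keyword from numeric character codes at run time, so flagging any `QUOTE` field whose arguments are numeric is a cheap additional heuristic on top of this check.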
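Three rows of the table describe host-observable behaviour: a value written under the HKCU Run key (Registry Run Keys / Startup Folder), a remote thread created in cmd.exe after VirtualAlloc and WriteProcessMemory (Process Injection, Execution through API), and C2 over consumer cloud and social platforms (Web Service). The triage script below, an added example that is not code from the original page or from any vendor report, applies one rule per row to Sysmon events (IDs 13, 8 and 3) rendered as XML. The events are constructed to exercise the rules offline and every path, SID and hostname in them is made up; the list of processes expected to reach cloud storage services is an assumption that must be tuned per environment.

```python
"""Triage Sysmon events for three APT37 behaviours from the table: Run key
persistence (T1060), remote-thread injection into cmd.exe (T1055/T1106) and
C2 over cloud/social services (T1102).

Added example, not code from the original page or from any vendor report. The
events are constructed in Sysmon's XML shape; paths, SIDs and hosts are made up.
"""
import ntpath
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Run, RunOnce and RunServices all sit under this path. Sysmon records the
# per-user hive as HKU\<SID>\..., not HKCU, so match on the tail only.
RUN_KEY_FRAGMENT = r"\software\microsoft\windows\currentversion\run"
# Services named in the Web Service row; the owning domains are an assumption.
CLOUD_C2_DOMAINS = ("dropbox.com", "box.com", "pcloud.com", "mediafire.com",
                    "twitter.com", "yandex.ru", "aol.com")
# Assumed allow-list of processes expected to reach those services on a managed host.
EXPECTED_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe"}


def parse_sysmon_event(xml_text: str) -> tuple[int, dict[str, str]]:
    """Return (EventID, {Data Name: value}) for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    eid = int(root.findtext(f"{NS}System/{NS}EventID"))
    data = {d.get("Name"): (d.text or "").strip() for d in root.iter(f"{NS}Data")}
    return eid, data


def triage(xml_text: str) -> list[tuple[str, str]]:
    """Apply the three rules to one event; returns (technique ID, reason) pairs."""
    eid, d = parse_sysmon_event(xml_text)
    alerts = []
    if eid == 13 and RUN_KEY_FRAGMENT in d.get("TargetObject", "").lower():
        alerts.append(("T1060", f"{d.get('Image')} set {d.get('TargetObject')} = {d.get('Details')}"))
    if eid == 8:
        target = ntpath.basename(d.get("TargetImage", "")).lower()
        # No backing module for the thread start address is the signature of the
        # VirtualAlloc + WriteProcessMemory + CreateRemoteThread pattern.
        unbacked = d.get("StartModule", "") in ("", "-")
        if target == "cmd.exe" or unbacked:
            why = "thread start address not backed by a module" if unbacked else "remote thread into cmd.exe"
            alerts.append(("T1055", f"{d.get('SourceImage')} -> {d.get('TargetImage')}: {why}"))
    if eid == 3:
        host = d.get("DestinationHostname", "").lower()
        image = ntpath.basename(d.get("Image", "")).lower()
        if any(host == dom or host.endswith("." + dom) for dom in CLOUD_C2_DOMAINS) \
                and image not in EXPECTED_CLOUD_CLIENTS:
            alerts.append(("T1102", f"{d.get('Image')} connected to {host}:{d.get('DestinationPort')}"))
    return alerts


def triage_all(events: list[str]) -> list[tuple[str, str]]:
    """Run triage over a batch of events and concatenate the alerts."""
    return [a for ev in events for a in triage(ev)]


def sysmon_event(eid: int, **fields: str) -> str:
    """Render a constructed Sysmon event in the XML shape Get-WinEvent exports."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{eid}</EventID></System><EventData>{data}</EventData></Event>')


IMPLANT = r"C:\Users\victim\AppData\Local\Temp\update.exe"  # constructed path
SAMPLE_EVENTS = [
    sysmon_event(13, EventType="SetValue", Image=IMPLANT, Details=IMPLANT,
                 TargetObject=r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                              r"\Software\Microsoft\Windows\CurrentVersion\Run\Update"),
    sysmon_event(8, SourceImage=IMPLANT, TargetImage=r"C:\Windows\System32\cmd.exe",
                 StartAddress="0x000001F3A9C20000", StartModule="-", StartFunction="-"),
    sysmon_event(3, Image=IMPLANT, DestinationHostname="api.pcloud.com", DestinationPort="443"),
    # Benign: the browser itself talking to Dropbox should not alert.
    sysmon_event(3, Image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 DestinationHostname="www.dropbox.com", DestinationPort="443"),
]

if __name__ == "__main__":
    for technique, reason in triage_all(SAMPLE_EVENTS):
        print(technique, reason)
```

The Web Service rule is only as good as its allow-list: a host that legitimately runs the Dropbox or Box sync client needs those binaries added, and a browser-based implant would still pass. The Event ID 8 rule is the higher-confidence signal, because a remote thread whose start address has no backing module is rarely produced by benign software.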