APT37 is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. [1] [2] [3]

North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.[4] Some organizations track North Korean clusters or groups such as Bluenoroff,[5], APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.

ID: G0067
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.

Version: 1.1

Associated Group Descriptions

ScarCruft[2] [1]

Techniques Used

EnterpriseT1123Audio CaptureAPT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input.[1]
EnterpriseT1116Code SigningAPT37 has signed its malware with an invalid digital certificates listed as “Tencent Technology (Shenzhen) Company Limited.”[2]
EnterpriseT1059Command-Line InterfaceAPT37 has used the command-line interface.[1][3]
EnterpriseT1043Commonly Used PortAPT37 has used port 8080 for C2.[2]
EnterpriseT1003Credential DumpingAPT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.[1]
EnterpriseT1094Custom Command and Control ProtocolAPT37 credential stealer ZUMKONG emails credentials from the victim using HTTP POST requests.[1]
EnterpriseT1005Data from Local SystemAPT37 has collected data from victims' local systems.[1]
EnterpriseT1487Disk Structure WipeAPT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).[1][3]
EnterpriseT1189Drive-by CompromiseAPT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a Javascript based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly.[2][1]
EnterpriseT1173Dynamic Data ExchangeAPT37 has used Windows DDE for execution of commands and a malicious VBS.[2]
EnterpriseT1106Execution through APIAPT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.[3]
EnterpriseT1203Exploitation for Client ExecutionAPT37 has used Flash Player (CVE-2016-4117, CVE-2018-4878) and Word (CVE-2017-0199) exploits for execution.[2][1][3]
EnterpriseT1027Obfuscated Files or InformationAPT37 sends images to users that are embedded with shellcode and obfuscates strings and payloads.[3]
EnterpriseT1057Process DiscoveryAPT37's Freenki malware lists running processes using the Microsoft Windows API.[3]
EnterpriseT1055Process InjectionAPT37 injects its malware variant, ROKRAT, into the cmd.exe process.[3]
EnterpriseT1060Registry Run Keys / Startup FolderAPT37's has added persistence via the Registry key HKCU\Software\Microsoft\CurrentVersion\Run\.[1][3]
EnterpriseT1105Remote File CopyAPT37 has downloaded second stage malware from compromised websites.[1]
EnterpriseT1064ScriptingAPT37 executes shellcode and a script to decode Base64 strings.[3]
EnterpriseT1193Spearphishing AttachmentAPT37 delivers malware using spearphishing emails with malicious HWP attachments.[1][3]
EnterpriseT1071Standard Application Layer ProtocolAPT37 uses HTTPS to conceal C2 communications.[3]
EnterpriseT1082System Information DiscoveryAPT37 collects the computer name, the BIOS model, and execution path.[3]
EnterpriseT1033System Owner/User DiscoveryAPT37 identifies the victim username.[3]
EnterpriseT1204User ExecutionAPT37 has sent spearphishing attachments attempting to get a user to open them.[1]
EnterpriseT1102Web ServiceAPT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.[1][3]


S0212CORALDECK[1]Data Compressed, Data Encrypted, File and Directory Discovery, Standard Application Layer Protocol
S0213DOGCALL[1][6]Audio Capture, Input Capture, Obfuscated Files or Information, Remote File Copy, Screen Capture, Web Service
S0355Final1stspy[6]Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Process Discovery, Registry Run Keys / Startup Folder, Standard Application Layer Protocol, System Information Discovery
S0214HAPPYWORK[1]Remote File Copy, System Information Discovery, System Owner/User Discovery
S0215KARAE[1]Drive-by Compromise, Remote File Copy, System Information Discovery, Web Service

NavRAT is linked to APT37 with medium confidence.

Command-Line Interface, Data Staged, Input Capture, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Scripting, Standard Application Layer Protocol, System Information Discovery
S0216POORAIM[1]Drive-by Compromise, File and Directory Discovery, Process Discovery, Screen Capture, System Information Discovery, Web Service
S0240ROKRAT[3]Credential Dumping, Exfiltration Over Command and Control Channel, Input Capture, Process Discovery, Query Registry, Remote File Copy, Screen Capture, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery, Virtualization/Sandbox Evasion, Web Service
S0217SHUTTERSPEED[1]Remote File Copy, Screen Capture, System Information Discovery
S0218SLOWDRIFT[1]Remote File Copy, System Information Discovery, Web Service
S0219WINERACK[1]Application Window Discovery, Command-Line Interface, File and Directory Discovery, Process Discovery, System Information Discovery, System Owner/User Discovery, System Service Discovery