APT37 is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. [1] [2] [3]

ID: G0067
Aliases: ScarCruft, APT37, Reaper, Group123, TEMP.Reaper
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.

Version: 1.0

Alias Descriptions

ScarCruft [2] [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1123 | Audio Capture | APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input. [1]
Enterprise | T1116 | Code Signing | APT37 has signed its malware with an invalid digital certificate listed as "Tencent Technology (Shenzhen) Company Limited." [2]
Enterprise | T1059 | Command-Line Interface | APT37 has used the command-line interface. [1] [3]
Enterprise | T1043 | Commonly Used Port | APT37 has used port 8080 for C2. [2]
Enterprise | T1003 | Credential Dumping | APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers. [1]
Enterprise | T1094 | Custom Command and Control Protocol | APT37's credential stealer ZUMKONG emails credentials from the victim using HTTP POST requests. [1]
Enterprise | T1005 | Data from Local System | APT37 has collected data from victims' local systems. [1]
Enterprise | T1189 | Drive-by Compromise | APT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a JavaScript-based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly. [2] [1]
Enterprise | T1173 | Dynamic Data Exchange | APT37 has used Windows DDE for execution of commands and a malicious VBS. [2]
Enterprise | T1106 | Execution through API | APT37 leverages the Windows API calls VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection. [3]
Enterprise | T1203 | Exploitation for Client Execution | APT37 has used Flash Player (CVE-2016-4117, CVE-2018-4878) and Word (CVE-2017-0199) exploits for execution. [2] [1] [3]
Enterprise | T1107 | File Deletion | APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR). [1] [3]
Enterprise | T1027 | Obfuscated Files or Information | APT37 sends images to users that are embedded with shellcode and obfuscates strings and payloads. [3]
Enterprise | T1057 | Process Discovery | APT37's Freenki malware lists running processes using the Microsoft Windows API. [3]
Enterprise | T1055 | Process Injection | APT37 injects its malware variant, ROKRAT, into the cmd.exe process. [3]
Enterprise | T1060 | Registry Run Keys / Startup Folder | APT37 has added persistence via the Registry key HKCU\Software\Microsoft\CurrentVersion\Run\. [1] [3]
Enterprise | T1105 | Remote File Copy | APT37 has downloaded second stage malware from compromised websites. [1]
Enterprise | T1064 | Scripting | APT37 executes shellcode and a script to decode Base64 strings. [3]
Enterprise | T1193 | Spearphishing Attachment | APT37 delivers malware using spearphishing emails with malicious HWP attachments. [1] [3]
Enterprise | T1071 | Standard Application Layer Protocol | APT37 uses HTTPS to conceal C2 communications. [3]
Enterprise | T1082 | System Information Discovery | APT37 collects the computer name, the BIOS model, and execution path. [3]
Enterprise | T1033 | System Owner/User Discovery | APT37 identifies the victim username. [3]
Enterprise | T1204 | User Execution | APT37 has sent spearphishing attachments attempting to get a user to open them. [1]
Enterprise | T1102 | Web Service | APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2. [1] [3]

Software

ID | Name | Techniques
S0212 | CORALDECK | Data Compressed, Data Encrypted, File and Directory Discovery, Standard Application Layer Protocol
S0213 | DOGCALL | Input Capture, Screen Capture, Web Service
S0214 | HAPPYWORK | Remote File Copy, System Information Discovery, System Owner/User Discovery
S0215 | KARAE | Drive-by Compromise, Remote File Copy, System Information Discovery, Web Service
S0247 | NavRAT | Command-Line Interface, Data Staged, Input Capture, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Scripting, Standard Application Layer Protocol, System Information Discovery
S0216 | POORAIM | Drive-by Compromise, File and Directory Discovery, Process Discovery, Screen Capture, System Information Discovery, Web Service
S0240 | ROKRAT | Credential Dumping, Exfiltration Over Command and Control Channel, Input Capture, Process Discovery, Query Registry, Remote File Copy, Screen Capture, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery, Web Service
S0217 | SHUTTERSPEED | Remote File Copy, Screen Capture, System Information Discovery
S0218 | SLOWDRIFT | Remote File Copy, System Information Discovery, Web Service
S0219 | WINERACK | Application Window Discovery, Command-Line Interface, File and Directory Discovery, Process Discovery, System Information Discovery, System Owner/User Discovery, System Service Discovery