Group: APT37, ScarCruft, ...

APT37, ScarCruft, ...
ID G0067
Aliases APT37, ScarCruft, Reaper, Group123, TEMP.Reaper
Contributors Valerii Marchuk, Cybersecurity Help s.r.o.

APT37 is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. The group was believed to be responsible for a 2016 campaign known as Operation Daybreak as well as an earlier campaign known as Operation Erebus.[1][2]

Alias Descriptions

  • APT37 [1]
  • ScarCruft [2][1]
  • Reaper [1]
  • Group123 [1]
  • TEMP.Reaper [1]

Techniques Used

  • Drive-by Compromise - APT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a JavaScript-based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly.[1][2]
  • Web Service - APT37 malware has used AOL Instant Messenger as well as pCloud and Dropbox APIs for C2.[1]
  • Remote File Copy - APT37 has downloaded second-stage malware from compromised websites.[1]
  • File Deletion - APT37 has access to destructive malware known as RUHAPPY that is capable of overwriting a machine's Master Boot Record (MBR).[1]
  • Audio Capture - APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input.[1]
  • Credential Dumping - APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.[1]
  • Code Signing - APT37 has signed its malware with an invalid digital certificate listed as “Tencent Technology (Shenzhen) Company Limited.”[2]
  • User Execution - APT37 has sent spearphishing attachments attempting to get a user to open them.[1]