APT37

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

ID: G0067
Associated Groups: InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper, Ricochet Chollima
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 2.0
Created: 18 April 2018
Last Modified: 26 June 2023

Associated Group Descriptions

Name Description
InkySquid [4]
ScarCruft [2][1][5]
Reaper [1]
Group123 [1]
TEMP.Reaper [1]
Ricochet Chollima [6]

Techniques Used

Domain ID Name Use
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.[1]

Enterprise T1005 Data from Local System

APT37 has collected data from victims' local systems.[1]

Enterprise T1036 .001 Masquerading: Invalid Code Signature

APT37 has signed its malware with an invalid digital certificate listed as "Tencent Technology (Shenzhen) Company Limited."[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT37 has added persistence via the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\.[1][3]

Enterprise T1059 Command and Scripting Interpreter

APT37 has used Ruby scripts to execute payloads.[7]

.003 Windows Command Shell

APT37 has used the command-line interface.[1][3]

.005 Visual Basic

APT37 executes shellcode and a VBA script to decode Base64 strings.[3]

.006 Python

APT37 has used Python scripts to execute payloads.[7]

Enterprise T1120 Peripheral Device Discovery

APT37 has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices.[5]

Enterprise T1203 Exploitation for Client Execution

APT37 has used exploits for Flash Player (CVE-2016-4117, CVE-2018-4878), Word (CVE-2017-0199), Internet Explorer (CVE-2020-1380 and CVE-2020-26411), and Microsoft Edge (CVE-2021-26411) for execution.[2][1][3][4]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT37 uses HTTPS to conceal C2 communications.[3]

Enterprise T1106 Native API

APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.[3]

Enterprise T1189 Drive-by Compromise

APT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a JavaScript-based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly.[2][1][4]

Enterprise T1027 Obfuscated Files or Information

APT37 obfuscates strings and payloads.[3][5][7]

.003 Steganography

APT37 uses steganography to send images to users that are embedded with shellcode.[3][5]
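The page does not say how the shellcode is placed inside the image, so the check below is a general one and is added here as an example; it is not code from the page or from any ROKRAT sample. One common way to hide a payload in an image is to append it after the file's logical end, which leaves the picture rendering normally. The functions walk PNG chunks and JPEG segments to find that end and report anything that follows it (pixel-level LSB embedding is out of scope). The sample images and the "payload" bytes are constructed for the example.

```python
"""Find data appended after the logical end of a PNG or JPEG carrier image."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_logical_end(buf):
    """Offset just past the IEND chunk, or None if buf is not a well-formed PNG."""
    if not buf.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        end = pos + 12 + length           # 4 length + 4 type + data + 4 CRC
        if end > len(buf):
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def jpeg_logical_end(buf):
    """Offset just past the EOI marker, or None if buf is not a well-formed JPEG."""
    if not buf.startswith(b"\xFF\xD8"):
        return None
    pos = 2
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                 # EOI
            return pos + 2
        if marker == 0xDA:                 # SOS: entropy-coded data runs to EOI; any 0xFF
            eoi = buf.find(b"\xFF\xD9", pos + 2)   # inside it is byte-stuffed, so this is safe
            return None if eoi < 0 else eoi + 2
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM carry no length
            pos += 2
            continue
        if pos + 4 > len(buf):
            return None
        pos += 2 + struct.unpack(">H", buf[pos + 2:pos + 4])[0]
    return None


def trailing_payload(buf):
    """(format, appended bytes) if something follows the image's logical end, else None."""
    for fmt, finder in (("png", png_logical_end), ("jpeg", jpeg_logical_end)):
        end = finder(buf)
        if end is not None:
            tail = buf[end:]
            return (fmt, tail) if tail else None
    return None


def _chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_sample_png():
    """Valid 1x1 RGB PNG, constructed for the example."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")   # filter type 0 + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_sample_jpeg():
    """Structurally valid, content-free JPEG: SOI, APP0, SOS, two scan bytes, EOI."""
    return (b"\xFF\xD8" + b"\xFF\xE0" + struct.pack(">H", 4) + b"\x00\x00"
            + b"\xFF\xDA" + struct.pack(">H", 2) + b"\x12\x34" + b"\xFF\xD9")


FAKE_PAYLOAD = b"\x90\x90\xcc\xc3"   # stand-in for appended shellcode; not functional code

if __name__ == "__main__":
    for name, img in (("png", build_sample_png()), ("jpeg", build_sample_jpeg())):
        print(name, "clean:", trailing_payload(img), "carrier:", trailing_payload(img + FAKE_PAYLOAD))
```

Run it over downloaded images from a suspicious host rather than on the wire: a non-empty tail is not proof of malice (some cameras and editors append metadata), but a tail that starts with executable-looking bytes on an image fetched by an Office process is worth a closer look.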

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.[5]

Enterprise T1204 .002 User Execution: Malicious File

APT37 has sent spearphishing attachments attempting to get a user to open them.[1]

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).[1][3]
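As an added forensic example (not APT37 code and not from the page): parse a 512-byte master boot record and say whether it is still bootable, which is the first check to run against a disk image after a suspected wiper run. The layout used is the standard legacy MBR (bootstrap code at bytes 0-445, four 16-byte partition entries from 446, 0x55AA signature at 510). Both sectors below are constructed; the "wiped" one assumes a zero-fill overwrite, which is one way, not the only way, a wiper can leave sector 0.

```python
"""Assess a raw 512-byte MBR sector for signs of overwriting."""
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_partitions(sector):
    """Return the non-empty partition entries as dicts."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return parts


def assess_mbr(sector):
    """Return {'intact': bool, 'findings': [...], 'partitions': [...]} for one sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 55AA missing")
    if len(set(sector[:PART_TABLE_OFFSET])) == 1:
        findings.append("bootstrap code area is a single repeated byte")
    parts = parse_partitions(sector)
    if not parts:
        findings.append("partition table is empty")
    elif not any(p["bootable"] for p in parts):
        findings.append("no partition is marked active")
    return {"intact": not findings, "findings": findings, "partitions": parts}


def build_sample_mbr():
    """Constructed healthy MBR: a few bootstrap bytes and one active NTFS partition at LBA 2048."""
    sector = bytearray(MBR_SIZE)
    sector[0:4] = b"\x33\xC0\x8E\xD0"      # xor ax,ax / mov ss,ax: a typical bootstrap prologue
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


WIPED_MBR = bytes(MBR_SIZE)   # what a zero-fill overwrite of sector 0 leaves behind

if __name__ == "__main__":
    for label, sec in (("healthy", build_sample_mbr()), ("wiped", WIPED_MBR)):
        print(label, assess_mbr(sec))
```

On a live system feed it the first 512 bytes of the physical disk (\\.\PhysicalDrive0 on Windows, /dev/sda on Linux). A GPT disk still carries a protective MBR with a single type 0xEE entry and the 55AA signature, so it passes the signature and table checks; an empty table or missing signature on a disk that previously booted is the wiper indicator, and the machine will not come back from the reboot described under T1529 below.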

Enterprise T1082 System Information Discovery

APT37 collects the computer name, the BIOS model, and execution path.[3]

Enterprise T1529 System Shutdown/Reboot

APT37 has used malware that will issue the command shutdown /r /t 1 to reboot a system after wiping its MBR.[3]

Enterprise T1033 System Owner/User Discovery

APT37 identifies the victim username.[3]

Enterprise T1102 .002 Web Service: Bidirectional Communication

APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.[1][3]

Enterprise T1105 Ingress Tool Transfer

APT37 has downloaded second stage malware from compromised websites.[1][5][4][7]

Enterprise T1057 Process Discovery

APT37's Freenki malware lists running processes using the Microsoft Windows API.[3]

Enterprise T1055 Process Injection

APT37 injects its malware variant, ROKRAT, into the cmd.exe process.[3]
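Four of the behaviours above leave telemetry that Sysmon records by default: the VirtualAlloc/WriteProcessMemory/CreateRemoteThread injection into cmd.exe (T1106, T1055), the HKCU Run key write (T1547.001), and the `shutdown /r /t 1` after the MBR wipe (T1529). The detection logic below is an added example, not code from the page or from any vendor: three rules run over constructed Sysmon-style events. Field names follow Sysmon's schema (SourceImage/TargetImage for Event ID 8, TargetObject/Details for Event ID 13, CommandLine/ParentImage for Event ID 1); every allowlist, the reboot-delay threshold and all sample paths, SIDs and addresses are assumptions to tune per environment.

```python
"""Rules for remote threads into cmd.exe, Run-key persistence and immediate reboots."""
import ntpath

# T1547.001: value written under a per-user Run key (Sysmon logs HKCU as HKU\<SID>).
RUN_KEY_FRAGMENT = "\\software\\microsoft\\windows\\currentversion\\run\\"
# Assumption: images under these prefixes are installers or OS components.
TRUSTED_IMAGE_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Assumption: source images that legitimately create threads in other processes.
REMOTE_THREAD_SOURCE_ALLOW = {"csrss.exe", "werfault.exe"}
# T1529: an explicit /t at or below this (seconds) counts as an unscheduled reboot;
# shutdown without /t defaults to a 30 s warning on Windows and is left alone.
MAX_BENIGN_REBOOT_DELAY = 5


def _base(path):
    return ntpath.basename(path.strip('"')).lower()


def check_remote_thread(ev):
    """T1055/T1106: CreateRemoteThread (Event ID 8) into cmd.exe from an unexpected source."""
    if ev.get("EventID") != 8:
        return None
    if _base(ev["TargetImage"]) != "cmd.exe" or _base(ev["SourceImage"]) in REMOTE_THREAD_SOURCE_ALLOW:
        return None
    return f"T1055 remote thread into cmd.exe from {ev['SourceImage']} (start {ev.get('StartAddress', '?')})"


def check_run_key(ev):
    """T1547.001: RegistryEvent SetValue (Event ID 13) on a Run key by a non-trusted image."""
    if ev.get("EventID") != 13:
        return None
    if RUN_KEY_FRAGMENT not in ev["TargetObject"].lower():
        return None
    if ev["Image"].lower().startswith(TRUSTED_IMAGE_PREFIXES):
        return None
    return f"T1547.001 Run key set by {ev['Image']}: {ev['TargetObject']} = {ev['Details']}"


def check_reboot(ev):
    """T1529: ProcessCreate (Event ID 1) of shutdown with /r and a near-zero /t delay."""
    if ev.get("EventID") != 1:
        return None
    tokens = ev["CommandLine"].lower().split()
    if not tokens or _base(tokens[0]) not in ("shutdown", "shutdown.exe") or "/r" not in tokens:
        return None
    delay = None
    if "/t" in tokens:
        i = tokens.index("/t")
        if i + 1 < len(tokens) and tokens[i + 1].isdigit():
            delay = int(tokens[i + 1])
    if delay is None or delay > MAX_BENIGN_REBOOT_DELAY:
        return None
    return f"T1529 immediate reboot by {ev['ParentImage']}: {ev['CommandLine']}"


RULES = (check_remote_thread, check_run_key, check_reboot)


def detect(events):
    """Run every rule over every event; returns alert strings in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs); one true positive and one benign case per rule.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe", "StartAddress": "0x0000000002A40000"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe", "StartAddress": "0x00007FF8A1B2C3D4"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\svc.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
     "Details": r"C:\Users\victim\AppData\Roaming\svc.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\shutdown.exe", "CommandLine": "shutdown /r /t 1",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": 'shutdown /r /t 600 /c "Patch reboot"', "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The injection rule keys on the target rather than on API names because Sysmon does not see VirtualAlloc or WriteProcessMemory; Event ID 8 is the observable end of that sequence, and a StartAddress outside any loaded module's image range is the usual corroborating field to pivot on. The reboot rule is only meaningful in context: `shutdown /r /t 1` from a user-writable path is the tail of the wiper chain, so the alert should carry the parent image and be correlated with the disk-write activity that preceded it.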

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

APT37 has used Windows DDE for execution of commands and a malicious VBS.[2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT37 delivers malware using spearphishing emails with malicious HWP attachments.[1][3][5]

Enterprise T1123 Audio Capture

APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT37 has created scheduled tasks to run malicious scripts on a compromised host.[7]

Software

ID Name References Techniques
S0657 BLUELIGHT [4] Credentials from Password Stores: Credentials from Web Browsers, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, Archive Collected Data, File and Directory Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, Steal Web Session Cookie, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Web Service: Bidirectional Communication, Virtualization/Sandbox Evasion: System Checks, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Discovery, Exfiltration Over C2 Channel
S0154 Cobalt Strike [4] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0212 CORALDECK [1] Archive Collected Data: Archive via Utility, File and Directory Discovery, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
S0213 DOGCALL [1][8] Screen Capture, Obfuscated Files or Information: Encrypted/Encoded File, Web Service: Bidirectional Communication, Ingress Tool Transfer, Input Capture: Keylogging, Audio Capture
S0355 Final1stspy [8] Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Application Layer Protocol: Web Protocols, Obfuscated Files or Information, System Information Discovery, Process Discovery
S0214 HAPPYWORK [1] System Information Discovery, System Owner/User Discovery, Ingress Tool Transfer
S0215 KARAE [1] Drive-by Compromise, System Information Discovery, Web Service: Bidirectional Communication, Ingress Tool Transfer
S0247 NavRAT [9] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Mail Protocols, Data Staged: Local Data Staging, System Information Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection
S0216 POORAIM [1] Screen Capture, File and Directory Discovery, Drive-by Compromise, System Information Discovery, Web Service: Bidirectional Communication, Process Discovery
S0240 ROKRAT [3][5] Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Modify Registry, Clipboard Data, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Visual Basic, Screen Capture, Application Layer Protocol: Web Protocols, Application Window Discovery, Execution Guardrails: Environmental Keying, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information, User Execution: Malicious File, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, Web Service: Bidirectional Communication, Virtualization/Sandbox Evasion: System Checks, Debugger Evasion, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Phishing: Spearphishing Attachment, Audio Capture
S0217 SHUTTERSPEED [1] Screen Capture, System Information Discovery, Ingress Tool Transfer
S0218 SLOWDRIFT [1] System Information Discovery, Web Service: Bidirectional Communication, Ingress Tool Transfer
S0219 WINERACK [1] Command and Scripting Interpreter, Application Window Discovery, File and Directory Discovery, System Information Discovery, System Owner/User Discovery, System Service Discovery, Process Discovery

References