APT37

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

ID: G0067
Associated Groups: Richochet Chollima, InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 2.0
Created: 18 April 2018
Last Modified: 15 October 2021

Associated Group Descriptions

Name Description
Richochet Chollima

[4]

InkySquid

[5]

ScarCruft

[2][1][6]

Reaper

[1]

Group123

[1]

TEMP.Reaper

[1]

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.[6]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT37 uses HTTPS to conceal C2 communications.[3]

Enterprise T1123 Audio Capture

APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT37's has added persistence via the Registry key HKCU\Software\Microsoft\CurrentVersion\Run\.[1][3]

Enterprise T1059 Command and Scripting Interpreter

APT37 has used Ruby scripts to execute payloads.[7]

.003 Windows Command Shell

APT37 has used the command-line interface.[1][3]

.005 Visual Basic

APT37 executes shellcode and a VBA script to decode Base64 strings.[3]

.006 Python

APT37 has used Python scripts to execute payloads.[7]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.[1]

Enterprise T1005 Data from Local System

APT37 has collected data from victims' local systems.[1]

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).[1][3]

Enterprise T1189 Drive-by Compromise

APT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a Javascript based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly.[2][1][5]

Enterprise T1203 Exploitation for Client Execution

APT37 has used exploits for Flash Player (CVE-2016-4117, CVE-2018-4878), Word (CVE-2017-0199), Internet Explorer (CVE-2020-1380 and CVE-2020-26411), and Microsoft Edge (CVE-2021-26411) for execution.[2][1][3][5]

Enterprise T1105 Ingress Tool Transfer

APT37 has downloaded second stage malware from compromised websites.[1][6][5][7]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

APT37 has used Windows DDE for execution of commands and a malicious VBS.[2]

Enterprise T1036 .001 Masquerading: Invalid Code Signature

APT37 has signed its malware with an invalid digital certificates listed as "Tencent Technology (Shenzhen) Company Limited."[2]

Enterprise T1106 Native API

APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.[3]

Enterprise T1027 Obfuscated Files or Information

APT37 obfuscates strings and payloads.[3][6][7]

.003 Steganography

APT37 uses steganography to send images to users that are embedded with shellcode.[3][6]

Enterprise T1120 Peripheral Device Discovery

APT37 has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices. [6]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT37 delivers malware using spearphishing emails with malicious HWP attachments.[1][3][6]

Enterprise T1057 Process Discovery

APT37's Freenki malware lists running processes using the Microsoft Windows API.[3]

Enterprise T1055 Process Injection

APT37 injects its malware variant, ROKRAT, into the cmd.exe process.[3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT37 has created scheduled tasks to run malicious scripts on a compromised host.[7]

Enterprise T1082 System Information Discovery

APT37 collects the computer name, the BIOS model, and execution path.[3]

Enterprise T1033 System Owner/User Discovery

APT37 identifies the victim username.[3]

Enterprise T1529 System Shutdown/Reboot

APT37 has used malware that will issue the command shutdown /r /t 1 to reboot a system after wiping its MBR.[3]

Enterprise T1204 .002 User Execution: Malicious File

APT37 has sent spearphishing attachments attempting to get a user to open them.[1]

Enterprise T1102 .002 Web Service: Bidirectional Communication

APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.[1][3]

Software

ID Name References Techniques
S0657 BLUELIGHT [5] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, Archive Collected Data, Credentials from Password Stores: Credentials from Web Browsers, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Process Discovery, Screen Capture, Software Discovery: Security Software Discovery, Steal Web Session Cookie, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery, Virtualization/Sandbox Evasion: System Checks, Web Service: Bidirectional Communication
S0154 Cobalt Strike [5] Abuse Elevation Control Mechanism: Bypass User Account Control, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Access Token Manipulation: Make and Impersonate Token, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Multiband Communication, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Windows Remote Management, Remote Services: Remote Desktop Protocol, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote Services: SSH, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0212 CORALDECK [1] Archive Collected Data: Archive via Utility, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, File and Directory Discovery
S0213 DOGCALL [1][8] Audio Capture, Ingress Tool Transfer, Input Capture: Keylogging, Obfuscated Files or Information, Screen Capture, Web Service: Bidirectional Communication
S0355 Final1stspy [8] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Process Discovery, System Information Discovery
S0214 HAPPYWORK [1] Ingress Tool Transfer, System Information Discovery, System Owner/User Discovery
S0215 KARAE [1] Drive-by Compromise, Ingress Tool Transfer, System Information Discovery, Web Service: Bidirectional Communication
S0247 NavRAT [9] Application Layer Protocol: Mail Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Staged: Local Data Staging, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, System Information Discovery
S0216 POORAIM [1] Drive-by Compromise, File and Directory Discovery, Process Discovery, Screen Capture, System Information Discovery, Web Service: Bidirectional Communication
S0240 ROKRAT [3][6] Application Layer Protocol: Web Protocols, Application Window Discovery, Audio Capture, Clipboard Data, Command and Scripting Interpreter: Visual Basic, Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Debugger Evasion, Deobfuscate/Decode Files or Information, Execution Guardrails: Environmental Keying, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Obfuscated Files or Information, Phishing: Spearphishing Attachment, Process Discovery, Process Injection, Query Registry, Screen Capture, System Information Discovery, System Owner/User Discovery, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Web Service: Bidirectional Communication
S0217 SHUTTERSPEED [1] Ingress Tool Transfer, Screen Capture, System Information Discovery
S0218 SLOWDRIFT [1] Ingress Tool Transfer, System Information Discovery, Web Service: Bidirectional Communication
S0219 WINERACK [1] Application Window Discovery, Command and Scripting Interpreter, File and Directory Discovery, Process Discovery, System Information Discovery, System Owner/User Discovery, System Service Discovery

References