DOGCALL is a backdoor used by APT37 that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. ^[1]

ID: S0213

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.2

Created: 18 April 2018

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1123		Audio Capture	DOGCALL can capture microphone data from the victim's machine.^[2]
Enterprise	T1105		Ingress Tool Transfer	DOGCALL can download and execute additional payloads.^[2]
Enterprise	T1056	.001	Input Capture: Keylogging	DOGCALL is capable of logging keystrokes.^[1]^[2]
Enterprise	T1027		Obfuscated Files or Information	DOGCALL is encrypted using single-byte XOR.^[2]
Enterprise	T1113		Screen Capture	DOGCALL is capable of capturing screenshots of the victim's machine.^[1]^[2]
Enterprise	T1102	.002	Web Service: Bidirectional Communication	DOGCALL is capable of leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex for C2.^[1]^[2]

Groups That Use This Software

ID	Name	References
G0067	APT37	^[1]^[2]

References

FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.

Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.

DOGCALL

Enterprise Layer

Techniques Used

Groups That Use This Software

References