Threat_Actor_Profiles

Threat Actor Profile: APT37

ByThreat Analyst

27 July 2023 , , ,

Introduction

APT37, also known as Reaper, Group123, Ricochet Chollima, StarCruft, and Scarcruft, is a cyber espionage group that has been active since at least 2012. The group is known to be based in North Korea and is believed to be sponsored by the North Korean government. APT37 has targeted victims primarily located in South Korea, but has also targeted Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.

APT37 is known for its focus on public and private entities primarily associated with South Korea, including government, defence, industrial, and healthcare organisations. The group has also targeted human rights activists, individuals involved in the Olympics, and organisations involved in cryptocurrency. APT37’s operations have included zero-day vulnerabilities and destructive malware, indicating a highly sophisticated threat actor.

Timeline of Incidents

  • 2012 to Early 2017: APT37’s activities were largely confined to South Korea. The group used social engineering tactics to target South Korean government, military, and defence industry organisations, as well as North Korean defectors and human rights activists.
  • January 2017: APT37 was observed using a zero-day vulnerability (CVE-2018-4878) in Adobe Flash. The group sent spear-phishing emails to a South Korean government agency using a document that appeared to be related to North Korea’s nuclear issues.
  • Late 2017 to 2018: APT37 expanded its targeting to include Middle Eastern organisations. The group was also linked to a destructive wiper attack against a Middle Eastern organisation where the malware overwrote the master boot record (MBR) of the infected machine.
  • 2019: APT37 was linked to a spear-phishing campaign against South Korean users. The campaign used a Hangul Word Processor document that exploited a zero-day vulnerability (CVE-2019-0561) in Microsoft Internet Explorer.
  • 2020: APT37 was observed using a new malware family, KARAE, to target South Korean government agencies. The group also used COVID-19-themed lures in spear-phishing attacks.
  • 2021: APT37 was linked to a series of spear-phishing attacks against South Korean journalists. The group used a document that appeared to be a request for a television appearance.
  • 2022: APT37 was observed using a new backdoor, COPPERHEDGE, to target cryptocurrency organisations in South Korea and the United States. The group also used a new malware family, TAINTEDSCRIBE, in spear-phishing attacks against South Korean government agencies.
  • 2023: APT37 was linked to a series of spear-phishing attacks against South Korean and Japanese organisations involved in the Olympics. The group used a document that appeared to be related to the Tokyo 2020 Olympics.

Indicators of Compromise (IOCs)

APT37 has been associated with a number of different malware families and vulnerabilities, including:

  • CVE-2021-26411Microsoft Advisory | NVD
    • Description: This is a remote code execution vulnerability that exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
    • Exploitation: An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
  • CVE-2020-1380Microsoft Advisory | NVD
    • Description: This is a remote code execution vulnerability that exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
    • Exploitation: An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
  • CVE-2020-0986Microsoft Advisory | NVD
    • Description: This is an elevation of privilege vulnerability that exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges.
    • Exploitation: An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • CVE-2020-17087Microsoft Advisory | NVD
    • Description: This is a Windows Kernel Local Elevation of Privilege Vulnerability. An elevation of privilege vulnerability exists when the Windows Kernel fails to properly handle objects in memory.
    • Exploitation: An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • CVE-2020-15999Google Advisory | NVD
    • Description: This is a heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
    • Exploitation: A remote attacker could potentially exploit this vulnerability to cause a heap corruption via a crafted HTML page.
  • CVE-2021-24093Microsoft Advisory | NVD
    • Description: This is a remote code execution vulnerability exists in the way that the Windows Graphics Component handles objects in memory.
    • Exploitation: An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MITRE ATT&CK TTPs

APT37 has been observed using a number of different techniques mapped to the MITRE ATT&CK framework, including:

  • T1566.001: Phishing: Spearphishing Attachment
  • T1204.002: User Execution: Malicious File
  • T1059.003: Command and Scripting Interpreter: Windows Command Shell
  • T1027: Obfuscated Files or Information
  • T1071.001: Application Layer Protocol: Web Protocols

Further Reading

For more detailed information on APT37, you can refer to the following resources:

ByThreat Analyst

Related Post

Articles Industry_News Threat_Actor_Profiles

Evil Corp and LockBit Connection Exposed: NCA Unmasks Cybercrime Kingpin

1 October 2024 Threat Analyst
Articles Techniques_Tactics_Procedures Threat_Actor_Profiles

Leveraging Windows Event Logs to Identify Human-Operated Ransomware: Insights from JPCERT/CC

30 September 2024 Threat Analyst
Threat_Actor_Profiles

Peaklight Malware: A Stealthy Memory-Only Threat Leveraging Known Vulnerabilities

25 September 2024 Threat Analyst

You missed

Incident_Reports

Cisco Investigates Data Breach: Sensitive Information Reportedly For Sale on Hacking Forum

15 October 2024 Threat Analyst
Articles Vulnerabilities_Exploits

Nation-State Adversaries Exploit Ivanti CSA Zero-Days: A Deep Dive into Targeted Attacks and Vulnerability History

15 October 2024 Threat Analyst
Vulnerabilities_Exploits

Ivanti CSA Hit with Three New Zero-Day Vulnerabilities in Active Exploitation

9 October 2024 Threat Analyst
Articles Techniques_Tactics_Procedures

File Hosting Services Misused for Identity Phishing: Microsoft’s Analysis

9 October 2024 Threat Analyst