North Korean APT Group tracked as APT37 broadens its horizons

Researchers at FireEye speculate that the APT group tracked as APT37 (aka Reaper, Group123, ScarCruft) operated on behalf of the North Korean government.

Here we are to speak about a nation-state actor dubbed APT37 (aka Reaper, Group123, ScarCruft) that is believed to be operating on behalf of the North Korean government.

APT37 has been active since at least 2012, it made the headlines in early February when researchers revealed that the APT group leveraged a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users.

Cyber attacks conducted by the APT37 group mainly targeted government, defense, military, and media organizations in South Korea.

FireEye linked the APT37 group to the North Korean government based on the following clues:

• the use of a North Korean IP;
• malware compilation timestamps consistent with a developer operating in the North Korea time
  zone (UTC +8:30) and follows what is believed to be a typical North Korean workday;
• objectives that align with Pyongyang’s interests(i.e. organizations and individuals involved in Korean
  Peninsula reunification efforts);

Researchers from FireEye revealed that the nation-state actor also targeted entities in Japan, Vietnam, and even the Middle East in 2017. The hackers targeted organizations in the chemicals, manufacturing, electronics, aerospace, healthcare, and automotive sectors.

“APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities” reads the report published by FireEye.

Experts revealed that in 2017, the APT37 targeted a Middle Eastern company that entered into a joint venture with the North Korean government to provide telecommunications service to the country.

The hackers leveraged several vulnerabilities in Flash Player and in the Hangul Word Processor to deliver several types of malware.

The arsenal of the group includes the RUHAPPY wiper, the CORALDECK exfiltration tool, the GELCAPSULE and HAPPYWORK downloaders, the MILKDROP and SLOWDRIFT launchers, the ZUMKONG infostealer, the audio-capturing tool SOUNDWAVE, and backdoors tracked by FireEye as DOGCALL, KARAE, POORAIM, WINERACK and SHUTTERSPEED.

“North Korea has repeatedly demonstrated a willingness to leverage its cyber capabilities for a variety of purposes, undeterred by notional redlines and international norms. Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions, APT37 is an additional tool available to the regime, perhaps even desirable for its relative obscurity.” concludes FireEye.

“We anticipate APT37 will be leveraged more and more in previously unfamiliar roles and regions, especially as pressure mounts on their sponsor.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – North Korea, APT37)

[adrotate banner=”5″]

[adrotate banner=”13″]