Introduction
APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018 [11][14][13].
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
Activities and Tactics
Targeted Sectors: Government, Private sector
Country of Origin: 🇰🇵 North Korea
Risk Level: High
First Seen: 2016
Last Activity: 2023
Suspected Victims: South Korea, Japan, Vietnam
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1547.001 Registry Run Keys / Startup Folder
- T1120 Peripheral Device Discovery
- T1059.006 Python
- T1105 Ingress Tool Transfer
- T1071.001 Web Protocols
- T1027.003 Steganography
- T1102.002 Bidirectional Communication
- T1082 System Information Discovery
- T1204.002 Malicious File
- T1036.001 Invalid Code Signature
- T1548.002 Bypass User Account Control
- T1033 System Owner/User Discovery
- T1555.003 Credentials from Web Browsers
- T1529 System Shutdown/Reboot
- T1005 Data from Local System
- T1559.002 Dynamic Data Exchange
- T1106 Native API
- T1203 Exploitation for Client Execution
- T1055 Process Injection
- T1027 Obfuscated Files or Information
- T1189 Drive-by Compromise
- T1057 Process Discovery
- T1059 Command and Scripting Interpreter
- T1059.003 Windows Command Shell
- T1566.001 Spearphishing Attachment
- T1123 Audio Capture
- T1059.005 Visual Basic
- T1053.005 Scheduled Task
- T1561.002 Disk Structure Wipe
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 3 public reports that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- SPACESHIP
MITRE ATT&CK Software
- BLUELIGHT (S0657) – malware
- CORALDECK (S0212) – malware
- KARAE (S0215) – malware
- SLOWDRIFT (S0218) – malware
- ROKRAT (S0240) – malware
- SHUTTERSPEED (S0217) – malware
- POORAIM (S0216) – malware
- HAPPYWORK (S0214) – malware
- Final1stspy (S0355) – malware
- Cobalt Strike (S0154) – malware
- NavRAT (S0247) – malware
- DOGCALL (S0213) – malware
- WINERACK (S0219) – malware
Attribution and Evidence
Country of Origin: North Korea
Additional attribution information pending cataloguing.
References
[1] mitre-attack
[9] Volexity InkySquid BLUELIGHT August 2021: Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
[10] CrowdStrike Ricochet Chollima September 2021: CrowdStrike. (2021, September 30). Adversary Profile - Ricochet Chollima. Retrieved September 30, 2021.
[11] FireEye APT37 Feb 2018: FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
[12] Securelist ScarCruft May 2019: GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
[13] Talos Group123: Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
[14] Securelist ScarCruft Jun 2016: Raiu, C., and Ivanov, A. (2016, June 17). Operation Daybreak. Retrieved February 15, 2018.