Skip to content

G0067 APT37

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.123

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Item Value
ID G0067
Associated Names Richochet Chollima, InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper
Version 2.0
Created 18 April 2018
Last Modified 15 October 2021
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Richochet Chollima 4
InkySquid 5
ScarCruft 216
Reaper 1
Group123 1
TEMP.Reaper 1

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.6
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols APT37 uses HTTPS to conceal C2 communications.3
enterprise T1123 Audio Capture APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder APT37‘s has added persistence via the Registry key HKCU\Software\Microsoft\CurrentVersion\Run\.13
enterprise T1059 Command and Scripting Interpreter APT37 has used Ruby scripts to execute payloads.7
enterprise T1059.003 Windows Command Shell APT37 has used the command-line interface.13
enterprise T1059.005 Visual Basic APT37 executes shellcode and a VBA script to decode Base64 strings.3
enterprise T1059.006 Python APT37 has used Python scripts to execute payloads.7
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.1
enterprise T1005 Data from Local System APT37 has collected data from victims’ local systems.1
enterprise T1561 Disk Wipe -
enterprise T1561.002 Disk Structure Wipe APT37 has access to destructive malware that is capable of overwriting a machine’s Master Boot Record (MBR).13
enterprise T1189 Drive-by Compromise APT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a Javascript based profiler called RICECURRY to profile a victim’s web browser and deliver malicious code accordingly.215
enterprise T1203 Exploitation for Client Execution APT37 has used exploits for Flash Player (CVE-2016-4117, CVE-2018-4878), Word (CVE-2017-0199), Internet Explorer (CVE-2020-1380 and CVE-2020-26411), and Microsoft Edge (CVE-2021-26411) for execution.2135
enterprise T1105 Ingress Tool Transfer APT37 has downloaded second stage malware from compromised websites.1657
enterprise T1559 Inter-Process Communication -
enterprise T1559.002 Dynamic Data Exchange APT37 has used Windows DDE for execution of commands and a malicious VBS.2
enterprise T1036 Masquerading -
enterprise T1036.001 Invalid Code Signature APT37 has signed its malware with an invalid digital certificates listed as “Tencent Technology (Shenzhen) Company Limited.”2
enterprise T1106 Native API APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.3
enterprise T1027 Obfuscated Files or Information APT37 obfuscates strings and payloads.367
enterprise T1027.003 Steganography APT37 uses steganography to send images to users that are embedded with shellcode.36
enterprise T1120 Peripheral Device Discovery APT37 has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices. 6
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment APT37 delivers malware using spearphishing emails with malicious HWP attachments.136
enterprise T1057 Process Discovery APT37‘s Freenki malware lists running processes using the Microsoft Windows API.3
enterprise T1055 Process Injection APT37 injects its malware variant, ROKRAT, into the cmd.exe process.3
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task APT37 has created scheduled tasks to run malicious scripts on a compromised host.7
enterprise T1082 System Information Discovery APT37 collects the computer name, the BIOS model, and execution path.3
enterprise T1033 System Owner/User Discovery APT37 identifies the victim username.3
enterprise T1529 System Shutdown/Reboot APT37 has used malware that will issue the command shutdown /r /t 1 to reboot a system after wiping its MBR.3
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File APT37 has sent spearphishing attachments attempting to get a user to open them.1
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.13

Software

ID Name References Techniques
S0657 BLUELIGHT 5 Web Protocols:Application Layer Protocol Archive Collected Data Archive via Custom Method:Archive Collected Data Credentials from Web Browsers:Credentials from Password Stores Exfiltration Over C2 Channel File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Obfuscated Files or Information Process Discovery Screen Capture Security Software Discovery:Software Discovery Steal Web Session Cookie System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Time Discovery System Checks:Virtualization/Sandbox Evasion Bidirectional Communication:Web Service
S0154 Cobalt Strike 5 Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Parent PID Spoofing:Access Token Manipulation Domain Account:Account Discovery Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Application Layer Protocol BITS Jobs Browser Session Hijacking Visual Basic:Command and Scripting Interpreter Python:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Process Discovery Process Hollowing:Process Injection Process Injection Dynamic-link Library Injection:Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services SSH:Remote Services Remote Desktop Protocol:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0212 CORALDECK 1 Archive via Utility:Archive Collected Data Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol File and Directory Discovery
S0213 DOGCALL 18 Audio Capture Ingress Tool Transfer Keylogging:Input Capture Obfuscated Files or Information Screen Capture Bidirectional Communication:Web Service
S0355 Final1stspy 8 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Deobfuscate/Decode Files or Information Obfuscated Files or Information Process Discovery System Information Discovery
S0214 HAPPYWORK 1 Ingress Tool Transfer System Information Discovery System Owner/User Discovery
S0215 KARAE 1 Drive-by Compromise Ingress Tool Transfer System Information Discovery Bidirectional Communication:Web Service
S0247 NavRAT 9 Mail Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Local Data Staging:Data Staged Ingress Tool Transfer Keylogging:Input Capture Process Discovery Process Injection System Information Discovery
S0216 POORAIM 1 Drive-by Compromise File and Directory Discovery Process Discovery Screen Capture System Information Discovery Bidirectional Communication:Web Service
S0240 ROKRAT 36 Web Protocols:Application Layer Protocol Application Window Discovery Audio Capture Clipboard Data Visual Basic:Command and Scripting Interpreter Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Data from Local System Debugger Evasion Deobfuscate/Decode Files or Information Environmental Keying:Execution Guardrails Exfiltration Over C2 Channel Exfiltration to Cloud Storage:Exfiltration Over Web Service File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Obfuscated Files or Information Spearphishing Attachment:Phishing Process Discovery Process Injection Query Registry Screen Capture System Information Discovery System Owner/User Discovery Malicious File:User Execution System Checks:Virtualization/Sandbox Evasion Bidirectional Communication:Web Service
S0217 SHUTTERSPEED 1 Ingress Tool Transfer Screen Capture System Information Discovery
S0218 SLOWDRIFT 1 Ingress Tool Transfer System Information Discovery Bidirectional Communication:Web Service
S0219 WINERACK 1 Application Window Discovery Command and Scripting Interpreter File and Directory Discovery Process Discovery System Information Discovery System Owner/User Discovery System Service Discovery

References

  1. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. 

  2. Raiu, C., and Ivanov, A. (2016, June 17). Operation Daybreak. Retrieved February 15, 2018. 

  3. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018. 

  4. CrowdStrike. (2021, September 30). Adversary Profile - Richochet Chollima. Retrieved September 30, 2021. 

  5. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021. 

  6. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019. 

  7. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. 

  8. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.