Introduction
APT37, also tracked as Reaper, Group123, Ricochet Chollima, and ScarCruft, is a cyber espionage group that has been active since at least 2012. The group is assessed to operate from North Korea on behalf of the North Korean government. Its victims are primarily located in South Korea, but it has also targeted Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.
APT37 concentrates on public and private entities associated with South Korea, including government, defence, industrial, and healthcare organisations. It has also targeted North Korean defectors and human rights activists, individuals involved in the Olympics, and organisations involved in cryptocurrency. The group has exploited zero-day vulnerabilities and deployed destructive malware, which places it well above actors that rely only on commodity tooling.
Timeline of Incidents
- 2012 to Early 2017: APT37’s activities were largely confined to South Korea. The group used social engineering tactics to target South Korean government, military, and defence industry organisations, as well as North Korean defectors and human rights activists.
- Late 2017 to January 2018: APT37 exploited a then-unpatched Adobe Flash Player vulnerability (CVE-2018-4878), delivered as a Flash object embedded in spear-phishing documents sent to South Korean targets with an interest in North Korea. The in-the-wild exploitation was disclosed by KISA (KrCERT) on 31 January 2018, and Adobe patched it in February 2018.
- Late 2017 to 2018: APT37 expanded its targeting beyond South Korea to Japan, Vietnam, and the Middle East. The group was also linked to destructive malware (tracked by FireEye as RUHAPPY) found at a Middle Eastern organisation; the wiper overwrites the master boot record (MBR) of the infected machine so that it can no longer boot.
- 2019: APT37 was linked to spear-phishing campaigns against South Korean users that delivered malicious Hangul Word Processor (HWP) documents, a format that is ubiquitous in South Korean government and industry and therefore a reliable lure.
- 2020: APT37 used COVID-19-themed lures in spear-phishing attacks against South Korean targets.
- 2021: APT37 was linked to a series of spear-phishing attacks against South Korean journalists. The group used a document that appeared to be a request for a television appearance.
- 2022: APT37 continued spear-phishing against South Korean targets. Note that COPPERHEDGE and TAINTEDSCRIBE, which are sometimes listed alongside APT37, were attributed by CISA in May 2020 to the broader HIDDEN COBRA (Lazarus Group) activity set rather than to this group; treat indicators from those families as Lazarus-related unless a report ties them specifically to APT37.
- 2023: APT37 was linked to continued spear-phishing against South Korean and Japanese organisations.
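The MBR-overwriting wiper in the 2017 to 2018 entry suggests a triage check worth automating during incident response: does the first sector of a suspect disk image still look like a master boot record? The following Python is an added example written for this page, not code from the original or from any vendor report. It parses the classic MBR layout (boot code at offsets 0 to 445, four 16-byte partition entries at 446, the 0x55AA signature at 510) and flags the symptoms an overwrite leaves behind. The two sample sectors are constructed inline; the one "NTFS" partition entry and its LBA values are made up for the example.

```python
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
BOOT_SIG = b"\x55\xAA"


@dataclass
class PartitionEntry:
    status: int      # 0x80 = bootable, 0x00 = inactive; anything else is invalid
    part_type: int   # e.g. 0x07 NTFS/exFAT, 0xEE GPT protective entry
    lba_start: int
    sectors: int

    @property
    def is_empty(self) -> bool:
        return self.part_type == 0 and self.lba_start == 0 and self.sectors == 0


def parse_partition_table(sector: bytes) -> list[PartitionEntry]:
    """Decode the four 16-byte entries: status, 3-byte CHS start, type, 3-byte CHS end, LBA start, size."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, part_type, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append(PartitionEntry(status, part_type, lba_start, sectors))
    return entries


def assess_mbr(sector: bytes) -> list[str]:
    """Return findings for the first sector; an empty list means it still looks like a sane MBR."""
    if len(sector) != SECTOR_SIZE:
        return [f"sector is {len(sector)} bytes, expected {SECTOR_SIZE}"]
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    boot_code = sector[:PART_TABLE_OFFSET]
    if len(set(boot_code)) == 1:
        # A wiper that overwrites the sector with a constant (0x00, 0xFF, ...) leaves this pattern.
        findings.append(f"boot code region is a single repeated byte 0x{boot_code[0]:02x}")
    entries = parse_partition_table(sector)
    if all(e.is_empty for e in entries):
        findings.append("partition table is empty")
    for i, e in enumerate(entries):
        if e.status not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{e.status:02x}")
    return findings


def assess_image(path: str) -> list[str]:
    """Read sector 0 of a raw (dd-style) disk image acquired during IR and assess it."""
    with open(path, "rb") as fh:
        return assess_mbr(fh.read(SECTOR_SIZE))


def build_sample_mbr() -> bytes:
    """Constructed healthy-looking MBR: varied boot code, one active NTFS partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\x33\xC0\x8E"                      # xor ax,ax / mov ds,... style prologue
    for i in range(3, PART_TABLE_OFFSET):
        sector[i] = (i * 37) & 0xFF                    # filler so the region is not one repeated byte
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def build_wiped_mbr(fill: int = 0x00) -> bytes:
    """Constructed sector as left by a wiper that overwrote it with a constant byte."""
    return bytes([fill]) * SECTOR_SIZE


if __name__ == "__main__":
    for label, sector in (("healthy", build_sample_mbr()), ("wiped", build_wiped_mbr())):
        print(label, assess_mbr(sector) or ["no findings"])
```

Treat the findings as triage hints rather than a verdict: a data-only disk legitimately has zeroed boot code, and a GPT disk still carries a protective MBR with a single 0xEE entry, so the check applies to it too. Run `assess_image()` against the forensic image rather than the live device, and compare against a known-good sector from the same build where one is available.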
Indicators of Compromise (IOCs)
The entries below are vulnerabilities that have been associated with APT37 operations, not atomic indicators such as hashes or domains; use them to prioritise patching and to scope exploitation hunting rather than as match-and-alert IOCs. Two of them have a firm link to the group: CVE-2020-1380 and CVE-2021-26411 were both exploited in the 2021 watering-hole compromise of the Daily NK news site that Volexity attributed to this actor (under the name InkySquid) to deliver the BLUELIGHT backdoor. Malware families documented for the group by FireEye include the DOGCALL backdoor (also tracked as ROKRAT), KARAE, POORAIM, and the RUHAPPY wiper. The associated vulnerabilities include:
- CVE-2021-26411 – Microsoft Advisory | NVD
- Description: This is a remote code execution vulnerability that exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
- Exploitation: An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
- CVE-2020-1380 – Microsoft Advisory | NVD
- Description: This is a remote code execution vulnerability that exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
- Exploitation: An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
- CVE-2020-0986 – Microsoft Advisory | NVD
- Description: An elevation of privilege vulnerability that Microsoft titled "Windows Kernel Elevation of Privilege Vulnerability". The flaw is in splwow64.exe, the 32-bit printer-driver host process: it accepted LPC messages containing unchecked pointers, giving a caller arbitrary read and write inside that medium-integrity process. Microsoft's first fix was incomplete and the bypass was tracked as CVE-2020-17008, finally fixed as CVE-2021-1648.
- Exploitation: This is a sandbox escape. An attacker who already runs code in a low-integrity process (typically after a browser renderer exploit) uses it to reach the privileges of the logged-on user, and can then install programs, view, change, or delete data, or create new accounts with that user's rights. It was exploited in the wild in 2020 chained with CVE-2020-1380.
- CVE-2020-17087 – Microsoft Advisory | NVD
- Description: A pool-based buffer overflow in the Windows Kernel Cryptography Driver (cng.sys), reachable from user mode through IOCTLs on the \Device\CNG device because of an integer truncation in input length handling.
- Exploitation: An attacker who successfully exploits the vulnerability runs arbitrary code in kernel mode and can then install programs, view, change, or delete data, or create new accounts with full user rights. It was exploited in the wild in October 2020 as the privilege-escalation stage after the Chrome bug CVE-2020-15999.
- CVE-2020-15999 – Google Advisory | NVD
- Description: A heap buffer overflow in FreeType's handling of PNG-compressed embedded bitmaps in fonts (Load_SBit_Png), affecting Google Chrome before 86.0.4240.111 and fixed upstream in FreeType 2.10.4.
- Exploitation: A crafted web page that loads a malicious web font gains code execution in the browser's renderer process. On its own that is sandboxed, which is why the in-the-wild chain paired it with the CVE-2020-17087 kernel bug.
- CVE-2021-24093 – Microsoft Advisory | NVD
- Description: A remote code execution vulnerability in the Windows Graphics Component, a heap-based buffer overflow in DirectWrite font rasterisation (fixed in February 2021). Any application that renders untrusted fonts through DirectWrite, including browsers, is a trigger path.
- Exploitation: An attacker who successfully exploits this vulnerability with a crafted font, for example via a web page, executes code in the rendering application; with administrative rights on the victim they can install programs, view, change, or delete data, or create new accounts with full user rights.
MITRE ATT&CK TTPs
APT37 has been observed using a number of different techniques mapped to the MITRE ATT&CK framework, including:
- T1566.001: Phishing: Spearphishing Attachment
- T1204.002: User Execution: Malicious File
- T1059.003: Command and Scripting Interpreter: Windows Command Shell
- T1027: Obfuscated Files or Information
- T1071.001: Application Layer Protocol: Web Protocols
- T1203: Exploitation for Client Execution (the Flash and browser exploits above)
- T1561.002: Disk Wipe: Disk Structure Wipe (the MBR-overwriting wiper)
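The first four techniques above form one observable chain in endpoint telemetry: a spear-phished document (T1566.001) is opened by the user (T1204.002), the document's macro or exploit spawns cmd.exe (T1059.003), and the command line is obfuscated (T1027). As an added example for this page, not code from the original or from any vendor report, the Python below flags that chain in process-creation events. It assumes Sysmon Event ID 1 records exported as JSON lines with the standard field names (ParentImage, Image, CommandLine); the hosts, file paths, timestamps and command lines in the sample records are constructed, and the base64 blob is a dummy string rather than a real payload.

```python
import json
import re
from typing import Iterable, Optional

# Parents that should not normally spawn an interpreter: Office, Hangul Word Processor, PDF readers.
DOCUMENT_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "hwp.exe", "acrord32.exe"}
# Children that indicate T1204.002 when the parent is a document reader; cmd.exe additionally maps to T1059.003.
SHELL_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Cheap T1027 heuristics: a base64 -EncodedCommand payload, or caret insertion used to break up cmd.exe tokens.
OBFUSCATION_PATTERNS = [
    re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}", re.I),
    re.compile(r"(?:\^.*){3}"),
]

# Constructed sample records in the shape of Sysmon Event ID 1 exported as JSON lines.
SAMPLE_EVENTS = [
    r'{"UtcTime": "2024-01-15 09:12:03", "Computer": "WS-FIN-07", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"}',
    r'{"UtcTime": "2024-01-15 09:14:41", "Computer": "WS-FIN-11", "ParentImage": "C:\\Program Files (x86)\\Hnc\\Office\\Bin\\Hwp.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c c^m^d^.exe /c echo constructed-sample"}',
    r'{"UtcTime": "2024-01-15 09:15:02", "Computer": "WS-FIN-07", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"}',
    r'{"UtcTime": "2024-01-15 09:16:30", "Computer": "WS-FIN-07", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}',
    "this line is not JSON and must be skipped",
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> Optional[dict]:
    """Parse one JSON record; None for malformed input so a bad line never aborts the scan."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def evaluate_event(event: dict) -> list[str]:
    """Return the sorted ATT&CK technique IDs the event matches; an empty list means no alert."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    hits = set()
    if parent in DOCUMENT_READERS and image in SHELL_INTERPRETERS:
        hits.add("T1204.002")          # document reader spawned an interpreter
        if image == "cmd.exe":
            hits.add("T1059.003")      # specifically the Windows command shell
    if any(p.search(cmdline) for p in OBFUSCATION_PATTERNS):
        hits.add("T1027")
    return sorted(hits)


def scan(lines: Iterable[str]) -> list[dict]:
    """Run the rule over a stream of JSON lines and return one alert per matching event."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        techniques = evaluate_event(event)
        if techniques:
            alerts.append({
                "utc": event.get("UtcTime"),
                "host": event.get("Computer"),
                "parent": basename(event.get("ParentImage", "")),
                "image": basename(event.get("Image", "")),
                "techniques": techniques,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The parent-child pairing is the high-signal part; Word launching splwow64.exe (printing) is normal and is deliberately not flagged, while Word launching cmd.exe almost never is in an enterprise. The T1027 patterns are intentionally crude and will miss anything the operator bothers to vary, so treat them as enrichment on an existing alert rather than a stand-alone rule.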
Further Reading
For more detailed information on APT37, you can refer to the following resources:
- FireEye, "APT37 (Reaper): The Overlooked North Korean Actor" (February 2018)
- CrowdStrike’s 2020 Global Threat Report
- Kaspersky’s APT trends report Q1 2021
- Recorded Future’s Analysis of North Korea Cyber Threats