
APT37

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft Jun 2016)(Citation: Talos Group123) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
ID: G0067
Associated Groups: InkySquid, ScarCruft, TEMP.Reaper, Group123, Reaper, Ricochet Chollima
Version: 2.0
Created: 18 Apr 2018
Last Modified: 17 Nov 2024

Associated Group Descriptions

Name Description
InkySquid (Citation: Volexity InkySquid BLUELIGHT August 2021)
ScarCruft (Citation: Securelist ScarCruft Jun 2016)(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft May 2019)
TEMP.Reaper (Citation: FireEye APT37 Feb 2018)
Group123 (Citation: FireEye APT37 Feb 2018)
Reaper (Citation: FireEye APT37 Feb 2018)
Ricochet Chollima (Citation: CrowdStrike Richochet Chollima September 2021)

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.(Citation: Securelist ScarCruft May 2019)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT37 uses HTTPS to conceal C2 communications.(Citation: Talos Group123)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT37 has established persistence via the per-user Registry Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)
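Run-key persistence is cheap for an attacker and cheap to audit. The following triage script is an added example for this page, not code from the cited reports or from any APT37 tooling. It enumerates the HKCU Run key on a live Windows host (via the standard winreg module) or, on any other platform, takes exported name/command pairs, and flags values that carry the weak signals a dropper-to-payload handoff usually shows: launching from a user-writable directory, going through a script host or proxy executable, referencing a script file, or passing a Base64-encoded PowerShell command. The SAMPLE_RUN_VALUES list, the value names in it and the regex thresholds are constructed assumptions for the demonstration.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Per-user Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Locations a non-admin user can write to: a Run value that launches from
# here deserves a look, because vendor installers normally use Program Files.
USER_WRITABLE = re.compile(
    r"(%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|%PUBLIC%|%PROGRAMDATA%|"
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|"
    r"\\ProgramData\\|\\Windows\\Temp\\)",
    re.IGNORECASE,
)
# Script hosts and proxy executables a dropper uses to run its real payload.
LAUNCHERS = re.compile(
    r'(^|\\|\s|")(wscript|cscript|mshta|rundll32|regsvr32|powershell|pwsh|'
    r'cmd|certutil|bitsadmin|msiexec)(\.exe)?(\s|"|$)',
    re.IGNORECASE,
)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b", re.IGNORECASE)
# PowerShell -EncodedCommand (any of its abbreviations) followed by a Base64 blob.
ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    command: str
    reasons: List[str] = field(default_factory=list)


def triage_run_value(name: str, command: str) -> Optional[Finding]:
    """Return a Finding when the Run value matches any weak-signal heuristic."""
    reasons = []
    if USER_WRITABLE.search(command):
        reasons.append("launches from a user-writable directory")
    if LAUNCHERS.search(command):
        reasons.append("uses a script host or proxy executable")
    if SCRIPT_EXT.search(command):
        reasons.append("references a script file")
    if ENCODED.search(command):
        reasons.append("carries a Base64-encoded command")
    return Finding(name, command, reasons) if reasons else None


def triage_run_values(values: List[Tuple[str, str]]) -> List[Finding]:
    return [f for f in (triage_run_value(n, c) for n, c in values) if f]


def read_run_values_windows() -> List[Tuple[str, str]]:
    """Enumerate HKCU Run values on a live Windows host (empty list elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg
    out = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under this key
                break
            out.append((name, str(data)))
            index += 1
    return out


# Constructed sample export (not real data): two ordinary entries and three
# that look like the dropper-to-payload handoff the technique describes.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("Updater", r'wscript.exe //B "C:\Users\alice\AppData\Roaming\update.vbs"'),
    ("svc", r"rundll32.exe C:\ProgramData\cache\svc.dll,Start"),
    ("sync", "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
]

if __name__ == "__main__":
    for f in triage_run_values(read_run_values_windows() or SAMPLE_RUN_VALUES):
        print(f"[!] {f.name}: {f.command}\n    " + "; ".join(f.reasons))
```

Every heuristic here is a weak signal on its own; the value of the script is in stacking them and in running it across a fleet so that an entry present on one host and nowhere else stands out. Extend the same checks to HKLM\...\Run, RunOnce and the Startup folder, which the technique also covers.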

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

APT37 has used the command-line interface.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)

.005 Command and Scripting Interpreter: Visual Basic

APT37 executes shellcode and a VBA script to decode Base64 strings.(Citation: Talos Group123)

.006 Command and Scripting Interpreter: Python

APT37 has used Python scripts to execute payloads.(Citation: Volexity InkySquid RokRAT August 2021)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.(Citation: FireEye APT37 Feb 2018)

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

APT37 has used Windows DDE for execution of commands and a malicious VBS.(Citation: Securelist ScarCruft Jun 2016)

Enterprise T1036 .001 Masquerading: Invalid Code Signature

APT37 has signed its malware with an invalid digital certificate listed as “Tencent Technology (Shenzhen) Company Limited.”(Citation: Securelist ScarCruft Jun 2016)

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

APT37 uses steganography, delivering image files to users with shellcode embedded in them.(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)
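One structural check that catches a large share of image-carried payloads is to parse the image format properly and see whether anything follows its end marker, since viewers ignore trailing bytes and that makes the tail a convenient place to park a blob. The script below is an added example written for this page; it is not the reports' analysis of APT37's encoding and does not claim to reproduce it. It walks a PNG chunk by chunk, verifying each CRC, returns whatever sits after IEND, and scores the tail by Shannon entropy (encrypted or packed data sits near 8 bits/byte). The carrier PNG is built inline and the FAKE_PAYLOAD is a constructed deterministic byte stream, not shellcode; the length and entropy thresholds are assumptions to tune locally.

```python
import math
import struct
import zlib
from collections import Counter
from typing import Dict

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_data(data: bytes) -> bytes:
    """Walk the chunk list, verify each CRC, and return everything after IEND.

    A well-formed PNG ends exactly at the IEND chunk; decoders ignore anything
    past it, which is what makes the trailing region a convenient hiding place.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if chunk_end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:chunk_end])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        pos = chunk_end
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed payloads sit near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_image(data: bytes, min_len: int = 64, min_entropy: float = 6.0) -> Dict:
    """Report the trailing region of a PNG and whether it looks like a hidden payload."""
    trailing = png_trailing_data(data)
    ent = shannon_entropy(trailing)
    return {
        "trailing_len": len(trailing),
        "trailing_entropy": round(ent, 3),
        "suspicious": len(trailing) >= min_len and ent >= min_entropy,
    }


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_sample_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed 8-bit RGB PNG (solid red) used as the clean carrier."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b"")


# Constructed stand-in for an encrypted payload: a deterministic byte stream that
# covers every value uniformly, so its entropy is exactly 8 bits/byte. Not shellcode.
FAKE_PAYLOAD = bytes((i * 73 + 41) % 256 for i in range(512))

if __name__ == "__main__":
    clean = build_sample_png()
    print(scan_image(clean))
    print(scan_image(clean + FAKE_PAYLOAD))
```

The same idea applies to JPEG (data after the FF D9 end-of-image marker) and to oversized ancillary chunks inside an otherwise valid PNG; pixel-level steganography (LSB embedding) will not be caught by this check and needs statistical tests on the decoded image instead.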

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT37 delivers malware using spearphishing emails with malicious HWP attachments.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT37 has created scheduled tasks to run malicious scripts on a compromised host.(Citation: Volexity InkySquid RokRAT August 2021)

Enterprise T1204 .002 User Execution: Malicious File

APT37 has sent spearphishing attachments attempting to get a user to open them.(Citation: FireEye APT37 Feb 2018)

Enterprise T1102 .002 Web Service: Bidirectional Communication

APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)
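C2 over legitimate cloud storage and social platforms blends into traffic every proxy already allows, so blocking by destination is rarely an option; what an implant cannot easily hide is timer-driven regularity. The script below is an added example for this page, not code from the cited reports, and it does not describe any specific APT37 beacon interval. It parses proxy-log lines in a constructed layout, maps hosts to the providers named above through an illustrative suffix table, groups requests by source and service, and flags pairs whose inter-request gaps have a low coefficient of variation across enough requests to matter. The SAMPLE_LOG, its IPs, hosts and timings are constructed, and the six-request / 0.2 thresholds are assumptions to tune on your own baseline.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Illustrative domain -> service map for the providers named above. Assumed
# list for this example; extend it from your own proxy categorisation.
SERVICE_DOMAINS = {
    "pcloud.com": "pCloud",
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "box.com": "Box",
    "mediafire.com": "Mediafire",
    "yandex.net": "Yandex",
    "yandex.ru": "Yandex",
    "twitter.com": "Twitter",
    "aol.com": "AOL",
}

# Constructed proxy-log layout: "<ISO-8601 UTC> <src ip> <host> <method> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"(?P<host>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def service_for(host: str) -> Optional[str]:
    host = host.lower().rstrip(".")
    for domain, name in SERVICE_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["host"]


def find_beacons(lines: List[str], min_requests: int = 6, max_cv: float = 0.2) -> List[Dict]:
    """Flag (source, service) pairs whose request timing is too regular to be a person.

    cv is the coefficient of variation (stdev / mean) of the inter-request gaps: a human
    clicking around Dropbox produces a large cv, a timer-driven implant a small one.
    """
    series: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; count these separately in production
        ts, src, host = rec
        svc = service_for(host)
        if svc:
            series[(src, svc)].append(ts)

    hits = []
    for (src, svc), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "service": svc, "requests": len(stamps),
                         "mean_gap_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def _series(src: str, host: str, gaps_s: List[int], path: str = "/api/sync") -> List[str]:
    """Build constructed log lines starting at a fixed time with the given gaps."""
    t = datetime(2024, 5, 3, 9, 0, 0)
    lines = [f"{t:%Y-%m-%dT%H:%M:%SZ} {src} {host} POST {path} 200"]
    for g in gaps_s:
        t += timedelta(seconds=g)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {src} {host} POST {path} 200")
    return lines


# Constructed sample log (not real traffic): one timer-driven talker to pCloud,
# one person using Dropbox, one bursty-but-irregular Dropbox API client, one regular
# check-in to an internal host that is not a listed service, and a malformed line.
SAMPLE_LOG = (
    _series("10.1.2.34", "api.pcloud.com", [60, 58, 61, 60, 62, 59, 60])
    + _series("10.1.2.50", "www.dropbox.com", [840, 95], path="/home")
    + _series("10.1.2.60", "content.dropboxapi.com", [5, 900, 30, 1200, 12, 600])
    + _series("10.1.2.70", "intranet.corp.example", [300, 300, 300, 300, 300, 300])
    + ["garbage line that does not match the format"]
)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Sync clients for these same services also poll on timers, so a hit is a lead rather than a verdict: pivot on the process that made the request (proxy logs with user-agent or an EDR network event), on whether the account involved belongs to the user, and on upload volume, since these services double as the exfiltration channel.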

Software

ID Name References Techniques
S0213 DOGCALL (Citation: FireEye APT37 Feb 2018) (Citation: Unit 42 Nokki Oct 2018) Screen Capture, Keylogging, Encrypted/Encoded File, Audio Capture, Bidirectional Communication, Ingress Tool Transfer
S0214 HAPPYWORK (Citation: FireEye APT37 Feb 2018) System Owner/User Discovery, System Information Discovery, Ingress Tool Transfer
S0215 KARAE (Citation: FireEye APT37 Feb 2018) System Information Discovery, Bidirectional Communication, Drive-by Compromise, Ingress Tool Transfer
S0218 SLOWDRIFT (Citation: FireEye APT37 Feb 2018) System Information Discovery, Bidirectional Communication, Ingress Tool Transfer
S0217 SHUTTERSPEED (Citation: FireEye APT37 Feb 2018) Screen Capture, System Information Discovery, Ingress Tool Transfer
S0219 WINERACK (Citation: FireEye APT37 Feb 2018) System Owner/User Discovery, System Service Discovery, System Information Discovery, Application Window Discovery, Command and Scripting Interpreter, File and Directory Discovery, Process Discovery
S0247 NavRAT (Citation: Talos NavRAT May 2018) Keylogging, Local Data Staging, System Information Discovery, Process Injection, Mail Protocols, Process Discovery, Registry Run Keys / Startup Folder, Windows Command Shell, Ingress Tool Transfer
S0216 POORAIM (Citation: FireEye APT37 Feb 2018) Screen Capture, System Information Discovery, File and Directory Discovery, Process Discovery, Bidirectional Communication, Drive-by Compromise
S0240 ROKRAT (Citation: Securelist ScarCruft May 2019) (Citation: Talos Group123) (Citation: Talos ROKRAT 2) (Citation: Talos ROKRAT) (Citation: Volexity InkySquid RokRAT August 2021) Screen Capture, System Owner/User Discovery, Keylogging, Audio Capture, Malicious File, System Checks, Spearphishing Attachment, Clipboard Data, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Application Window Discovery, Modify Registry, Credentials from Web Browsers, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, Obfuscated Files or Information, Bidirectional Communication, Exfiltration to Cloud Storage, Query Registry, Windows Credential Manager, File Deletion, Web Protocols, Visual Basic, Debugger Evasion, Ingress Tool Transfer, Environmental Keying
S0212 CORALDECK (Citation: FireEye APT37 Feb 2018) Archive via Utility, File and Directory Discovery, Exfiltration Over Unencrypted Non-C2 Protocol
S0657 BLUELIGHT (Citation: Volexity InkySquid BLUELIGHT August 2021) Screen Capture, System Owner/User Discovery, Encrypted/Encoded File, Steal Web Session Cookie, Archive via Custom Method, System Checks, System Information Discovery, Archive Collected Data, Credentials from Web Browsers, System Network Configuration Discovery, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, Bidirectional Communication, Security Software Discovery, File Deletion, Web Protocols, Ingress Tool Transfer, System Time Discovery
S0355 Final1stspy (Citation: Unit 42 Nokki Oct 2018) System Information Discovery, Deobfuscate/Decode Files or Information, Process Discovery, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Web Protocols
S0154 Cobalt Strike (Citation: Volexity InkySquid BLUELIGHT August 2021) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
