Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа APT37
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
APT37
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

APT37

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft Jun 2016)(Citation: Talos Group123) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
ID: G0067
Associated Groups: Richochet Chollima, InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper
Version: 2.0
Created: 18 Apr 2018
Last Modified: 15 Oct 2021

Associated Group Descriptions
Name Description
Richochet Chollima (Citation: CrowdStrike Richochet Chollima September 2021)
InkySquid (Citation: Volexity InkySquid BLUELIGHT August 2021)
ScarCruft (Citation: Securelist ScarCruft Jun 2016)(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft May 2019)
Reaper (Citation: FireEye APT37 Feb 2018)
Group123 (Citation: FireEye APT37 Feb 2018)
TEMP.Reaper (Citation: FireEye APT37 Feb 2018)

Techniques Used
Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.(Citation: Securelist ScarCruft May 2019)
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT37 uses HTTPS to conceal C2 communications.(Citation: Talos Group123)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT37's has added persistence via the Registry key HKCU\Software\Microsoft\CurrentVersion\Run\.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

APT37 has used the command-line interface.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)
.005 Command and Scripting Interpreter: Visual Basic

APT37 executes shellcode and a VBA script to decode Base64 strings.(Citation: Talos Group123)

.006 Command and Scripting Interpreter: Python

APT37 has used Python scripts to execute payloads.(Citation: Volexity InkySquid RokRAT August 2021)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.(Citation: FireEye APT37 Feb 2018)
Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)
Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

APT37 has used Windows DDE for execution of commands and a malicious VBS.(Citation: Securelist ScarCruft Jun 2016)
Enterprise T1036 .001 Masquerading: Invalid Code Signature

APT37 has signed its malware with an invalid digital certificates listed as “Tencent Technology (Shenzhen) Company Limited.”(Citation: Securelist ScarCruft Jun 2016)
Enterprise T1027 .003 Obfuscated Files or Information: Steganography

APT37 uses steganography to send images to users that are embedded with shellcode.(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT37 delivers malware using spearphishing emails with malicious HWP attachments.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT37 has created scheduled tasks to run malicious scripts on a compromised host.(Citation: Volexity InkySquid RokRAT August 2021)
Enterprise T1204 .002 User Execution: Malicious File

APT37 has sent spearphishing attachments attempting to get a user to open them.(Citation: FireEye APT37 Feb 2018)
Enterprise T1102 .002 Web Service: Bidirectional Communication

APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)

Software
ID Name References Techniques
S0213 DOGCALL (Citation: FireEye APT37 Feb 2018) (Citation: Unit 42 Nokki Oct 2018) Keylogging, Screen Capture, Ingress Tool Transfer, Obfuscated Files or Information, Bidirectional Communication, Audio Capture
S0214 HAPPYWORK (Citation: FireEye APT37 Feb 2018) System Information Discovery, System Owner/User Discovery, Ingress Tool Transfer
S0215 KARAE (Citation: FireEye APT37 Feb 2018) Drive-by Compromise, Ingress Tool Transfer, System Information Discovery, Bidirectional Communication
S0218 SLOWDRIFT (Citation: FireEye APT37 Feb 2018) System Information Discovery, Bidirectional Communication, Ingress Tool Transfer
S0217 SHUTTERSPEED (Citation: FireEye APT37 Feb 2018) System Information Discovery, Ingress Tool Transfer, Screen Capture
S0219 WINERACK (Citation: FireEye APT37 Feb 2018) Process Discovery, System Owner/User Discovery, File and Directory Discovery, Application Window Discovery, Command and Scripting Interpreter, System Service Discovery, System Information Discovery
S0247 NavRAT (Citation: Talos NavRAT May 2018) Local Data Staging, Ingress Tool Transfer, Mail Protocols, Process Injection, System Information Discovery, Keylogging, Windows Command Shell, Registry Run Keys / Startup Folder, Process Discovery
S0216 POORAIM (Citation: FireEye APT37 Feb 2018) File and Directory Discovery, Screen Capture, Bidirectional Communication, Process Discovery, System Information Discovery, Drive-by Compromise
S0240 ROKRAT (Citation: Securelist ScarCruft May 2019) (Citation: Talos Group123) (Citation: Talos ROKRAT 2) (Citation: Talos ROKRAT) (Citation: Volexity InkySquid RokRAT August 2021) Modify Registry, Audio Capture, Query Registry, Credentials from Web Browsers, Keylogging, Native API, Debugger Evasion, Process Discovery, File Deletion, Visual Basic, Windows Credential Manager, Environmental Keying, Exfiltration Over C2 Channel, Spearphishing Attachment, Clipboard Data, Obfuscated Files or Information, System Checks, File and Directory Discovery, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, Bidirectional Communication, Screen Capture, System Owner/User Discovery, Process Injection, System Information Discovery, Application Window Discovery, Data from Local System, Malicious File, Exfiltration to Cloud Storage, Web Protocols
S0212 CORALDECK (Citation: FireEye APT37 Feb 2018) Exfiltration Over Unencrypted Non-C2 Protocol, Archive via Utility, File and Directory Discovery
S0657 BLUELIGHT (Citation: Volexity InkySquid BLUELIGHT August 2021) System Network Configuration Discovery, Archive via Custom Method, System Owner/User Discovery, System Information Discovery, Ingress Tool Transfer, Obfuscated Files or Information, Exfiltration Over C2 Channel, Security Software Discovery, File Deletion, Bidirectional Communication, Steal Web Session Cookie, Credentials from Web Browsers, Process Discovery, Archive Collected Data, System Checks, File and Directory Discovery, Web Protocols, System Time Discovery, Screen Capture
S0355 Final1stspy (Citation: Unit 42 Nokki Oct 2018) Registry Run Keys / Startup Folder, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Process Discovery, System Information Discovery, Web Protocols
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: Volexity InkySquid BLUELIGHT August 2021) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, Application Layer Protocol, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information

References

  1. Raiu, C., and Ivanov, A. (2016, June 17). Operation Daybreak. Retrieved February 15, 2018.
  2. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  3. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  4. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  5. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  6. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  7. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  8. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  9. CrowdStrike. (2021, September 30). Adversary Profile - Richochet Chollima. Retrieved September 30, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.