APT37
Associated Group Descriptions

Name | Description
---|---
Ricochet Chollima | (Citation: CrowdStrike Richochet Chollima September 2021)
Reaper | (Citation: FireEye APT37 Feb 2018)
Group123 | (Citation: FireEye APT37 Feb 2018)
TEMP.Reaper | (Citation: FireEye APT37 Feb 2018)
ScarCruft | (Citation: Securelist ScarCruft Jun 2016)(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft May 2019)
InkySquid | (Citation: Volexity InkySquid BLUELIGHT August 2021)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.(Citation: Securelist ScarCruft May 2019)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | APT37 uses HTTPS to conceal C2 communications.(Citation: Talos Group123)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | APT37 has added persistence via the Registry key
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | APT37 has used the command-line interface.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | APT37 executes shellcode and a VBA script to decode Base64 strings.(Citation: Talos Group123)
Enterprise | T1059.006 | Command and Scripting Interpreter: Python | APT37 has used Python scripts to execute payloads.(Citation: Volexity InkySquid RokRAT August 2021)
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.(Citation: FireEye APT37 Feb 2018)
Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)
Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | APT37 has used Windows DDE for execution of commands and a malicious VBS.(Citation: Securelist ScarCruft Jun 2016)
Enterprise | T1036.001 | Masquerading: Invalid Code Signature | APT37 has signed its malware with an invalid digital certificate listed as "Tencent Technology (Shenzhen) Company Limited."(Citation: Securelist ScarCruft Jun 2016)
Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | APT37 uses steganography, sending users images that have shellcode embedded in them.(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | APT37 delivers malware using spearphishing emails with malicious HWP attachments.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | APT37 has created scheduled tasks to run malicious scripts on a compromised host.(Citation: Volexity InkySquid RokRAT August 2021)
Enterprise | T1204.002 | User Execution: Malicious File | APT37 has sent spearphishing attachments attempting to get a user to open them.(Citation: FireEye APT37 Feb 2018)
Enterprise | T1102.002 | Web Service: Bidirectional Communication | APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)
References
- Raiu, C., and Ivanov, A. (2016, June 17). Operation Daybreak. Retrieved February 15, 2018.
- FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
- Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
- GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
- Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
- Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
- Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
- Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
- CrowdStrike. (2021, September 30). Adversary Profile - Ricochet Chollima. Retrieved September 30, 2021.