APT37
Also known as: InkySquid · ScarCruft · Reaper · Group123 · TEMP.Reaper · Ricochet Chollima
Overview
APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018. North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
Targets
Government · Private sector
Regions
Japan · South Korea · Vietnam
Capabilities
- Destructive / data-wiping operations — ATT&CK T1561.002
- Exploitation of public-facing / client applications — ATT&CK T1203
- Custom malware/implant development — ATT&CK: 13 attributed custom malware families
TTPs — 29 techniques across 10 tactics
Initial Access
- T1189 Drive-by Compromise
- T1566.001 Spearphishing Attachment
Execution
- T1053.005 Scheduled Task
- T1059 Command and Scripting Interpreter
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1059.006 Python
- T1106 Native API
- T1203 Exploitation for Client Execution
- T1204.002 Malicious File
- T1559.002 Dynamic Data Exchange
Persistence
- T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation
- T1548.002 Bypass User Account Control
Stealth
- T1027 Obfuscated Files or Information
- T1027.003 Steganography
- T1036.001 Invalid Code Signature
- T1055 Process Injection
Credential Access
- T1555.003 Credentials from Web Browsers
Discovery
- T1033 System Owner/User Discovery
- T1057 Process Discovery
- T1082 System Information Discovery
- T1120 Peripheral Device Discovery
Collection
- T1005 Data from Local System
- T1123 Audio Capture
Command and Control
- T1071.001 Web Protocols
- T1102.002 Bidirectional Communication
- T1105 Ingress Tool Transfer
Impact
- T1529 System Shutdown/Reboot
- T1561.002 Disk Structure Wipe
Tools & malware (13)
BLUELIGHT · CORALDECK · KARAE · SLOWDRIFT · ROKRAT · SHUTTERSPEED · POORAIM · HAPPYWORK · Final1stspy · Cobalt Strike · NavRAT · DOGCALL · WINERACK
Reporting (3)
- Adversary Profile - Ricochet Chollima — CrowdStrike
- North Korean APT InkySquid Infects Victims Using Browser Exploits — Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T.
- ScarCruft continues to evolve, introduces Bluetooth harvester — GReAT