APT37: Inside the Toolset of an Elite North Korean Hacker Group

North Korea’s most prolific hacking group, broadly known within the security community as Lazarus, has over the last half-decade proven itself one of the world’s most internationally aggressive teams of intruders. It has pulled off audacious attacks around the globe, from leaking and destroying Sony Pictures’ data to siphoning tens of millions of dollars from banks in Poland and Bangladesh. Now, security researchers have detailed the capabilities of a far more obscure North Korean group, with its own distinct and diverse hacking arsenal.

Tuesday, security firm FireEye released a new report describing a group of sophisticated state-sponsored hackers it calls APT37—also known by the names ScarCruft and Group123—that it has followed for the last three years, tracing the operation to North Korea. The company notes that the hackers have, for the most part, remained focused on South Korean targets, which has allowed the team to keep a far lower profile than Lazarus. But FireEye says APT37 isn’t necessarily any less skillful or well-resourced. It has used a broad range of penetration techniques, and has planted custom-coded malware on victims’ computers capable of everything from eavesdropping via an infected PC’s microphone to Sony-style data-wiping attacks.

“We believe this is the next team to watch,” says John Hultquist, FireEye’s director of intelligence analysis. “This operator has continued to operate in a cloud of obscurity, mostly because they’ve stayed regional. But they’re showing all the signs of a maturing asset that’s commanded by the North Korean regime and can be turned to any purpose it wants.”

Hultquist adds that FireEye is flagging APT37 now in part because it has observed the group branching out from its usual targets: South Korean companies, human rights groups, individuals involved in the Olympics, and North Korean defectors. It also recently struck a Japanese organization associated with the United Nations’ enforcement of sanctions, the director of a Vietnamese transport and trading firm, and a Middle Eastern business that found itself in a dispute with the North Korean government over a deal gone wrong, FireEye says, while declining to share more information on APT37’s victims.

“They’re making moves outside of South Korea, which is very disconcerting, given their level of aggression,” Hultquist says.

APT37’s Arsenal

In its analysis of APT37, FireEye provides a rare breakdown of the hacker group’s entire known toolset, from initial infection to final payload. Earlier this month, security firms tracked the group using a zero-day vulnerability in Adobe Flash to spread malware via websites, an unusual use of a still-secret and then-unpatched software flaw. But in the past, the group has also exploited non-zero-day Flash vulnerabilities that victims have been slow to patch, lingering flaws in the popular Korean Hangul word processor to infect computers via malicious attachments, and even BitTorrent, indiscriminately uploading malware-infected software to piracy sites to trick unwitting users into downloading and installing it.

Once it finds an initial foothold on a victim’s machine, APT37 has a diverse grab bag of spy tools at its disposal. It has installed malware that FireEye calls DogCall, ShutterSpeed, and PoorAim, all of which can capture screenshots of a victim’s computer, log keystrokes, or dig through their files. Another malware sample, ZumKong, is designed to steal credentials out of browser memory. A tool called CoralDeck compresses files and exfiltrates them to the attacker’s remote server. And a piece of spyware FireEye calls SoundWave takes over a victim’s PC microphone to silently record and store eavesdropped audio.

Perhaps most disturbing, Hultquist notes, is that APT37 has in some cases also dropped a tool that FireEye calls RUHappy, which has the potential to destroy systems. That wiper malware deletes a portion of the computer’s master boot record and restarts the computer so that it’s left fully paralyzed, displaying only the words “Are You Happy?” on the screen. FireEye notes that it’s never actually seen that malware triggered on a victim’s network—only installed and left as a threat. But Cisco’s Talos researchers noted in their own detailed report on APT37 last month that a 2014 attack on a Korean power plant had indeed left that three-word message on wiped machines, though they weren’t able to otherwise tie that attack to APT37.
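Because the wiper described above is said to damage only part of the master boot record before rebooting the host, the first question an incident responder asks about a machine that will no longer boot is whether its boot sector still looks like one. The following is an added example written for this page, not code from FireEye, Talos, or the malware itself: it parses a 512-byte MBR using the standard layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), reports what is missing, and runs against two sample sectors constructed here for illustration. To check a real disk, pass the first 512 bytes of a disk image or block device in place of the constructed sample.

```python
"""Assess whether a 512-byte master boot record (MBR) is intact.

Added example for triaging a host hit by an MBR wiper. The MBR layout used
here is the standard one (boot code, 4 partition entries, 0x55AA signature),
not anything taken from the APT37 reports. Sample sectors are constructed
below; nothing here touches a real disk.
"""
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader stub
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR


def parse_partition_table(mbr: bytes) -> list:
    """Return the four partition entries as dicts (status, type, start LBA, length)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        entry = mbr[off:off + PART_ENTRY_LEN]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        entries.append({
            "status": entry[0],      # 0x80 = bootable, 0x00 = inactive
            "type": entry[4],        # 0x00 = unused slot
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def assess_mbr(mbr: bytes) -> dict:
    """Run structural checks and return {'intact': bool, 'findings': [...], 'partitions': [...]}."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return {"intact": False,
                "findings": [f"unexpected sector length {len(mbr)}"],
                "partitions": []}
    if mbr[510:512] != SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not any(mbr[:BOOT_CODE_LEN]):
        findings.append("boot code region is all zeros")
    parts = parse_partition_table(mbr)
    in_use = [p for p in parts if p["type"] != 0]
    if not in_use:
        findings.append("partition table empty")
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    for p in in_use:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"invalid status byte 0x{p['status']:02x}")
        if p["sectors"] == 0:
            findings.append("partition entry with zero length")
    return {"intact": not findings, "findings": findings, "partitions": in_use}


def build_sample_mbr() -> bytes:
    """Construct a plausible healthy MBR: a non-empty boot stub, one bootable NTFS partition, valid signature."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
    # status 0x80, CHS start (ignored here), type 0x07 (NTFS), CHS end, LBA start 2048, 1,000,000 sectors
    entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 2048, 1_000_000)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return boot_code + table + SIGNATURE


def zero_prefix(mbr: bytes, nbytes: int) -> bytes:
    """Return a copy of the sector with its first nbytes overwritten by zeros (constructed damage for the demo)."""
    return b"\x00" * nbytes + mbr[nbytes:]


if __name__ == "__main__":
    healthy = build_sample_mbr()
    for label, sector in (("healthy", healthy),
                          ("boot code only wiped", zero_prefix(healthy, BOOT_CODE_LEN)),
                          ("whole sector wiped", zero_prefix(healthy, MBR_SIZE))):
        result = assess_mbr(sector)
        print(f"{label}: intact={result['intact']} findings={result['findings']}")
```

A sector whose boot stub is zeroed but whose partition table and signature survive is the interesting middle case: the machine will not boot, yet the partitions and the data behind them are still addressable from a rescue image, so the response is boot-code repair rather than full restore.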

Opsec Slipups

If anything about APT37 is less than professional, it may be the group’s own operational security. FireEye’s researchers were able to definitively trace the group to North Korea in part due to an embarrassing slip-up. In 2016, FireEye found that one of the group’s developers seemed to have infected himself or herself with one of the group’s own spyware tools, potentially during testing. That spyware then uploaded a collection of files from the malware developer’s own computer to a command-and-control server, along with a record of the developer’s IP address in Pyongyang. Even worse, that server was also left unprotected, allowing FireEye to discover it by reverse-engineering APT37’s malware and then access all the files stored there, including those of the group’s own sloppy coder.

“That was a very fortunate event, and a fairly rare one,” Hultquist says. The discovery, along with an analysis of the compile times of the group’s programs, the infrastructure and code shared between its different tools, and its persistent targeting of the North Korean state’s adversaries, allowed FireEye to confidently link all of APT37’s activities to the North Korean government.