A lesser-known North Korean cyber-espionage outfit has become more active on the international scene in 2017, after spending the previous five years targeting only South Korean government agencies and North Korean defectors.
A history of the group's activities, which have been going on since 2012, has been compiled in a report released yesterday by US cyber-security company FireEye.
Lazarus Group's smaller brother
The report refers to the group by the codename of APT37 (also Reaper), but other companies track it as Group123 (Cisco Talos), FreeMilk (Palo Alto Networks), or StarCruft, Operation Daybreak, Operation Erebus (Kaspersky Lab).
The group has been quite active, but because it targeted mainly South Korean targets, it has not received the same amount of press coverage that fellow North Korean hacking group Lazarus Group has received.
Fair enough: hacking Sony Pictures and a bunch of banks across the world gets you more attention than going after North Korean defectors and small-time South Korean government agencies.
Group expands activity to international targets
But Lazarus Group will now have a rival for media coverage, and the reason is that APT37 has expanded its operations to include foreign targets.
New targets hit in 2017 and 2018 include companies and government agencies in Japan, Vietnam, and many Middle East countries. FireEye says it detected APT37 attacks right after business deals between North Korea and companies in Vietnam and the Middle East went sideways.
APT37 has created a lot of custom malware
At the technical level, the group is no slouch either. APT37 has been credited with creating multiple malware families in the past six years. In fact, it was APT37 behind the recent Adobe Flash Player zero-day Bleeping Computer wrote about at the start of the month.
The FireEye report paints a pretty good picture of how the group often relied on Flash vulnerabilities to infect targets, and how they varied their operations for different targets.
APT37 created several malware families over the years, ranging from backdoors to data wipers. The group also used an ever-shifting infrastructure, relying on AOL Instant Messenger, pCloud, and Dropbox for its command-and-control servers, and on spear-phishing, hacked websites, and torrent files for spreading its malicious payloads.
Their malware and exploit arsenal is also something to behold, as the group is behind several interesting and quite well-built tools, such as: