
State-sponsored North Korean cyberespionage group continues to weaponize tactics

21 Feb 18

The North Korean threat group known to some as Reaper (APT37) is eyeing bigger targets with more sophisticated tactics, and according to researchers from FireEye, the group may just be one of the world’s most overlooked threat actors connected to the North Korean government.

FireEye tracked a North Korean cyberespionage group behind an Adobe Flash exploit (CVE-2018-4878) earlier this month, which the team has now identified as Reaper.

“We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests. FireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123,” FireEye researchers state in a research report.

The group exploits vulnerabilities in Hangul Word Processor, chosen because the software is widely used in South Korea, as well as zero-day vulnerabilities in Adobe Flash.

Since November 2017 Reaper has been exploiting the Flash zero-day (CVE-2018-4878) to distribute DOGCALL malware to South Korean victims.

“Multiple South Korean websites were abused in strategic web compromises to deliver newer variants of KARAE and POORAIM malware. Identified sites included South Korean conservative media and a news site for North Korean refugees and defectors. In one instance, APT37 weaponized a video downloader application with KARAE malware that was indiscriminately distributed to South Korean victims through torrent websites,” the report says.

The group has been active since at least 2012 and has targeted many countries in Asia and the Middle East. It primarily targets South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.

Reaper has reportedly expanded its scope and sophistication: its toolset now includes wiper malware, and the group has shown it can obtain and use zero-day vulnerabilities.

Reaper also uses spear phishing, strategic web compromises and torrent file-sharing sites to distribute its malware.

According to FireEye, the group’s command and control infrastructure includes compromised servers, messaging platforms, and cloud service providers to avoid detection. The group has shown increasing sophistication by improving their operational security over time.

“APT37 has used various legitimate platforms as command and control for its malware tools. While some early campaigns leveraged POORAIM, which abused AOL Instant Messenger, newer activity deploys DOGCALL, which uses cloud storage APIs such as pCloud and Dropbox,” the report says.
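Command and control that rides on a legitimate cloud storage API is easy to miss because the destination is a trusted service. The following is an added example, not code from FireEye's report or from this article, of a hunting check a defender could run over web-proxy logs: it flags cloud-storage API requests from user agents the organisation does not expect, and hosts polling the API at regular intervals. The API hostnames, the expected user-agent strings, the thresholds and the log lines are constructed assumptions for the example; in practice the expected agents should be baselined from your own traffic.

```python
"""Hunt for C2 hiding behind legitimate cloud-storage APIs.

Added example, not from the FireEye report or the article. The hostnames,
user-agent strings, thresholds and log lines are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: API hostnames of cloud-storage services abused for C2.
CLOUD_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "api.pcloud.com"}

# Assumption: user-agent prefixes an organisation expects on those hosts
# (official sync clients). A backdoor rarely bothers to look like one.
EXPECTED_AGENTS = ("DropboxDesktopClient", "pCloud Drive")

# Assumption: beacon thresholds. Regular polling with little jitter from one
# host is the classic shape of an implant checking a dead-drop for tasking.
BEACON_MIN_HITS = 4
BEACON_MAX_JITTER_S = 30

# Constructed log format: "<date> <time> <src-host> "<user-agent>" <dest-host> <path>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<src>\S+) "(?P<ua>[^"]*)" (?P<host>\S+) (?P<path>\S+)$'
)

# Constructed sample: ws-04 is a real sync client, ws-09 browses the web UI,
# ws-17 polls the pCloud API every ~5 minutes with a generic IE user agent.
SAMPLE_LOG = """\
2018-02-21 09:00:01 ws-04 "DropboxDesktopClient/43.4.50 (Windows; 10; x64)" content.dropboxapi.com /2/files/upload
2018-02-21 09:00:07 ws-04 "DropboxDesktopClient/43.4.50 (Windows; 10; x64)" content.dropboxapi.com /2/files/upload
2018-02-21 09:00:10 ws-17 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" api.pcloud.com /getfilelink
2018-02-21 09:03:12 ws-09 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/64.0" www.dropbox.com /home
2018-02-21 09:05:10 ws-17 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" api.pcloud.com /getfilelink
2018-02-21 09:10:11 ws-17 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" api.pcloud.com /getfilelink
2018-02-21 09:15:09 ws-17 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" api.pcloud.com /uploadfile
2018-02-21 09:20:10 ws-17 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" api.pcloud.com /getfilelink
"""


def parse_line(line):
    """Parse one proxy log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def is_expected_agent(user_agent):
    return any(user_agent.startswith(prefix) for prefix in EXPECTED_AGENTS)


def hunt(lines):
    """Return cloud-API traffic that looks like C2.

    Two heuristic checks: (1) a user agent the organisation does not expect
    to see talking to a cloud-storage API, (2) low-jitter periodic requests
    from one host to one API host, i.e. beaconing.
    """
    unexpected = set()
    hits = defaultdict(list)  # (src, host) -> request timestamps
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in CLOUD_API_HOSTS:
            continue  # not cloud-API traffic (or an unparsable line)
        if not is_expected_agent(rec["ua"]):
            unexpected.add((rec["src"], rec["host"], rec["ua"]))
        hits[(rec["src"], rec["host"])].append(rec["ts"])

    beacons = []
    for (src, host), stamps in hits.items():
        if len(stamps) < BEACON_MIN_HITS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= BEACON_MAX_JITTER_S:
            beacons.append((src, host, len(stamps), round(sum(gaps) / len(gaps))))

    return {"unexpected_agent": sorted(unexpected), "beacon": sorted(beacons)}


if __name__ == "__main__":
    for kind, items in hunt(SAMPLE_LOG.splitlines()).items():
        for item in items:
            print(kind, item)
```

The user-agent check is the noisier of the two and only works once the expected-agent list has been baselined from real traffic; the interval check is what separates an implant fetching tasking from a user who opened a file share. Both should be run against proxy or DNS telemetry that records the originating host, since the destination alone looks benign.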

FireEye researchers believe that Reaper will not disappear anytime soon, particularly as it now demonstrates a willingness to use its cyber capabilities for a variety of purposes. The group also appears unconcerned with international norms.

“We anticipate APT37 will be leveraged more and more in previously unfamiliar roles and regions, especially as pressure mounts on their sponsor.”
