Story image

State-sponsored North Korean cyberespionage group continues to weaponize tactics

21 Feb 2018

The North Korean threat group known to some as Reaper (APT37) is eyeing bigger targets with more sophisticated tactics, and according to researchers from FireEye, the group may just be one of the world’s most overlooked threat actors connected to the North Korean government.

FireEye tracked a North Korean cyberespionage group behind an Adobe Flash exploit (CVE-2018-4878) earlier this month, which the team has now identified as Reaper.

“We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests. FireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123,” FireEye researchers state in a research report.

The group uses vulnerabilities in the popular software Hangul Word Processor due to its prevalence in South Korea, and zero-day vulnerabilities in Adobe Flash.

Since November 2017 Reaper has been exploiting the vulnerability to distribute DOGCALL malware to South Korean victims.

“Multiple South Korean websites were abused in strategic web compromises to deliver newer variants of KARAE and POORAIM malware. Identified sites included South Korean conservative media and a news site for North Korean refugees and defectors. In one instance, APT37 weaponized a video downloader application with KARAE malware that was indiscriminately distributed to South Korean victims through torrent websites,” the report says.

The group has been active since at least 2012 and has targeted many countries in Asia and the Middle East. It primarily targets South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.

Reaper has supposedly ramped up its scope and sophistication with tools that can access wiper malware and can also access zero-day vulnerabilities.

Reaper also uses spear phishing tactics, strategic web compromised and torrent file-sharing sites to distribute their malware.

According to FireEye, the group’s command and control infrastructure includes compromised servers, messaging platforms, and cloud service providers to avoid detection. The group has shown increasing sophistication by improving their operational security over time.

“APT37 has used various legitimate platforms as command and control for its malware tools. While some early campaigns leveraged POORAIM, which abused AOL Instant Messenger, newer activity deploys DOGCALL, which uses cloud storage APIs such as pCloud and Dropbox,” the report says.

FireEye researchers believe that Reaper will not disappear anytime soon, particularly as it now demonstrate a willingness to leverage its cyber capabilities for a variety of reasons. They also seem disinterested by international norms.

“We anticipate APT37 will be leveraged more and more in previously unfamiliar roles and regions, especially as pressure mounts on their sponsor.”

Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
Used device market held back by lack of data security regulations
Mobile device users are sceptical about trading in their old device because they are concerned that data on those devices may be accessed or compromised after they hand it over.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
Symantec acquires zero trust innovator Luminate Security
Luminate’s Secure Access Cloud is supposedly natively constructed for a cloud-oriented, perimeter-less world.
Palo Alto releases new, feature-rich firewall
Palo Alto is calling it the ‘fastest-ever next-generation firewall’ with integrated cloud-based DNS Security service to stop attacks.
The right to be forgotten online could soon be forgotten
Despite bolstering free speech and access to information, the internet can be a double-edged sword, because that access to information goes both ways.
Opinion: 4 Ransomware trends to watch in 2019
Recorded Future's Allan Liska looks at the past big ransomware attacks thus far to predict what's coming this year.
Red Box gains compliance boost with new partnership
By partnering with Global Relay, voice platform provider Red Box is improving the security of its offerings for high-value and risk voice data.