sb-as logo
Story image

State-sponsored North Korean cyberespionage group continues to weaponize tactics

21 Feb 2018

The North Korean threat group known to some as Reaper (APT37) is eyeing bigger targets with more sophisticated tactics, and according to researchers from FireEye, the group may just be one of the world’s most overlooked threat actors connected to the North Korean government.

FireEye tracked a North Korean cyberespionage group behind an Adobe Flash exploit (CVE-2018-4878) earlier this month, which the team has now identified as Reaper.

“We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests. FireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123,” FireEye researchers state in a research report.

The group uses vulnerabilities in the popular software Hangul Word Processor due to its prevalence in South Korea, and zero-day vulnerabilities in Adobe Flash.

Since November 2017 Reaper has been exploiting the vulnerability to distribute DOGCALL malware to South Korean victims.

“Multiple South Korean websites were abused in strategic web compromises to deliver newer variants of KARAE and POORAIM malware. Identified sites included South Korean conservative media and a news site for North Korean refugees and defectors. In one instance, APT37 weaponized a video downloader application with KARAE malware that was indiscriminately distributed to South Korean victims through torrent websites,” the report says.

The group has been active since at least 2012 and has targeted many countries in Asia and the Middle East. It primarily targets South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.

Reaper has supposedly ramped up its scope and sophistication with tools that can access wiper malware and can also access zero-day vulnerabilities.

Reaper also uses spear phishing tactics, strategic web compromised and torrent file-sharing sites to distribute their malware.

According to FireEye, the group’s command and control infrastructure includes compromised servers, messaging platforms, and cloud service providers to avoid detection. The group has shown increasing sophistication by improving their operational security over time.

“APT37 has used various legitimate platforms as command and control for its malware tools. While some early campaigns leveraged POORAIM, which abused AOL Instant Messenger, newer activity deploys DOGCALL, which uses cloud storage APIs such as pCloud and Dropbox,” the report says.

FireEye researchers believe that Reaper will not disappear anytime soon, particularly as it now demonstrate a willingness to leverage its cyber capabilities for a variety of reasons. They also seem disinterested by international norms.

“We anticipate APT37 will be leveraged more and more in previously unfamiliar roles and regions, especially as pressure mounts on their sponsor.”

Story image
Is cyber deception the latest SOC 'game changer'?
Cyber deception reduces data breach costs by more than 51% and Security Operations Centre (SOC) inefficiencies by 32%, according to a new research report by Attivo Networks and Kevin Fiscus of Deceptive Defense.More
Story image
Metallic adds data management and GDPR compliance
Now GDPR compliant, additions to the portfolio include eDiscovery features and support for Microsoft Hyper-V and Azure Blob and File storage.More
Story image
Jamf extends Microsoft collaboration with iOS Device Compliance
Organisations will soon be able to use Jamf for Apple ecosystem management while using Azure Active Directory and Microsoft Endpoint manager to maintain conditional access.More
Story image
Why it’s essential to re-write IT security for the cloud era
Key components of network security architecture for the cloud era should be built from the ground up, as opposed to being bolted on to legacy solutions built for organisations functioning only on-premises or from only managed devices.More
Story image
McAfee finds vulnerabilities in 'temi' the videoconferencing robot
Temi is commonly used in environments including businesses, healthcare, retail, hospitality, and other environments including the home.More
Story image
Report: 151% increase in DDoS attacks compared to 2019
It comes as the security risk profile for organisations around the world increased in large part thanks to the COVID-19 pandemic, forcing greater reliance on cloud technology and thrusting digital laggards into quick and unsecured migrations.More