APT37
APT37 is a North Korean state-sponsored espionage threat actor, also tracked as ScarCruft, Reaper, Ricochet Chollima, InkySquid, Group123, Red Eyes, and Erebus. Open-source reporting links the group to North Korean interests and associates it with the Reconnaissance General Bureau. ScarCruft/APT37 has operated since at least 2012 and primarily targets South Korea, while also targeting other Asian entities and individuals of interest to the North Korean regime. Reported targets include government and military organizations, companies linked to North Korean interests, diplomatic and North Korean human rights organizations and individuals, journalists specializing in DPRK reporting, a South Korean online newspaper focused on North Korea, and users of a gaming platform serving the Yanbian region in China, likely to collect intelligence on refugees and defectors.

The group relies on spearphishing and watering-hole tradecraft. It delivers malware via spearphishing emails carrying malicious HWP (Hangul Word Processor) attachments. One campaign against journalists used phishing emails sent from a previously compromised account belonging to a former South Korean National Intelligence Service director; the emails carried ZIP archives containing oversized LNK files disguised as documents, which launched PowerShell scripts, displayed a decoy document, and retrieved shellcode from Microsoft OneDrive. A watering-hole attack against a South Korean newspaper chained an Internet Explorer exploit to shellcode and the BLUELIGHT implant, followed by the Dolphin backdoor on selected victims. Another campaign used malicious HWP EPS content exploiting CVE-2017-8291 and steganography to deploy M2RAT from a JPEG image. Earlier reporting documents attacks using Flash zero-days (CVE-2016-4117, CVE-2016-4171, and CVE-2018-4878).
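The oversized-LNK lure described above can be triaged offline from the shortcut's own metadata. The Python below is an example added for this page, not code from any of the cited reports: it parses the fixed ShellLinkHeader and the StringData section of a .lnk (layout per MS-SHLLINK), then scores the file on four traits of that campaign's lures: the target is a script host rather than a document, the window is hidden, the file is far larger than a real shortcut, and bytes follow the terminal ExtraData block. The two sample shortcuts are constructed in memory; the 1 MiB size threshold, the hidden-window heuristic and the script-host list are assumptions chosen for illustration, not values taken from the reporting.

```python
"""Triage a Windows .lnk for the oversized, PowerShell-launching lure pattern."""
import struct
from dataclasses import dataclass

# ShellLinkHeader constants (MS-SHLLINK). LinkCLSID {00021401-0000-0000-C000-000000000046}
# in its on-disk byte order.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7            # minimized, not activated: keeps the console out of sight
SIZE_THRESHOLD = 1024 * 1024      # assumption: a genuine shortcut is a few KB, a padded lure is MB
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")


@dataclass
class Lnk:
    size: int
    show_command: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""
    trailing_bytes: int = 0       # data after the terminal ExtraData block (padding or payload)


def parse_lnk(data: bytes) -> Lnk:
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    lnk = Lnk(size=len(data), show_command=struct.unpack_from("<I", data, 60)[0])
    off = HEADER_SIZE
    if flags & HAS_IDLIST:        # LinkTargetIDList: uint16 size, then the item list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:     # LinkInfo: uint32 size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:     # StringData: uint16 CountCharacters, then the characters
        nonlocal off
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        return raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")

    for flag, attr in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                       (HAS_ICON, "icon_location")):
        if flags & flag:
            setattr(lnk, attr, read_string())
    # ExtraData: blocks prefixed by a uint32 size; a size below 4 is the terminal block.
    while off + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, off)[0]
        if block_size < 4:
            off += 4
            break
        off += block_size
    lnk.trailing_bytes = max(0, len(data) - off)
    return lnk


def triage(lnk: Lnk) -> list:
    """Reasons this shortcut looks like a lure rather than a link to a document."""
    target = (lnk.relative_path + " " + lnk.arguments).lower()
    reasons = []
    if any(host in target for host in SCRIPT_HOSTS):
        reasons.append("target is a script host, not a document")
    if "hidden" in target or lnk.show_command == SW_SHOWMINNOACTIVE:
        reasons.append("window hidden or minimized")
    if lnk.size > SIZE_THRESHOLD:
        reasons.append(f"oversized: {lnk.size} bytes")
    if lnk.trailing_bytes:
        reasons.append(f"{lnk.trailing_bytes} bytes after the terminal block")
    return reasons


def build_sample_lnk(relative_path: str, arguments: str, show_command: int, padding: int) -> bytes:
    """Constructed test input: a minimal Shell Link with StringData only (no IDList/LinkInfo)."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s(relative_path) + s(arguments) + struct.pack("<I", 0) + b"\x00" * padding


# Constructed samples, not files from any incident.
LURE = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-windowstyle hidden -ep bypass -c "<stage-two loader omitted>"',
    SW_SHOWMINNOACTIVE, padding=2 * 1024 * 1024)
BENIGN = build_sample_lnk(r"..\Documents\report.docx", "", 1, padding=0)

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage(parse_lnk(blob)))
```

The parser deliberately stops at the StringData and ExtraData boundaries rather than decoding the IDList or LinkInfo, because the relative path and arguments are what a lure needs to launch a script host, and the byte count after the terminal block is what reveals padding; both survive even when the rest of the structure is malformed.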
Reporting attributes multiple malware families and tools to APT37/ScarCruft, including Goldbackdoor, BLUELIGHT, Dolphin, M2RAT, Freenki, ROKRAT, BirdCall, and the browser credential stealer ZUMKONG. Goldbackdoor is described as a successor to BLUELIGHT; it supports remote command execution, keylogging, file operations, self-uninstallation, and exfiltration through Google Drive and Microsoft OneDrive, and uses embedded API keys to authenticate to Azure for command retrieval. Dolphin is a Windows C++ backdoor deployed as a selective second-stage payload that uses Google Drive for command-and-control and exfiltration. It collects host profiling data, searches fixed drives, removable drives, and portable devices such as smartphones, steals browser passwords and cookies from Chrome, Edge, and Internet Explorer, logs keystrokes, captures screenshots, executes shell commands, and receives shellcode for execution. Earlier Dolphin versions could also modify the signed-in victim's Google and Gmail account settings to enable IMAP and less secure app access. M2RAT is an evasive RAT that supports keylogging, screenshots, command execution, theft of files from Windows systems and connected portable devices, staging in password-protected RAR archives, and shared-memory-based command-and-control and exfiltration that leaves fewer forensic traces on disk. Freenki enumerates running processes via the Windows API. The group has also used a Bluetooth device harvester built on Windows Bluetooth APIs.
Observed techniques across reporting:
- Command-and-control over social networking and cloud platforms: AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, Box, Google Drive, Microsoft OneDrive, and Azure-backed services.
- Persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry keys and scheduled tasks.
- Command-line execution, and Ruby scripts used to run payloads.
- Process injection, including ROKRAT injected into cmd.exe and M2RAT into explorer.exe.
- String and payload obfuscation.
- Host profiling: computer name, BIOS model, execution path, usernames, local and external IP addresses, OS version, RAM details, installed security products, and checks for debuggers or inspection tools.
- Collection of data from the local system, browser credential theft, keylogging, and screenshot capture.
- Exfiltration of staged data, including encrypted ZIP archives.

The cloud-service C2 pattern is the practical problem for defenders: traffic to Google Drive, OneDrive, Dropbox and similar services blends with legitimate use, so detection has to lean on host telemetry (explorer.exe spawning PowerShell, Run-key writes, cloud API use from processes that are not browsers or the vendor's own sync client) rather than on destination reputation.

Recent activity includes ESET reporting that ScarCruft compromised a gaming platform in a supply-chain attack affecting the Yanbian region in China, with associated Android BirdCall samples, a trojanized Mono library, a downloader leading to RokRAT, and Windows BirdCall-related malware. APT37 was also discovered targeting journalists specializing in the DPRK with the Goldbackdoor malware strain.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Consumer Services
Where they target
Geographies tied to known operations.
- 🇨🇳 China
Where they're from
Attributed origin per open-source reporting.
- KP (North Korea)
Tradecraft
47 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic, each backed by an evidence excerpt from the source.
Associated malware families
28 malware families attributed to this actor across reporting.
23 additional families tracked in Mallory.
Associated vulnerabilities
13 CVEs this actor has used in observed campaigns. 13 of them exploited in the wild.
- "Scarcruft ... Attack using Flash Zero Day (CVE-2016-4171, CVE-2018-4878)"
- "ScarCruft exploits CVE-2020-1380 to compromise victims."
- "This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods."
- "APT37 has used exploits for Flash Player (CVE-2016-4117, CVE-2018-4878)..."
- "...used exploits for... Word (CVE-2017-0199)..."
8 more CVEs tied to this actor tracked in Mallory.
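The techniques listed in the summary (explorer.exe launching PowerShell or cmd.exe from a shortcut, HKCU Run-key persistence) and the LNK detection description quoted above both reduce to host telemetry rules. The Python below is an added example for this page, not a rule shipped by any vendor or product named here. It runs two such checks over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set): a process check that fires when explorer.exe spawns a script host and inspects the command line for the flags typical of LNK-launched one-liners, and a registry check that fires when a Run value is written pointing into a user-writable directory or at a script host. Field names follow Sysmon's; the argument patterns, the script-host list and the user-writable path list are assumptions chosen for illustration.

```python
"""Two host-telemetry checks over constructed Sysmon-style events."""
import re

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe")
# Assumed patterns: flags that show up in LNK-launched PowerShell one-liners.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-e(xecutionpolicy|p)\s+bypass|\.lnk\b)")
RUN_KEY = re.compile(r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\")
# Assumed list of directories an unprivileged user can write to.
USER_WRITABLE = re.compile(r"(?i)\\(AppData|Temp|Users\\Public|ProgramData)\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev: dict) -> list:
    """Event ID 1: explorer.exe (the shell, i.e. a user double-click) spawning a script host."""
    reasons = []
    if (basename(ev.get("ParentImage", "")) == "explorer.exe"
            and basename(ev.get("Image", "")) in SCRIPT_HOSTS):
        reasons.append(f"explorer.exe spawned {basename(ev['Image'])}")
        m = SUSPICIOUS_ARGS.search(ev.get("CommandLine", ""))
        if m:
            reasons.append(f"suspicious argument {m.group(0)!r}")
    return reasons


def check_registry_set(ev: dict) -> list:
    """Event ID 13: a Run/RunOnce value whose payload lives where a user can write or is a script host."""
    reasons = []
    if RUN_KEY.search(ev.get("TargetObject", "")):
        details = ev.get("Details", "")
        if USER_WRITABLE.search(details):
            reasons.append("Run value points into a user-writable directory")
        if any(host in details.lower() for host in SCRIPT_HOSTS):
            reasons.append("Run value launches a script host")
    return reasons


def detect(events) -> list:
    """Apply the check that matches each event's ID; return one alert per event that fired."""
    checks = {1: check_process_create, 13: check_registry_set}
    alerts = []
    for ev in events:
        reasons = checks.get(ev.get("EventID"), lambda e: [])(ev)
        if reasons:
            alerts.append({"EventID": ev["EventID"], "Image": ev.get("Image", ""), "reasons": reasons})
    return alerts


# Constructed sample telemetry, not records from any real incident. Sysmon writes HKCU
# values under HKU\<SID>\..., which is why the Run key appears in that form here.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -ep bypass -c "<loader omitted>"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Documents\report.docx"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\Updater\update.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The process check keys on the parent being explorer.exe rather than on the LNK itself because Sysmon does not record which shortcut was clicked; the registry check keys on where the Run value points rather than on who wrote it, since the OneDrive sample shows that legitimate software writes the same key. Expect tuning on both: developer workstations launch PowerShell from the shell routinely, and some vendors install updaters under AppData.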
Observables
66 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
- Referenced as a named threat actor discussed in the ESET APT Activity Report Q4 2025–Q1 2026.
- Compromised a gaming platform in China to collect intelligence on persons of interest to the North Korean regime, including refugees and defectors.
- Conducting spear-phishing and cyber-espionage operations against South Korean security, defense, policy, and North Korea-related figures, while also being known for financially motivated hacking.
- Referenced in connection with an AI deepfake impersonation campaign and a follow-on Python backdoor threat analysis.