APT37 – The Reaper From North Korea

When talking about threat groups and APTs from North Korea, we all know and “love” the Lazarus Group.

But underneath the surface, over the years, another APT from North Korea was lurking and compromising victims from all over the world.

Background

APT37, aka Reaper, along with tons of other names, is an APT based in North Korea that is believed to have been active since at least 2012.

The group is highly skilled and often exploits zero-days and uses its own specialized, custom-made, and ever-evolving malware in its campaigns.

Techniques

As mentioned, in almost every documented campaign, the group was responsible for exploiting several vulnerabilities.

In addition, in a good number of cases, they have leveraged other techniques such as spear-phishing and drive-by attacks (watering hole attacks).

The group also often looks to establish persistence in its victims’ networks, as most espionage groups do.

Although the group excels at espionage, in a few cases it was witnessed applying more devastating techniques and malware, such as wipers.

Victimology

Over the years, Reaper was documented focusing on several main countries. The most targeted was, act surprised, South Korea, followed by the U.S. However, somewhat surprisingly, the group has also targeted Russia and even China in the past.

Among the group’s victims, you can also find the UAE, India and Vietnam.

When it comes to sectors, the group targets various types, such as the financial sector, education, healthcare, manufacturing, government, you name it.

Campaigns

Although the group is responsible for many campaigns, I will obviously pick the ones with the coolest names to write about.

Evil New Year

APT37 has been identified as conducting cyber espionage on behalf of North Korea, leveraging a series of zero-day vulnerabilities to target various sectors and governments.

Although this group focuses primarily on South Korea, in this campaign it expanded its scope to include Japan, Vietnam, and the Middle East.

The group’s targets encompass government entities and industrial sectors such as chemicals, military, electronics, aerospace, healthcare, and manufacturing.

The main objective of this campaign was to gather intelligence valuable to North Korea’s government. In this campaign, the group used phishing and exploited Adobe zero-day vulnerabilities such as CVE-2018-4878 and CVE-2016-4117.

Operation FreeMilk

In May 2017, Palo Alto Networks Unit 42 identified a spear phishing campaign targeting various individuals across the world.

Reaper used a very popular Microsoft Word vulnerability, CVE-2017-0199, in a massive spear phishing email campaign.

This campaign was mostly targeting entities in the Middle East, Europe and North East Asia including banks, services companies and high-profile individuals.

In this campaign the group used several custom-made malware families. Among them, we can find PoohMilk Loader and Freenki Loader.

Operation Battle Cruise?

Operation Battle Cruise was mostly attributed to the Lazarus Group. However, investigations of this campaign showed that tools and techniques common to Reaper also took part in it, which leads to the possibility of cooperation between the two.

The operation took place in March 2018. It mostly consisted of massive amounts of spear phishing emails that were sent to individuals and companies worldwide, exploiting several vulnerabilities in Word and Adobe such as CVE-2018-4878.

Not much is known about the victimology of this campaign. However, based on past operations, we can assume that the victims were mostly based in Western, or Western-supporting, countries.
