APT37 (G0067) is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018.
North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.
Name: Reaper (FireEye) TEMP.Reaper (FireEye) APT 37 (Mandiant) Ricochet Chollima (CrowdStrike) ScarCruft (Kaspersky) Thallium (Microsoft) Group 123 (Talos) Red Eyes (AhnLab) Geumseong121 (ESRC) Venus 121 (ESRC) Hermit (Tencent) ATK 4 (Thales) ITG10 (IBM)
Location: North Korea
Suspected attribution: State-sponsored
Date of initial activity: 2012
Targets: Primarily South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.
Motivation: Espionage, Surveillance
Associated tools: CARROTBALL, CARROTBAT, CORALDECK, DOGCALL, Erebus, Final1stSpy, Freenki Loader, GELCAPSULE, GreezeBackdoor, HAPPYWORK, KARAE, KevDroid, Konni, MILKDROP, N1stAgent, NavRAT, Nokki, Oceansalt, PoohMilk Loader, POORAIM, RokRAT, RICECURRY, RUHAPPY, ScarCruft, SHUTTERSPEED, SLOWDRIFT, SOUNDWAVE, Syscon, WINERACK, ZUMKONG and several 0-day Flash and MS Office exploits.
Attack vectors: Initial Infection Tactics: Social engineering tactics tailored specifically to desired targets, strategic web compromises typical of targeted cyberespionage operations, and the use of torrent file-sharing sites to distribute malware more indiscriminately. Spear phishing emails combined with malicious HWP documents created using Hancom Hangul Office Suite
How they work: Exploited Vulnerabilities: Frequent exploitation of vulnerabilities in Hangul Word Processor (HWP), as well as Adobe Flash. The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802), and the ability to incorporate them into operations. Command and Control Infrastructure: Compromised servers, messaging platforms, and cloud service providers to avoid detection. The group has shown increasing sophistication by improving their operational security over time. Malware: A diverse suite of malware for initial intrusion and exfiltration. Along with custom malware used for espionage purposes, APT37 also has access to destructive malware.
