APT37

APT37 (Advanced Persistent Threat) is a hacking group that is likely to operate from North Korea. Experts speculate that APT37 may be financed by the North Korean government directly. This hacking group is also known as ScarCruft. Until 2017 APT37 concentrated almost all their efforts on targets located in South Korea. However, in 2017, the hacking group began expanding their reach and started launching campaigns in other East Asian states such as Japan and Vietnam. The APT37 has also had targets located in the Middle East. The hacking group is also known to collaborate with other ill-minded actors.

APT37 is meant to further North Korean interests, and thus their targets tend to be high-profile. The hacking group tends to target industries linked to automobile manufacturing, chemical production, aerospace, etc.

Propagation Methods

Cybersecurity experts have been observing APT37’s campaigns and have outlined several propagation methods, which are often implemented:

  • Spreading malware via torrent websites.
  • Launching spear-phishing email campaigns.
  • Using various social engineering techniques to trick users into downloading and executing corrupted files.
  • Infiltrating services and websites to hijack them and use them to spread malware.

APT37’s Arsenal of Tools

APT37 is a hacking group with a wide variety of tools at their disposal. Among the more popular hacking tools used by APT37 are:

  • NavRAT, a RAT or Remote Access Trojan, which packs a long list of features.
  • CORALDECK, a threat used for collecting files from the compromised host.
  • Karae, a backdoor Trojan that gathers data about the host system and enables the attackers to determine how to proceed with the attack.
  • DOGCALL, a backdoor Trojan, which resembles a RAT due to its capabilities.
  • ROKRAT, a RAT that can record audio, hijack login credentials, execute remote commands, etc.
  • ScarCruft Bluetooth Harvester, an Android-based threat that is used to collect information from the compromised device.
  • GELCAPSULE, a Trojan that is used for planting additional malware on the infected system.
  • MILKDRO, a backdoor, which tampers with the Windows Registry to gain persistence and operates very silently.
  • SHUTTERSPEED, a backdoor Trojan, which can take screenshots, siphon information regarding the software and hardware of the host, and deploy additional malware on the system.
  • RICECURRY, a piece of code written in JavaScript, which is injected into hijacked websites and is used for checking the fingerprint of the users visiting the page to determine if the attackers should execute the malware or not.
  • SLOWDRIFT, a Trojan downloader.
  • RUHAPPY, a disk wiper that exploits the MBR (Master Boot Record) of the user’s hard drive.
  • ZUMKONG, an infostealer that is compatible with the Google Chrome and Internet Explorer Web browsers.
  • SOUNDWAVE, a tool, which is capable of recording audio (via the microphone present on the system) and then sending the recording to the C&C (Command & Control) server of the attackers.

The APT37 hacking group is not one to be underestimated certainly, despite them not being the top cyber crook organization in North Korea. They continue to expand their hacking tool arsenal and launch campaigns against high-profile targets around the world so that we will likely continue hearing about their dealings.

APT37 Video

Tip: Turn your sound ON and watch the video in Full Screen mode.

Trending

Most Viewed

Loading...