
GreezeBackdoor

By GoldSparrow in Backdoors

APT37, a group that is believed to be supported by the government of North Korea, is using one more weapon against computer users located in that country. This time it is a backdoor that attacks Android devices specifically, dubbed GreezeBackdoor. GreezeBackdoor's purpose is to collect data from devices connected to the infected machine through Bluetooth, using the Windows Bluetooth API. The favored method used by APT37 to introduce its threats into targeted devices is exploiting unpatched vulnerabilities. To deliver GreezeBackdoor, the group used the exploit CVE-2018-8120 or a tool named UACME to get past the system's protections. After that, it runs an installer that generates a downloader, which retrieves the final payload, concealed in an image file. From this point, the attackers can collect data, run commands and even deploy other tools. GreezeBackdoor is also linked to DarkHotel, a campaign that delivers malware and spear-phishing spyware to targeted business hotel customers via the WiFi network provided to those customers. The main function of GreezeBackdoor is to harvest devices and use a multi-stage binary malware infection to upgrade its modules and avoid detection.
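
The entry says the final payload is concealed in an image file but not how it is concealed. As an added example (not from the original page or its author), the script below checks one common concealment method, data appended after the image's end-of-image marker, by parsing PNG chunks up to IEND and JPEG segments up to EOI and reporting whatever trails them. The sample PNG, the JPEG segment structure and the "MZ" payload are constructed here for the demonstration, and the helper names are my own; this is a generic triage check for suspicious image files, not a GreezeBackdoor signature.

```python
"""Report data appended after an image's end marker (PNG IEND / JPEG EOI).

Added example, not code from the original page. The concealment method it
checks (bytes appended after the end-of-image marker) is an assumption about
how a payload might be hidden in an image; the page does not state the method.
"""
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8"


def png_trailing_data(data: bytes) -> bytes:
    """Walk the PNG chunk list and return every byte after the IEND chunk."""
    if not data.startswith(PNG_MAGIC):
        raise ValueError("not a PNG")
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + chunk data + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def jpeg_trailing_data(data: bytes) -> bytes:
    """Walk JPEG segments (skipping entropy-coded scan data) to the EOI marker
    and return every byte after it. Handles FF00 byte stuffing and RSTn markers
    inside scan data, so they are not mistaken for the end of the image."""
    if not data.startswith(JPEG_MAGIC):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:             # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:             # EOI: everything after it is trailing
            return data[pos + 2:]
        if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                   # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated JPEG segment header")
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:             # SOS: skip to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def trailing_data(data: bytes) -> bytes:
    """Dispatch on the file's magic bytes."""
    if data.startswith(PNG_MAGIC):
        return png_trailing_data(data)
    if data.startswith(JPEG_MAGIC):
        return jpeg_trailing_data(data)
    raise ValueError("unsupported image format")


def report(name: str, data: bytes) -> dict:
    """Triage summary: how much trails the image and whether it looks like a PE."""
    trailing = trailing_data(data)
    return {"file": name, "trailing_bytes": len(trailing),
            "pe_header": trailing.startswith(b"MZ")}


# --- constructed samples (not real captured files) -------------------------
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """A valid 1x1 RGB PNG built in memory."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")       # filter byte + one red pixel
    return PNG_MAGIC + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_sample_jpeg() -> bytes:
    """Structurally valid JPEG skeleton (not decodable): SOI, APP0, SOS, scan, EOI.
    The scan bytes include a stuffed FF00 and an RST0 marker on purpose."""
    app0 = b"\xff\xe0" + struct.pack(">H", 2 + 5) + b"JFIF\x00"
    sos = b"\xff\xda" + struct.pack(">H", 2 + 1) + b"\x01"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    return JPEG_MAGIC + app0 + sos + scan + b"\xff\xd9"


CONSTRUCTED_PAYLOAD = b"MZ" + b"\x90" * 14 + b"constructed-stage-payload"

if __name__ == "__main__":
    samples = [("clean.png", build_sample_png()),
               ("stego.png", build_sample_png() + CONSTRUCTED_PAYLOAD),
               ("clean.jpg", build_sample_jpeg()),
               ("stego.jpg", build_sample_jpeg() + CONSTRUCTED_PAYLOAD)]
    for name, blob in samples:
        print(report(name, blob))
```

Trailing bytes are not proof of malice on their own (some tools append metadata), so the check is a triage filter: files with a non-trivial tail, especially one that starts with an executable header, deserve a closer look. Payloads hidden inside the pixel data rather than after the end marker would not be caught by this check.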

APT37's main focus is North Korea. However, it attacks entities from various countries as long as they have a business connection to North Korea. Therefore, no one is safe from APT37's vicious attacks. To prevent attacks like GreezeBackdoor, private computer users and network admins need to take good care of their machines by applying strong security measures, one of the most effective being up-to-date security software.
