
Reaper, APT 37, Ricochet Chollima, ScarCruft

MITRE

Alias

Operation "Golden Bird", Operation "High Expert", ScarCruft, Group 123, Operation "Evil New Year 2018", InkySquid, Operation "Rocket Man", Operation "FreeMilk", TEMP.Reaper, Operation Erebus, Operation "Star Cruiser", Operation "STIFF#BIZON", ATK4, Operation "Black Banner", Operation "North Korean Human Right", Group123, Operation "Korean Sword", Operation "Are You Happy?", Operation "Daybreak", Moldy Pisces, G0067, Operation "Evil New Year", Reaper Group, Hermit, APT37, Operation "Holiday Wiper", Reaper, Operation "Spy Cloud", Venus 121, Operation Daybreak, Operation "Fractured Block", Ricochet Chollima, Operation "Onezero", Red Eyes, Operation "Dragon Messenger", ITG10, Operation "Battle Cruiser", Operation "Fractured Statue", ATK 4, Operation "Golden Time", Operation "Erebus", Geumseong121, Thallium, Cerium, APT 37, Ruby Sleet

Country

North Korea

Sponsor

Korea (Democratic People's Republic of). State-sponsored

Motivation

Information theft and espionage

First Seen

2012

Description

Some research organizations link this group to Lazarus Group, Hidden Cobra, Labyrinth Chollima.

(FireEye) Read our report, APT37 (Reaper): The Overlooked North Korean Actor, to learn more about our assessment that this threat actor is working on behalf of the North Korean government, as well as various other details about their operations:
• Targeting: Primarily South Korea, though also Japan, Vietnam and the Middle East, in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.
• Initial Infection Tactics: Social engineering tactics tailored specifically to desired targets, strategic web compromises typical of targeted cyberespionage operations, and the use of torrent file-sharing sites to distribute malware more indiscriminately.
• Exploited Vulnerabilities: Frequent exploitation of vulnerabilities in Hangul Word Processor (HWP), as well as Adobe Flash. The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802), and the ability to incorporate them into operations.
• Command and Control Infrastructure: Compromised servers, messaging platforms, and cloud service providers to avoid detection. The group has shown increasing sophistication by improving their operational security over time.
• Malware: A diverse suite of malware for initial intrusion and exfiltration. Along with custom malware used for espionage purposes, APT37 also has access to destructive malware.

Targeted Industries

Government, Aerospace, Chemical, Financial, High-tech, Private Sector, Manufacturing, Healthcare, Technology, Automotive, Transportation

Targeted Countries

USA, Russia, Kuwait, Nepal, UK, Hong Kong, Republic of Korea, Japan, Czech Republic, Vietnam, Poland, India, South Korea, Romania, China

Tools

Zumkong
Scarcruft
Winerack
Soundwave
Goldbackdoor
Cobalt
N1stagent
Navrat
Shutterspeed
Freenki Loader
Slowdrift
Freenki
Bluelight
Ruhappy
Several 0-day Flash and MS Office exploits
Konni
Dolphin
Greezebackdoor
Karae
Gelcapsule
Poohmilk Loader
Pooraim
Cobalt Strike
Final1stspy
Coraldeck
Poohmilk
Syscon
Dogcall
Carrotbat
Happywork
Milkdrop
Oceansalt
Carrotball
Rokrat
Kevdroid
Erebus
Ricecurry
Nokki

TTP

T1204.002
T1059.006
T1555.003
T1055
T1529
T1548
T1053
T1036
T1120
T1203
T1561
T1123
T1057
T1082
T1204
T1555
T1566
T1033
T1027
T1071
T1559.002
T1102.002
T1548.002
T1105
T1059.003
T1566.001
T1189
T1102
T1071.001
T1059.005
T1059
T1036.001
T1547
T1547.001
T1559
T1005
T1027.003
T1053.005
T1561.002
T1106

Operations Performed

[2012] Spying on South Korean users.

[2016] Operation "Erebus" (https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/erebus-linux-ransomware-impact-to-servers-and-countermeasures)

[2016-03] Operation "Daybreak" (target: high-profile victims; method: previously unknown (0-day) Adobe Flash Player exploit. It is also possible that the group deployed another zero-day exploit, CVE-2016-0147, which was patched in April.) (https://securelist.com/operation-daybreak/75100/) (note: not the same operation as DarkHotel's Operation "Daybreak".)

[2016-08] Operation "Golden Time" (target: South Korean users; method: spear-phishing emails combined with malicious HWP documents created using the Hancom Hangul Office suite.)

[2016-11] Operation "Evil New Year" (target: South Korean users; method: spear-phishing emails combined with malicious HWP documents created using the Hancom Hangul Office suite.)

[2017-03] Operation "Are You Happy?" (target: South Korean users; method: not only to gain access to the remote infected systems but also to wipe the first sectors of the device.)

[2017-05] Operation "FreeMilk" (target: several non-Korean financial institutions; method: a malicious Microsoft Office document, a deviation from their normal use of Hancom documents.) (https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/)

[2017-11] Operation "North Korean Human Right" (target: South Korean users; method: spear-phishing emails combined with malicious HWP documents created using the Hancom Hangul Office suite.)

[2017-12] Operation "Fractured Block" (https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/)

[2018-01] Operation "Evil New Year 2018" (target: South Korean users; method: spear-phishing emails combined with malicious HWP documents created using the Hancom Hangul Office suite.)

[2018-03] Operation "Battle Cruiser" (https://blog.alyac.co.kr/1625)

[2018-04] Operation "Star Cruiser" (http://blog.alyac.co.kr/1653)

[2018-05] Operation "Onezero" (https://brica.de/alerts/alert/public/1215993/analysis-of-apt-attack-on-operation-onezero-conducted-as-a-document-on-panmunjom-declaration/)

[2018-08] Operation "Rocket Man" (https://brica.de/alerts/alert/public/1226363/the-latest-apt-campaign-of-venus-121-group-operation-rocket-man/)

[2018-11] Operation "Korean Sword" (https://brica.de/alerts/alert/public/1252896/venus-121-apt-organization-operation-high-expert/)

[2019-01] Operation "Holiday Wiper" (https://brica.de/alerts/alert/public/1252896/venus-121-apt-organization-operation-high-expert/)

[2019-03] Operation "Golden Bird" (https://brica.de/alerts/alert/public/1252896/venus-121-apt-organization-operation-high-expert/)

[2019-03] Operation "High Expert" (https://brica.de/alerts/alert/public/1252896/venus-121-apt-organization-operation-high-expert/)

[2019-04] Operation "Black Banner" (https://brica.de/alerts/alert/public/1257351/venus-121-rocketman-campaign-operation-black-banner-apt-attack/)

[2019-05] We recently discovered some interesting telemetry on this actor, and decided to dig deeper into ScarCruft's recent activity. This shows that the actor is still very active and constantly trying to elaborate its attack tools. Based on our telemetry, we can reassemble ScarCruft's binary infection procedure. It used a multi-stage binary infection to update each module effectively and evade detection. (https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/)

[2019-07] Operation "Fractured Statue" (https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/)

[2019-09] Operation "Dragon Messenger" (https://blog.alyac.co.kr/attachment/cfile1.uf@99a46a405dc8e3031c9e2a.pdf)

[2020-01] North Korean APT used VBA self-decode technique to inject RokRat (https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/)

[2020-03] Operation "Spy Cloud" (https://blog.alyac.co.kr/attachment/cfile8.uf@9977cf405e81a09b1c4ce2.pdf)

[2020-12] North Korean software supply chain attack targets stock investors (https://www.bleepingcomputer.com/news/security/north-korean-software-supply-chain-attack-targets-stock-investors/, https://blog.alyac.co.kr/3489)

[2021-03] ScarCruft surveilling North Korean defectors and human rights activists (https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/)

[2021-04] North Korean APT InkySquid infects victims using browser exploits (https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/, https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/)

[2021-04] Who's swimming in South Korean waters? Meet ScarCruft's Dolphin (https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/)

[2021-07] New variant of Konni malware used in campaign targeting Russia (https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/)

[2021-12] North Korean hackers target Russian diplomats using New Year greetings (https://therecord.media/north-korean-hackers-attack-russian-diplomats-using-new-year-greetings/, https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/)

[2022-01] Konni evolves into stealthier RAT (https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/)

[2022-03] The ink-stained trail of GOLDBACKDOOR (https://stairwell.com/news/threat-research-the-ink-stained-trail-of-goldbackdoor/)

[2022-07] Operation "STIFF#BIZON" (the Securonix Threat Research (STR) team has been observing and investigating a new attack campaign exploiting high-value targets, including Czech Republic, Poland, and other countries.) (https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/)

[2022-09] Meeting the "Ministrer" (https://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware)

[2022-10] Internet Explorer 0-day exploited by North Korean actor APT37 (https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/)

[2023-01] RedEyes hackers use new malware to steal data from Windows, phones (https://www.bleepingcomputer.com/news/security/redeyes-hackers-use-new-malware-to-steal-data-from-windows-phones/)

[2023-02] HWP malware using the steganography technique: RedEyes (ScarCruft) (https://asec.ahnlab.com/en/48063/)

[2023-03] CHM malware disguised as security email from a Korean financial company: RedEyes (ScarCruft) (https://asec.ahnlab.com/en/49089/)

[2023-04] RokRAT malware distributed through LNK files (*.lnk): RedEyes (ScarCruft) (https://asec.ahnlab.com/en/51751/)

Counter Operations

[2019-12] On December 27, a U.S. District Court unsealed documents detailing work Microsoft has performed to disrupt cyberattacks from a threat group we call Thallium, which is believed to operate from North Korea. Our court case against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court order enabling Microsoft to take control of 50 domains that the group uses to conduct its operations. (https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/)

[2023-03] The Unintentional Leak: A Glimpse into the Attack Vectors of APT37 (https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37)
