APT37 | APT Profile

Description

[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://attack.mitre.org/groups/G0067) has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft Jun 2016)(Citation: Talos Group123) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.

Techniques Used (TTPs)

T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1120 — Peripheral Device Discovery (discovery)
T1059.006 — Python (execution)
T1105 — Ingress Tool Transfer (command-and-control)
T1071.001 — Web Protocols (command-and-control)
T1027.003 — Steganography (defense-evasion)
T1102.002 — Bidirectional Communication (command-and-control)
T1082 — System Information Discovery (discovery)
T1204.002 — Malicious File (execution)
T1036.001 — Invalid Code Signature (defense-evasion)
T1548.002 — Bypass User Account Control (privilege-escalation, defense-evasion)
T1033 — System Owner/User Discovery (discovery)
T1555.003 — Credentials from Web Browsers (credential-access)
T1529 — System Shutdown/Reboot (impact)
T1005 — Data from Local System (collection)
T1559.002 — Dynamic Data Exchange (execution)
T1106 — Native API (execution)
T1203 — Exploitation for Client Execution (execution)
T1055 — Process Injection (defense-evasion, privilege-escalation)
T1027 — Obfuscated Files or Information (defense-evasion)
T1189 — Drive-by Compromise (initial-access)
T1057 — Process Discovery (discovery)
T1059 — Command and Scripting Interpreter (execution)
T1059.003 — Windows Command Shell (execution)
T1566.001 — Spearphishing Attachment (initial-access)
T1123 — Audio Capture (collection)
T1059.005 — Visual Basic (execution)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1561.002 — Disk Structure Wipe (impact)

Total TTPs: 29

Malware & Tools

Malware: BLUELIGHT, CORALDECK, Cobalt Strike, DOGCALL, Final1stspy, HAPPYWORK, KARAE, NavRAT, POORAIM, ROKRAT, SHUTTERSPEED, SLOWDRIFT, WINERACK

← Return to Home ← Back to APT Search