APT37: Inside the Toolset of an Elite North Korean Hacker Group

Credit to Author: Andy Greenberg | Date: Tue, 20 Feb 2018 12:30:00 +0000

North Korea's most prolific hacking group, broadly known within the security community under the name Lazarus, has over the last half-decade proven itself one of the world's most internationally aggressive teams of intruders. It has pulled off audacious attacks around the globe, from leaking and destroying Sony Pictures' data to siphoning off tens of millions of dollars from banks in Poland and Bangladesh. Now, security researchers have detailed the capabilities of a far more obscure North Korean group, with its own distinct and diverse hacking arsenal.

Tuesday, security firm FireEye released a new report describing a group of sophisticated state-sponsored hackers it calls APT37—also known by the names ScarCruft and Group123—that it has followed for the last three years, tracing the operation to North Korea. The company notes that the hackers have, for the most part, remained focused on South Korean targets, which has allowed the team to keep a far lower profile than Lazarus. But FireEye says APT37 isn't necessarily any less skillful or well-resourced. It has used a broad range of penetration techniques, and has planted custom-coded malware on victims' computers capable of everything from eavesdropping via an infected PC's microphone to Sony-style data-wiping attacks.

"We believe this is the next team to watch," says John Hultquist, FireEye's director of intelligence analysis. "This operator has continued to operate in a cloud of obscurity, mostly because they’ve stayed regional. But they’re showing all the signs of a maturing asset that’s commanded by the North Korean regime and can be turned to any purpose it wants."

Hultquist adds that FireEye is flagging APT37 now in part because it has observed the group branching out from attacking South Korean companies, human rights groups, individuals involved in the Olympics and North Korean defectors. It also recently struck a Japanese organization associated with the United Nations' enforcement of sanctions, the director of a Vietnamese transport and trading firm, and a Middle Eastern business that found itself in a dispute with the North Korean government over a deal gone wrong, FireEye says, while declining to share more information on APT37's victims.

"They're making moves outside of South Korea, which is very disconcerting, given their level of aggression," Hultquist says.

In its analysis of APT37, FireEye provides a rare breakdown of the hacker group's entire known toolset, from initial infection to final payload. Earlier this month, security firms tracked the group using a zero-day vulnerability in Adobe Flash to spread malware via websites, an unusual use of a still-secret and unpatched software flaw. But in the past, the group has also exploited non-zero-day Flash vulnerabilities that victims have been slow to patch, lingering flaws in the popular Korean Hangul word processor to infect computers via malicious attachments, and even BitTorrent, indiscriminately uploading malware-infected software to piracy sites to trick unwitting users into downloading and installing it.

Once it finds an initial foothold on a victim's machine, APT37 has a diverse grab bag of spy tools at its disposal. It has installed malware that FireEye calls DogCall, ShutterSpeed, and PoorAim, all of which have the capability of stealing screenshots of a victim's computer, logging keystrokes, or digging through their files. Another malware sample, ZumKong, is designed to steal credentials out of browser memory. A tool called CoralDeck compresses files and exfiltrates them to the attacker's remote server. And a piece of spyware FireEye calls SoundWave takes over a victim's PC microphone to silently record and store eavesdropped audio logs.

Perhaps most disturbing, Hultquist notes, is that APT37 has in some cases also dropped a tool that FireEye calls RUHappy, which has the potential to destroy systems. That wiper malware deletes a portion of the computer's master boot record and restarts the computer so that it's left fully paralyzed, displaying only the words "Are You Happy?" on the screen. FireEye notes that it's never actually seen that malware triggered on a victim's network—only installed and left as a threat. But Cisco's Talos researchers noted in their own detailed report on APT37 last month that a 2014 attack on a Korean power plant had indeed left that three-word message on wiped machines, though they weren't able to otherwise tie that attack to APT37.

If anything about APT37 is less than professional, it may be the group's own operational security. FireEye's researchers were able to definitively trace the group to North Korea in part due to an embarrassing slip-up. In 2016, FireEye found that one of the group's developers seemed to have infected himself or herself with one of the group's own spyware tools, potentially during testing. That spyware then uploaded a collection of files from the malware developer's own computer to a command-and-control server, along with a record of the developer's IP address in Pyongyang. Even worse, that server was also left unprotected, allowing FireEye to discover it by reverse-engineering APT37's malware and then access all the files stored there, including those of the group's own sloppy coder.

"That was a very fortunate event, and a fairly rare one," Hultquist says. The discovery, along with an analysis of the compile times of the group's programs, shared infrastructure and code between different tools, and its perpetual targeting of North Korean adversaries allowed FireEye to confidently link all of APT37's activities to the North Korean government.

Cisco Talos found other careless elements in APT37's work, says Craig Williams, who leads Talos' research team. It left debug strings in some programs that helped Talos' researchers more easily reverse engineer those tools. And even when it deployed a Flash zero-day to gain a foothold earlier this month, it then reused a piece of malware rather than plant a fresh one, making it far easier for victims to detect. "They make a lot of mistakes," Williams says. "That said, they’re successful. They’re about as advanced as they need to be."

FireEye's Hultquist argues that the group's increasingly sophisticated operations and elaborate set of tools show that despite its errors, APT37 should be considered as a potential threat just as much as the higher-profile Lazarus team. "If I drew anything from this elaborate list of tools, it’s that they’re a very comprehensive operation," Hultquist says. And while the group has until now remained off the West's radar, he warns that shouldn't lull anyone into dismissing the danger it represents. "It’s just a less well-known operation because it's regionally focused. We ignore regionally focused actors at our own peril."
