APT37
APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
| Name | Description |
|---|---|
| Richochet Chollima | |
| InkySquid | |
| ScarCruft | |
| Reaper | |
| Group123 | |
| TEMP.Reaper | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.[6] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | APT37 uses HTTPS to conceal C2 communications.[3] |
| Enterprise | T1123 | Audio Capture | APT37 has used … |