lazarusholic

Suspected APT37 New Attack Weapon Fakecheck Analysis Report

2023-08-25, Knownsec
https://paper.seebug.org/3012/
#APT37 #Fakecheck #CHM

Contents

Author: K&XWS@Knownsec 404 Advanced Threat Intelligence team
Chinese version: https://paper.seebug.org/3011/
1. Summary
APT37 is a suspected state-sponsored attack group in the Korean peninsula region, also known as ScarCruft, Reaper, RedEye, and Ricochet Chollima. The group has been active since 2012 and primarily targets public organizations and private enterprises in South Korea. In 2017, APT37 expanded its targeting to industries such as chemicals, electronics, manufacturing, aerospace, automotive, and healthcare in Japan, Vietnam, the Middle East, and other regions.
Recently, the Knownsec 404 Advanced Threat Intelligence team discovered multiple CHM samples carrying malicious scripts during routine analysis. After analyzing and tracing the entire attack chain, we named the newly discovered Trojan Fakecheck. During the analysis we found that some security researchers attribute it to APT37. However, based on our team's tracking of APT37's attack activity, the captured samples and TTPs (Tactics, Techniques, and Procedures) are unrelated to the known intelligence on …

IoC

012063e0b7b4f7f3ce50574797112f95492772a9b75fc3d0934a91cc60faa240
01e7405ddd5545ffb4a57040acc4b6f8b8a5cc328fa8172e1800a1cb49bdf15c
2b2583019d83e657c219dd6510060f98ead8679e913d63c7f2ed5c52c0c2bb35
37feb1d71c6458f71b27dc1ba7cb4366ee30f9ae75b0322775fa70b8753eac27
578689cb4b06c4d3f1850e4379c4b31f49170749c66b9576e1088f59fc891da2
a1f6ae788bf3f9ae17893f3b12d557f69b17fdb4f030ed5e5f66dbb6d2cc9d78
f5e46e18facc6f8fde6658b96dcd379b82cc6ae2e676fb47f08cbeccd307b1b4
https://bajut.pro/jdkvr
https://crilts.cfd/cdeeb
https://giath.xyz/maiqt
https://oebil.lat/zyofl
https://tosals.ink/uEH5J.html
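An IoC sweep built from the indicators listed above, as an added example (this is not Knownsec's code and not part of the original report). It assumes the 64-hex-character digests are SHA-256 (the report excerpt does not name the algorithm) and matches the URL indicators by host name as well as by full URL, since the same infrastructure is often seen with a different path. The file contents and proxy/DNS log lines in the block are constructed for the demonstration and are not real samples or telemetry.

```python
"""Sweep files and log lines against the Fakecheck IoCs listed on this page.

Added example, not Knownsec's tooling. Assumptions: the digests are SHA-256
(the page only gives 64-hex-character hashes); the sample data below is
constructed for demonstration.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Hashes copied from the IoC section above (assumed SHA-256).
IOC_SHA256 = {
    "012063e0b7b4f7f3ce50574797112f95492772a9b75fc3d0934a91cc60faa240",
    "01e7405ddd5545ffb4a57040acc4b6f8b8a5cc328fa8172e1800a1cb49bdf15c",
    "2b2583019d83e657c219dd6510060f98ead8679e913d63c7f2ed5c52c0c2bb35",
    "37feb1d71c6458f71b27dc1ba7cb4366ee30f9ae75b0322775fa70b8753eac27",
    "578689cb4b06c4d3f1850e4379c4b31f49170749c66b9576e1088f59fc891da2",
    "a1f6ae788bf3f9ae17893f3b12d557f69b17fdb4f030ed5e5f66dbb6d2cc9d78",
    "f5e46e18facc6f8fde6658b96dcd379b82cc6ae2e676fb47f08cbeccd307b1b4",
}

# URLs copied from the IoC section above.
IOC_URLS = [
    "https://bajut.pro/jdkvr",
    "https://crilts.cfd/cdeeb",
    "https://giath.xyz/maiqt",
    "https://oebil.lat/zyofl",
    "https://tosals.ink/uEH5J.html",
]

# Host names derived from the URLs, so a different path on the same host still hits.
IOC_HOSTS = sorted({urlsplit(u).hostname.lower() for u in IOC_URLS})

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory blob as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large samples do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hash(data: bytes) -> bool:
    """True if the blob's SHA-256 is one of the listed sample hashes."""
    return sha256_hex(data) in IOC_SHA256


def scan_log_line(line: str) -> list:
    """Return the IoC hosts referenced by one proxy/DNS log line ([] if clean).

    Full URLs are parsed so the host is compared exactly (no substring matches
    on look-alike domains); bare host names (e.g. DNS logs) are matched with
    word boundaries for the same reason.
    """
    hits = []
    for url in URL_RE.findall(line):
        host = urlsplit(url).hostname
        if host and host.lower().rstrip(".") in IOC_HOSTS:
            hits.append(host.lower().rstrip("."))
    for host in IOC_HOSTS:
        if host in hits:
            continue
        if re.search(r"(?<![\w.-])" + re.escape(host) + r"(?![\w-])", line, re.I):
            hits.append(host)
    return hits


def sweep_logs(lines) -> list:
    """Return (line, hosts) pairs for every log line that references an IoC host."""
    result = []
    for line in lines:
        hosts = scan_log_line(line)
        if hosts:
            result.append((line, hosts))
    return result


# Constructed sample telemetry (not real logs) to exercise the matcher.
SAMPLE_LOG = [
    "2023-08-25T10:01:02Z 10.0.0.5 GET https://tosals.ink/uEH5J.html 200",
    "2023-08-25T10:01:07Z 10.0.0.5 GET https://example.com/index.html 200",
    "2023-08-25T10:02:11Z 10.0.0.9 DNS query giath.xyz A",
    "2023-08-25T10:02:15Z 10.0.0.9 GET https://notgiath.xyz/ok 200",
]

if __name__ == "__main__":
    for line, hosts in sweep_logs(SAMPLE_LOG):
        print("IoC hit", hosts, "<-", line)
    print("constructed blob matches a listed hash:", match_hash(b"constructed benign content"))
```

Point `sha256_of_file` at quarantined CHM files and `sweep_logs` at proxy or DNS exports; a host match alone is a lead to triage, not proof of compromise, since the attacker may reuse a host with new paths or the host may have been sinkholed since publication.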