# APT37 (REAPER): THE OVERLOOKED NORTH KOREAN ACTOR

SPECIAL REPORT

## CONTENTS

- Introduction
- Targeting and Mission
- Initial Infection Vectors
- Exploited Vulnerabilities
- Command and Control Infrastructure
- Malware
- Attribution
- Outlook and Implications
- Appendix: Malware Used by APT37

### Introduction

On Feb. 2, 2018, we published a blog detailing the use of an Adobe Flash zero-day vulnerability (CVE-2018-4878) by a suspected North Korean cyber espionage group that we now track as APT37 (Reaper). Recent examination of this group's activities by FireEye iSIGHT Intelligence reveals that APT37 has expanded its operations in both scope and sophistication. APT37's toolset, which includes access to zero-day vulnerabilities and wiper malware, combined with heightened tensions in Northeast Asia and North Korea's penchant for norm breaking, means this group should be taken seriously. We assess with high confidence that this activity is carried out on behalf of the North Korean government, given malware development artifacts and targeting that aligns with North Korean state interests. FireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123.

### Targeting and Mission

We judge that APT37's primary mission is covert intelligence gathering in support of North Korea's strategic military, political and economic interests. This is based on consistent targeting of South Korean public and private entities and social engineering. APT37's recently expanded

In 2017, APT37 targeted a Middle Eastern company that entered into a joint venture with the North Korean government to provide telecommunications service to the country (read on for a case study).
At that time, other targets included individuals involved in international affairs and trade issues, the general director of a Vietnamese international trading and transport company, and possibly individuals working with Olympics organizations assisting in securing resources for athletes.

North Korean defector and human rights-related targeting provides further evidence that APT37 conducts operations aligned with the interests of North Korea. APT37 targeted a research fellow, an advisory member and a journalist associated with different North Korean human rights issues and strategic organizations. It also targeted an entity in Japan associated with United Nations missions on sanctions and human rights. APT37 distributed SLOWDRIFT malware to academic and strategic institutions in South Korea using a lure referencing the Korea Global Forum. Notably, the email was sent from a compromised South Korean institute that conducts studies on North Korea. The string "durihana," which is also the name of a Christian missionary organization that works with North Korean defectors, was included in an APT37 weaponized document sent to an individual who works with a North Korean human rights organization.
**Figure 3.** Timeline of CVE Release Dates vs. Dates of APT37 CVE Exploitation. [Chart covering February 2016 through February 2018; it plots the CVE release date against the date of APT37 exploitation for CVE-2018-4878 (zero-day), CVE-2017-0199, CVE-2015-2387, CVE-2015-2545, CVE-2015-7645 and CVE-2016-4117.]

### Exploited Vulnerabilities

APT37 frequently exploits vulnerabilities in Hangul Word Processor (HWP) because of the software's prevalence in South Korea. Further, the group recently demonstrated access to zero-day vulnerabilities (CVE-2018-0802) and has the flexibility to quickly incorporate recently publicized vulnerabilities into spear phishing and strategic web compromise operations. These capabilities suggest a high operational tempo and specialized expertise.

APT37 has repeatedly deployed exploits, especially for Flash, quickly after vulnerabilities are initially publicized (see Table 1). CVE-2016-4117, CVE-2016-1019 and CVE-2015-3043 were all exploited by APT37 in this way. FireEye iSIGHT Intelligence confirmed that since at least November 2017, APT37 exploited a zero-day Adobe Flash vulnerability, CVE-2018-4878, to distribute DOGCALL malware to South Korean victims.
While the use and discovery of zero-day exploits over the past several years has expanded beyond a nation-state-dominated environment to include commercial vendors of cyber espionage capabilities and sophisticated financially motivated actors, access to zero-day exploits remains a factor in distinguishing sophisticated or well-resourced actors. Figure 3 details the vulnerabilities exploited by APT37, comparing the time of exploitation to the time the CVE was released.

[Figure 3, continued: chart covering January 2014 through December 2015, plotting CVE-2013-4979, CVE-2014-8439, CVE-2015-2419, CVE-2015-3105, CVE-2015-5119, CVE-2015-5122 and CVE-2016-1019.]

### Command and Control Infrastructure

APT37 uses a variety of techniques for command and control. It leverages compromised servers, messaging platforms and cloud service providers to avoid detection. The group often relies on compromised sites to host second-stage malware payloads. Over time, APT37 has changed the email providers it uses to set up command and control accounts, possibly to cover its tracks and cause misdirection. These tactics have been refined over the years as APT37 evolves to evade network defenders. APT37 has used various legitimate platforms as command and control for its malware tools.
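Command and control over legitimate cloud storage services, as this section describes for DOGCALL's use of the pCloud and Dropbox APIs, lands on hostnames that most networks allow, so detection has to come from how the traffic behaves rather than where it goes. The script below is an added example written for this page, not FireEye or APT37 code. It reads a constructed proxy log in a simple CSV form (timestamp, client, destination host, user-agent), keeps only requests to the watched API hostnames, discards client/host pairs whose traffic comes from the vendors' own desktop clients (the user-agent prefixes are an assumption and should be tuned locally), and flags a client as beaconing when its request intervals are nearly constant. The watched hostnames are taken from the vendors' public API documentation; adjust them to what your environment actually resolves.

```python
"""Flag hosts that beacon at regular intervals to cloud-storage APIs.

Added example for this report (not FireEye code). It assumes proxy logs in a
constructed CSV form: "<ISO timestamp>,<client>,<destination host>,<user-agent>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Cloud storage API endpoints abused as C2 (the report names pCloud and Dropbox for DOGCALL).
# Hostnames from the vendors' public API documentation; verify against your own DNS logs.
WATCHED_HOSTS = {
    "api.dropboxapi.com",
    "content.dropboxapi.com",
    "api.pcloud.com",
}
# User-agent prefixes of the legitimate desktop clients (assumption; tune locally).
KNOWN_CLIENT_UA = ("Dropbox-Desktop", "pCloud")

# Constructed sample log: ws-021 syncs normally with the Dropbox client; ws-117 polls
# the pCloud API every ~60 s from a generic Windows HTTP user-agent; ws-042 is unrelated.
SAMPLE_LOG = """\
2018-01-15T09:00:05,ws-021,content.dropboxapi.com,Dropbox-Desktop/42.4.33
2018-01-15T09:00:07,ws-021,api.dropboxapi.com,Dropbox-Desktop/42.4.33
2018-01-15T09:17:41,ws-021,content.dropboxapi.com,Dropbox-Desktop/42.4.33
2018-01-15T09:00:00,ws-117,api.pcloud.com,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
2018-01-15T09:01:00,ws-117,api.pcloud.com,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
2018-01-15T09:02:01,ws-117,api.pcloud.com,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
2018-01-15T09:03:00,ws-117,api.pcloud.com,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
2018-01-15T09:04:00,ws-117,api.pcloud.com,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
2018-01-15T09:30:00,ws-042,www.example.org,Mozilla/5.0
"""


def parse_log(text):
    """Yield (timestamp, client, host, user_agent) for requests to watched destinations."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ua = line.split(",", 3)  # maxsplit keeps commas inside the UA
        if host in WATCHED_HOSTS:
            yield datetime.fromisoformat(ts), client, host, ua


def find_beacons(text, min_events=4, max_jitter=0.2):
    """Return {(client, host): mean_interval_seconds} for regular, non-client traffic.

    A pair is flagged when it has at least `min_events` requests, none of them from a
    known client user-agent, and the spread of inter-request intervals
    (population standard deviation / mean) is below `max_jitter`.
    """
    events = defaultdict(list)
    for ts, client, host, ua in parse_log(text):
        events[(client, host)].append((ts, ua))

    flagged = {}
    for key, seen in events.items():
        if len(seen) < min_events:
            continue
        if any(ua.startswith(KNOWN_CLIENT_UA) for _, ua in seen):
            continue  # the vendor's own sync client also polls on a timer; exclude it
        times = sorted(ts for ts, _ in seen)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            flagged[key] = avg
    return flagged


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: beacon every ~{interval:.0f}s")
```

A flag from this script is a lead, not a verdict: sync clients also poll on timers, which is why the example excludes the vendors' own user-agents instead of relying on regularity alone. In production the next step is to pivot to the originating process and the request bodies on the flagged host rather than acting on the hostname.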
While some early campaigns leveraged POORAIM, which abused AOL Instant Messenger, newer activity deploys DOGCALL, which uses cloud storage APIs such as pCloud and Dropbox. APT37 relies on compromised websites to host second-stage malware. Small websites focused on subjects such as aromatherapy and scuba diving have been leveraged; they were most likely compromised opportunistically and made to host malicious payloads.

APT37 has improved its operational security over time. For example, early 2015 use of SLOWDRIFT involved credentials associated with Korea-related mail services such as Daum.net. Later, in 2015 and early 2016, APT37 pivoted to different email providers such as Gmail and hmamail.com in an attempt to anonymize the activity. Then, from mid-2016 onward, APT37 began using @yandex.com and @india.com email accounts, possibly in an attempt to cause misattribution.

### Malware

APT37 employs a diverse suite of malware for initial intrusion and exfiltration. Its malware is characterized by a focus on stealing information from victims, with many tools set up to automatically exfiltrate data of interest. Figure 4 shows APT37's malware usage over time. A full breakdown of the malware we associate with APT37, along with how it is detected by FireEye devices, is available in the Appendix.

Along with custom malware used for espionage purposes, APT37 also has access to destructive malware. In April 2017, APT37 targeted South Korean military and government organizations with the DOGCALL backdoor and RUHAPPY wiper malware. Although the wiper capability was not used in the identified instance, RUHAPPY can overwrite a machine's Master Boot Record (MBR), causing the system to fail to boot into its preconfigured partitions.
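The RUHAPPY description above turns on one concrete artifact, an overwritten MBR, which is cheap to check for during forensics. The script below is an added example written for this page; it is not FireEye tooling and not a reconstruction of RUHAPPY's own code. It parses only the documented layout of a classic MBR (446 bytes of boot code, four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510) and reports why a sector looks damaged. Both sample sectors are constructed in code; to examine a real image, read its first 512 bytes and pass them to assess_mbr.

```python
"""Check a disk image's first sector for signs of an overwritten MBR.

Added example for this report (not FireEye code, not RUHAPPY's logic). It relies
only on the classic MBR layout: boot code in bytes 0-445, four 16-byte partition
entries from offset 446, and the 0x55AA boot signature at offset 510.
"""
import struct

SECTOR = 512
PART_TABLE_OFF = 446
SIGNATURE_OFF = 510


def parse_partitions(sector):
    """Return the four partition entries as dicts (bootable, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-first(3) type(1) CHS-last(3) LBA-first(4) sector-count(4)
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": boot, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def assess_mbr(sector):
    """Classify a 512-byte sector as 'intact' or 'damaged' and list the reasons found."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    problems = []
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        problems.append("boot signature 0x55AA missing")
    code = sector[:PART_TABLE_OFF]
    if len(set(code)) == 1:
        problems.append("boot code is a single repeated byte (wiped or never written)")
    parts = parse_partitions(sector)
    usable = [p for p in parts
              if p["bootable"] in (0x00, 0x80) and p["type"] != 0
              and p["lba_start"] > 0 and p["sectors"] > 0]
    if not usable:
        problems.append("no plausible partition entry")
    if any(p["bootable"] not in (0x00, 0x80) for p in parts):
        problems.append("partition status byte is neither 0x00 nor 0x80")
    return {"status": "intact" if not problems else "damaged",
            "problems": problems, "partitions": usable}


def build_sample_mbr():
    """Constructed, valid-looking MBR: stand-in boot code plus one bootable NTFS partition."""
    sector = bytearray(SECTOR)
    # Varied filler in place of real boot code (constructed, not executable)
    sector[:PART_TABLE_OFF] = bytes((i * 37) & 0xFF for i in range(PART_TABLE_OFF))
    # status 0x80 (bootable), CHS placeholders, type 0x07 (NTFS), LBA 2048, 204800 sectors
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF,
                     0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)


def build_wiped_mbr(fill=0x00):
    """Constructed sector as a wiper would leave it: the whole first sector overwritten."""
    return bytes([fill]) * SECTOR


if __name__ == "__main__":
    for label, sector in (("sample", build_sample_mbr()),
                          ("wiped 0x00", build_wiped_mbr()),
                          ("wiped 0xAA", build_wiped_mbr(0xAA))):
        verdict = assess_mbr(sector)
        print(f"{label}: {verdict['status']} {verdict['problems']}")
```

On a GPT disk the first sector is a protective MBR with a single 0xEE entry, which this check accepts; confirming that the GPT header at LBA 1 is intact is a separate step. A sector that passes all three checks can still carry malicious boot code, so treat the result as a triage signal, not a clean bill of health.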
**Figure 4.** Timeline of APT37 Malware Use By First and Last Observed Compile Times. [Chart spanning January 2015 through January 2018.]

It is possible that APT37's distribution of KARAE malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service (DDoS) attacks, or for other activity such as financially motivated campaigns or disruptive operations. Disruptive and destructive cyber threat activity, including the use of wiper malware, public leaks of proprietary materials by false hacktivist personas, DDoS attacks and electronic warfare tactics such as GPS signal jamming, is consistent with past behavior by other North Korean actors.

### Attribution

We assess with high confidence that APT37 acts in support of the North Korean government and is primarily based in North Korea.
This assessment is based on multiple factors, including APT37's targeting profile, insight into the group's malware development and probable links to a North Korean individual believed to be the developer of several of APT37's proprietary malware families:

**Figure 5.** APT37 Compile Times Against Local Time in North Korea. [Histogram of compile-time frequency by hour of day, 12 a.m. through 11 p.m.]

- An individual we believe to be the developer behind several APT37 malware payloads inadvertently disclosed personal data showing that the actor was operating from an IP address and access point associated with North Korea.
- The compilation times of APT37 malware are consistent with a developer operating in the North Korean time zone (UTC+8:30 at the time of writing) and follow what is believed to be a typical North Korean workday (Fig. 5). The majority of malware compilation times occurred between 10:00 a.m. and 7:00 p.m., with a dip around noon. Additional activity occurred late into the evening. This is consistent with media reporting of extremely long hours for North Korean workers.
- The majority of APT37 activity continues to target South Korea, North Korean defectors, and organizations and individuals involved in Korean Peninsula reunification efforts. Similarly, APT37's targeting of a Middle Eastern company in 2017 is consistent with North Korean objectives given the entity's extensive relationships inside North Korea.
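The compile-time analysis behind Figure 5 can be reproduced from PE headers alone. The script below is an added example written for this page, not FireEye's analysis code. It pulls the COFF TimeDateStamp from each file (e_lfanew at offset 0x3C, the "PE\0\0" signature, then the stamp four bytes after it), converts it to Pyongyang Time and counts samples per local hour. The sample files are constructed header stubs, the plausibility window is an analyst-chosen cutoff for the report's period, and the UTC+8:30 offset matches what the report used; North Korea used UTC+9 before August 2015 and returned to it in May 2018, so samples outside that window need a different offset.

```python
"""Bucket PE compile timestamps by local hour, as in the report's Figure 5.

Added example for this report, not FireEye tooling. It reads only fields the PE
format guarantees: e_lfanew at 0x3C, the "PE\0\0" signature, and the COFF
TimeDateStamp (seconds since the Unix epoch, UTC) four bytes after the signature.
"""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Pyongyang Time as used in the report (in force August 2015 to May 2018; UTC+9 otherwise).
PYONGYANG = timezone(timedelta(hours=8, minutes=30))
# Analyst-chosen window: stamps outside it are treated as zeroed or forged.
EARLIEST = datetime(2014, 1, 1, tzinfo=timezone.utc)
LATEST = datetime(2018, 3, 1, tzinfo=timezone.utc)


def pe_timestamp(data):
    """Return the COFF TimeDateStamp of a PE image, or None if the headers are malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def local_compile_time(stamp, tz=PYONGYANG):
    """Convert a TimeDateStamp to the chosen zone; None if outside the plausible window."""
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if not EARLIEST <= when <= LATEST:
        return None
    return when.astimezone(tz)


def hour_histogram(samples, tz=PYONGYANG):
    """Count samples per local hour (0-23); returns (Counter, number of samples skipped)."""
    hours, skipped = Counter(), 0
    for blob in samples:
        stamp = pe_timestamp(blob)
        local = local_compile_time(stamp, tz) if stamp is not None else None
        if local is None:
            skipped += 1
            continue
        hours[local.hour] += 1
    return hours, skipped


def make_pe_stub(stamp, e_lfanew=0x80):
    """Constructed minimal PE header (not a runnable binary) carrying the given timestamp."""
    buf = bytearray(e_lfanew + 24)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine=0x14c (i386), NumberOfSections=3, TimeDateStamp; remaining COFF fields left zero
    struct.pack_into("<HHI", buf, e_lfanew + 4, 0x14C, 3, stamp)
    return bytes(buf)


# Constructed sample set: four compile times in 2017 plus one zeroed timestamp.
SAMPLES = [
    make_pe_stub(int(datetime(2017, 4, 3, 1, 30, tzinfo=timezone.utc).timestamp())),   # 10:00 local
    make_pe_stub(int(datetime(2017, 6, 12, 5, 0, tzinfo=timezone.utc).timestamp())),   # 13:30 local
    make_pe_stub(int(datetime(2017, 9, 20, 9, 45, tzinfo=timezone.utc).timestamp())),  # 18:15 local
    make_pe_stub(int(datetime(2017, 11, 8, 14, 0, tzinfo=timezone.utc).timestamp())),  # 22:30 local
    make_pe_stub(0),                                                                    # zeroed stamp
]

if __name__ == "__main__":
    hist, skipped = hour_histogram(SAMPLES)
    for hour in range(24):
        print(f"{hour:02d}:00 {'#' * hist[hour]}")
    print(f"skipped {skipped} sample(s) with implausible timestamps")
```

Compile timestamps are attacker-controlled and are sometimes zeroed or forged, which is why implausible values are counted separately rather than silently dropped. The pattern only carries evidential weight across many samples, which is how the report's argument uses it.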
### Appendix: Malware Used by APT37

© 2018 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. SP.APT37.2018.US-EN-000271-03

FireEye, Inc., 601 McCarthy Blvd., Milpitas, CA 95035. 408.321.6300 / 877 FIREEYE (347.3393). info@FireEye.com, www.FireEye.com