APT37

Threat Actor updated a day ago (2024-11-20T18:16:28.962Z)
APT37, also known as RedAnt, RedEyes, ScarCruft, and Group123, is a threat actor suspected to be backed by North Korea. It has been active since at least 2012, primarily targeting South Korea across industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and healthcare, with additional activity noted in Japan, Vietnam, and the Middle East. The group uses custom malware for espionage and has access to destructive malware.

The ROKRAT malware, first reported by Talos in April 2017, has been consistently attributed to APT37, which employs it in various campaigns. In recent attacks, APT37 used various infection chains and lures, resulting in payloads of ROKRAT and Amadey. The group has exploited vulnerabilities such as the one-click WPS Office bug, using it to deliver RokRAT without any user interaction required. This was specifically targeted at a Toast ad program typically installed alongside various free software.

The group also exploited zero-day vulnerabilities in Microsoft's Internet Explorer web browser, mounting a zero-click supply chain campaign against South Korean targets. These exploits were discovered by Google Threat Analysis Group researchers in late October 2022 and actively exploited by APT37 in December 2022.

The severity of APT37's activities came to light in early February 2028, when researchers revealed that the group leveraged a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users; the group tricked victims into downloading malware on desktops with the Toast ad program installed. In February 2018, FireEye linked APT37 to the North Korean government based on several clues. The group's cyberattacks have mainly targeted government, defense, military, and media organizations in South Korea, posing significant threats to these sectors.
Description last updated: 2024-11-15T16:18:37.510Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth looking at.
Alias | Description | Votes

- ScarCruft (8 votes): ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean state-sponsored threat actor known for targeting high-value individuals and organizations to further North Korea's geopolitical objectives. This group has shown its agility in adopting new malware delivery me
- Reaper (6 votes): Reaper, also known as APT37, Inky Squid, RedEyes, or ScarCruft, is a threat actor group attributed to North Korea. It deploys ROKRAT, a malicious tool that has been used in cyber exploitation since the 1970s. This group is also tied to the NOKKI malware family, which originated from research surroun
- Kimsuky (4 votes): Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked Advanced Persistent Threat (APT) group that has been active since it was first spotted by Kaspersky researchers in 2013. The group is notorious for its cyber espionage activit
- Group123 (4 votes): Group123, also known as APT37, RedAnt, RedEyes, ScarCruft, Inky Squid, and Reaper, is a threat actor group associated with North Korea. This group has demonstrated a variety of technical capabilities in their intrusions, primarily targeting government entities. Mandiant Threat Intelligence and AhnLa
- RedEyes (3 votes): RedEyes, also known as APT37, TA-RedAnt, Reaper, ScarCruft, Group123, InkSquid, BadRAT, and Ricochet Chollima, is a North Korea-linked threat actor known for its malicious cyber activities. It recently exploited an Internet Explorer zero-day vulnerability (CVE-2024-38178 with a CVSS score of 7.5) in
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, Exploit, Korean, Windows, Phishing, State Sponso..., Backdoor, Apt, Espionage, Vulnerability, Reconnaissance, Rat, Russia, exploited, Zero Day, Microsoft
Associated Malware
Alias | Description | Association Type | Votes

- ROKRAT (association type: Unspecified; 6 votes): RokRAT is a form of malware that has been utilized in cyber-espionage campaigns primarily targeting South Korean entities. It is typically delivered via phishing emails containing ZIP file attachments, which contain LNK files disguised as Word documents. When the LNK file is activated, a PowerShell
- KONNI (association type: Unspecified; 4 votes): Konni is a malicious software (malware) linked to North Korea, specifically associated with the state-sponsored Kimsuky group. This advanced persistent threat (APT) has been active since at least 2021, focusing on high-profile targets such as the Russian Ministry of Foreign Affairs, the Russian Emba
- Amadey (association type: Unspecified; 3 votes): Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includ
Associated Threat Actors
Alias | Description | Association Type | Votes

- Lazarus Group (association type: Unspecified; 3 votes): The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North K
- Apt43 (association type: Unspecified; 2 votes): APT43, also known as Kimsuky, is a North Korean Advanced Persistent Threat (APT) group that has been active since at least 2013. The group is known for its intelligence collection activities and using cybercrime to fund espionage. It has been linked to several aliases including Springtail, ARCHIPELA
Associated Vulnerabilities
Alias | Description | Association Type | Votes

- CVE-2022-41128 (association type: Unspecified; 3 votes): no description provided.
Source Document References
Information about the APT37 Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Source | Created At

- DARKReading, a month ago
- DARKReading, a month ago
- Securityaffairs, a month ago
- DARKReading, 2 months ago
- DARKReading, 7 months ago
- DARKReading, 7 months ago
- DARKReading, 7 months ago
- CERT-EU, 9 months ago
- BankInfoSecurity, 9 months ago
- Recorded Future, a year ago
- MITRE, a year ago
- CERT-EU, a year ago
- CERT-EU, a year ago
- CERT-EU, a year ago
- CERT-EU, a year ago
- DARKReading, a year ago
- Recorded Future, a year ago
- CERT-EU, a year ago
- CERT-EU, a year ago
- CERT-EU, a year ago