Group123

Threat Actor updated a day ago (2024-11-20T18:12:34.124Z)
Group123, also known as APT37, RedAnt, RedEyes, ScarCruft, Inky Squid, and Reaper, is a threat actor group associated with North Korea. The group has demonstrated a range of technical capabilities in its intrusions and primarily targets government entities. Mandiant Threat Intelligence and AhnLab Security Intelligence Center (ASEC) have identified Group123's alignment with the activity publicly reported as ScarCruft.

The group's modus operandi includes hiding malicious shellcode inside images hosted on compromised websites, using open platforms as command and control servers, and exploiting vulnerabilities in popular software. Recently, Group123 exploited an Internet Explorer zero-day vulnerability, tracked as CVE-2024-38178 (CVSS score 7.5), in a supply chain attack specifically targeting a Toast ad program that is usually installed alongside various free software. This approach closely matches the techniques observed and documented for Group123 over the past 18 months. The malware developer within the group appears to be a different individual, but the infection framework and mode of operation remain consistent with Group123's known activities.

There is medium confidence in the assessment that NavRAT, a malicious campaign, is linked to Group123. No obvious false flags have been identified in NavRAT, and its connection to Group123 is supported by similarities in execution and intent. These assessments are based on the data currently available and may change as further information becomes available.
Description last updated: 2024-11-15T16:18:40.428Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so the following are possible overlapping names and profiles that may also be relevant.
Alias | Description | Votes
APT37 | APT37 is a possible alias for Group123. APT37, also known as RedAnt, RedEyes, ScarCruft, and Group123, is a threat actor suspected to be backed by North Korea. It has been active since at least 2012, primarily targeting South Korea across various industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and | 4
ScarCruft | ScarCruft is a possible alias for Group123. ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean state-sponsored threat actor known for targeting high-value individuals and organizations to further North Korea's geopolitical objectives. This group has shown its agility in adopting new malware delivery me | 3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Analyst Notes & Discussion
Source Document References
Information about the Group123 threat actor was read from the document corpus below.