WIRED has an in-depth article on the recently revealed North Korean hacker group known as APT37 aka ScarCruft aka Group123:
In its analysis of APT37, FireEye provides a rare breakdown of the hacker group’s entire known toolset, from initial infection to final payload. Earlier this month, security firms tracked the group using a zero-day vulnerability in Adobe Flash to spread malware via websites, an unusual use of a still-secret and unpatched software flaw. But in the past, the group has also exploited non-zero-day Flash vulnerabilities that victims have been slow to patch, lingering flaws in the popular Korean Hangul word processor to infect computers via malicious attachments, and even BitTorrent, indiscriminately uploading malware-infected software to piracy sites to trick unwitting users into downloading and installing it.
Once it finds an initial foothold on a victim’s machine, APT37 has a diverse grab bag of spy tools at its disposal. It has installed malware that FireEye calls DogCall, ShutterSpeed, and PoorAim, all of which have the capability of stealing screenshots of a victim’s computer, logging keystrokes, or digging through their files. Another malware sample, ZumKong, is designed to steal credentials out of browser memory. A tool called CoralDeck compresses files and extracts them to the attacker’s remote server. And a piece of spyware FireEye calls SoundWave takes over a victim’s PC microphone to silently record and store eavesdropped audio logs.
Perhaps most disturbing, Hultquist notes, is that APT37 has in some cases also dropped a tool that FireEye calls RUHappy, which has the potential to destroy systems. That wiper malware deletes a portion of the computer’s master boot record and restarts the computer so that it’s left fully paralyzed, displaying only the words “Are You Happy?” on the screen. FireEye notes that it’s never actually seen that malware triggered on a victim’s network—only installed and left as a threat. But Cisco’s Talos researchers noted in their own detailed report on APT37 last month that a 2014 attack on a Korean power plant had indeed left that three-word message on wiped machines, though they weren’t able to otherwise tie that attack to APT37.
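The RUHappy description above is the one place in the excerpt with an artifact an incident responder can actually check for: a boot sector that has been partly deleted. The script below is an added example and is not code from the WIRED article, FireEye or Talos, and it does not detect RUHappy itself; it performs the generic sanity checks a responder would run over the first 512 bytes of a disk or disk image (missing 0x55AA boot signature, zeroed boot code, empty partition table) and, when a hash of a known-good sector is available, flags any change at all. The three sample MBRs are constructed for the example, as is the single NTFS partition entry they contain.

```python
"""Sanity-check a 512-byte MBR image for the damage a boot-sector wiper leaves.

Added example, not code from the WIRED article, FireEye or Talos. It flags the
generic symptoms of a wiped or replaced boot sector rather than any specific
malware. The sample sectors at the bottom are constructed for this example.
"""
import hashlib
import struct
from typing import Dict, List, Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510          # the last two bytes must be 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partitions(mbr: bytes) -> List[dict]:
    """Return the non-empty entries of the classic four-slot partition table."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused slot
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(mbr) != MBR_SIZE:
        return ["unexpected length %d, expected %d" % (len(mbr), MBR_SIZE)]
    findings = []
    if mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if mbr[:BOOT_CODE_LEN].count(0) > 0.9 * BOOT_CODE_LEN:
        findings.append("boot code area is almost entirely zero")
    if not parse_partitions(mbr):
        findings.append("partition table is empty")
    # Structural checks miss a boot loader that was replaced with working code,
    # so a hash recorded from the known-good sector is the decisive check.
    if baseline_sha256 is not None and hashlib.sha256(mbr).hexdigest() != baseline_sha256:
        findings.append("MBR differs from recorded baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a constructed MBR: given boot code, one NTFS partition, signature."""
    assert len(boot_code) == BOOT_CODE_LEN
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff",
                       2048, 409600)  # bootable, type 0x07, starts at LBA 2048
    return boot_code + ntfs + b"\x00" * (3 * PART_ENTRY_LEN) + BOOT_SIGNATURE


# Constructed samples: a "known good" sector hashed at baseline time ...
INTACT_MBR = build_sample_mbr(b"\xeb\x63\x90" + b"\x90" * (BOOT_CODE_LEN - 3))
INTACT_SHA256 = hashlib.sha256(INTACT_MBR).hexdigest()
# ... the same sector with boot code and signature zeroed, table left alone ...
ZEROED_MBR = b"\x00" * BOOT_CODE_LEN + INTACT_MBR[BOOT_CODE_LEN:SIGNATURE_OFF] + b"\x00\x00"
# ... and one where only the boot code was swapped for something else.
REPLACED_MBR = build_sample_mbr(b"\xcc" * BOOT_CODE_LEN)


def classify_samples() -> Dict[str, List[str]]:
    """Run the checks over the three constructed sectors against the baseline."""
    return {name: check_mbr(data, INTACT_SHA256)
            for name, data in (("intact", INTACT_MBR),
                               ("zeroed", ZEROED_MBR),
                               ("replaced", REPLACED_MBR))}


if __name__ == "__main__":
    for name, findings in classify_samples().items():
        print("%-9s %s" % (name + ":", findings or "OK"))
```

On a live Linux host the same check runs over `open("/dev/sda", "rb").read(512)` (root required), and on an acquired image over its first 512 bytes. The point the "replaced" sample makes is that a sector rewritten with a different but valid boot loader passes every structural test, so the baseline hash taken at build time is the check that matters.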
It is fascinating how the different hacker groups within nation-state backed organizations each keep to their own tactics, techniques, and procedures; that consistency is what lets foreign intelligence agencies and security firms track their operations as closely as they do. There is no definitive proof that APT37 is who FireEye says it is, but there is a good chance this is the real deal. Attribution used to be very difficult, but it has come a long way in recent years.
This is one group to watch, especially since it has already targeted Japan, which raises the possibility that it will use Tokyo 2020 as a jumping-off point into Japanese networks.