APT37 and Chinotto Malware


Industry: Media & Nonprofit | Level: Tactical | Source: SecureList

North Korean state-sponsored group APT37 (also tracked as ScarCruft and Temp.Reaper) has been identified by Kaspersky targeting South Korean journalists, defectors, and human rights activists. The group delivered its Chinotto malware through watering-hole sites, spear-phishing emails, and smishing (SMS phishing). One news organization had data stolen, and evidence showed the attackers had maintained access to its environment for several months. Chinotto variants were observed as a PowerShell script, a Windows executable, and an Android application, all using a similar HTTP-based command-and-control scheme. Additional observed capabilities include modifying registry keys (specifically enabling trusted access to the VBA project object model), registering a PowerShell command in the Run registry key for persistence that launches an HTA file via mshta.exe, and collecting files staged in a folder for exfiltration.
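The persistence and registry tradecraft above maps directly onto endpoint telemetry. The following is an added example (not Anvilogic's or Kaspersky's code) that runs three of those checks over constructed Sysmon-style events: a Run key value that invokes a script host, the Office AccessVBOM value being set to 1, and mshta.exe launched with an .hta argument or from PowerShell. The event field names follow Sysmon EventID 1 (ProcessCreate) and EventID 13 (RegistryEvent SetValue); the SID, value names, and the `update.hta` path are assumptions, not indicators from the report.

```python
"""Detect Chinotto-style persistence and registry tampering in Sysmon-like events.

Added example, not code from Anvilogic or Kaspersky. Field names are modelled
on Sysmon EventID 1 / EventID 13; every sample value below is constructed.
"""
import re
from typing import Dict, List, Tuple

Alert = Tuple[str, str]

# HKCU/HKLM ...\CurrentVersion\Run or RunOnce value being written.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE
)
# Office "Trust access to the VBA project object model"; DWORD 1 enables it.
ACCESSVBOM_RE = re.compile(
    r"\\Office\\\d+\.\d+\\\w+\\Security\\AccessVBOM$", re.IGNORECASE
)
DWORD_ONE_RE = re.compile(r"DWORD \(0x0*1\)|1", re.IGNORECASE)
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "wscript", "cscript", "cmd.exe")


def check_registry_event(ev: Dict[str, str]) -> List[Alert]:
    """Flag autorun values pointing at script hosts and AccessVBOM being enabled."""
    alerts: List[Alert] = []
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "").strip()
    if RUN_KEY_RE.search(target) and any(h in details.lower() for h in SCRIPT_HOSTS):
        alerts.append(("New AutoRun Registry Key", f"{target} = {details}"))
    if ACCESSVBOM_RE.search(target) and DWORD_ONE_RE.fullmatch(details):
        alerts.append(("VBA Trust Access Enabled", target))
    return alerts


def check_process_event(ev: Dict[str, str]) -> List[Alert]:
    """Flag mshta.exe running an .hta file or spawned by PowerShell."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "").lower()
    if image.endswith("\\mshta.exe"):
        runs_hta = ".hta" in cmd.lower()
        from_powershell = parent.endswith(("\\powershell.exe", "\\pwsh.exe"))
        if runs_hta or from_powershell:
            return [("MSHTA.exe execution", f"{cmd} (parent: {parent})")]
    return []


def run_detections(events: List[Dict[str, str]]) -> List[Alert]:
    """Dispatch each event to the matching check by Sysmon EventID."""
    alerts: List[Alert] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == "13":
            alerts.extend(check_registry_event(ev))
        elif eid == "1":
            alerts.extend(check_process_event(ev))
    return alerts


# Constructed sample telemetry: two malicious registry writes, one benign,
# one malicious process launch, one benign. Paths and names are hypothetical.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'powershell.exe -w hidden -c "mshta C:\Users\Public\update.hta"'},
    {"EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM",
     "Details": "DWORD (0x00000001)"},
    {"EventID": "13",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": "1",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta C:\Users\Public\update.hta",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": "1",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for name, detail in run_detections(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The benign Run key entry is deliberately included: an autorun value alone is noisy, so the rule requires the value to invoke a script host, which is the specific shape described above (PowerShell launching mshta against an HTA). In production the same logic would read Sysmon or EDR events from the SIEM rather than an inline list.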

  • Anvilogic Scenario: APT37 & "Chinotto" Malware
  • Anvilogic Use Cases:
      • Query Registry
      • New AutoRun Registry Key
      • MSHTA.exe execution
      • Data Staged to File
