Threat Group Cards: A Threat Actor Encyclopedia

APT group: Reaper, APT 37, Ricochet Chollima, ScarCruft

Names:
Reaper (FireEye)
TEMP.Reaper (FireEye)
APT 37 (Mandiant)
Ricochet Chollima (CrowdStrike)
ScarCruft (Kaspersky)
Thallium (Microsoft)
Group 123 (Talos)
Red Eyes (AhnLab)
Geumseong121 (ESRC)
Venus 121 (ESRC)
Hermit (Tencent)
ATK 4 (Thales)
ITG10 (IBM)
Country: North Korea
Sponsor: State-sponsored
Motivation: Information theft and espionage
First seen: 2012
Description: Some research organizations link this group to Lazarus Group, Hidden Cobra, Labyrinth Chollima.

(FireEye) Read our report, APT37 (Reaper): The Overlooked North Korean Actor, to learn more about our assessment that this threat actor is working on behalf of the North Korean government, as well as various other details about their operations:
• Targeting: Primarily South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.
• Initial Infection Tactics: Social engineering tactics tailored specifically to desired targets, strategic web compromises typical of targeted cyberespionage operations, and the use of torrent file-sharing sites to distribute malware more indiscriminately.
• Exploited Vulnerabilities: Frequent exploitation of vulnerabilities in Hangul Word Processor (HWP), as well as Adobe Flash. The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802), and the ability to incorporate them into operations.
• Command and Control Infrastructure: Compromised servers, messaging platforms, and cloud service providers to avoid detection. The group has shown increasing sophistication by improving their operational security over time.
• Malware: A diverse suite of malware for initial intrusion and exfiltration. Along with custom malware used for espionage purposes, APT37 also has access to destructive malware.
Observed sectors: Aerospace, Automotive, Chemical, Financial, Government, Healthcare, High-Tech, Manufacturing, Technology, Transportation.
Observed countries: China, Hong Kong, India, Japan, Kuwait, Nepal, Romania, Russia, South Korea, UK, USA, Vietnam.
Tools used: CARROTBALL, CARROTBAT, CORALDECK, DOGCALL, Erebus, Final1stSpy, Freenki Loader, GELCAPSULE, GreezeBackdoor, HAPPYWORK, KARAE, KevDroid, Konni, MILKDROP, N1stAgent, NavRAT, Nokki, Oceansalt, PoohMilk Loader, POORAIM, RokRAT, RICECURRY, RUHAPPY, ScarCruft, SHUTTERSPEED, SLOWDRIFT, SOUNDWAVE, Syscon, WINERACK, ZUMKONG and several 0-day Flash and MS Office exploits.
Operations performed
2012: Spying on South Korean users.
2016: Operation “Erebus”
<https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/erebus-linux-ransomware-impact-to-servers-and-countermeasures>
Mar 2016: Operation “Daybreak”
Target: High profile victims.
Method: Previously unknown (0-day) Adobe Flash Player exploit. It is also possible that the group deployed another zero-day exploit, CVE-2016-0147, which was patched in April.
<https://securelist.com/operation-daybreak/75100/>
Note: not the same operation as DarkHotel’s Operation “Daybreak”.
Aug 2016: Operation “Golden Time”
Target: South Korean users.
Method: Spear-phishing emails combined with malicious HWP documents created using Hancom Hangul Office Suite.
Nov 2016: Operation “Evil New Year”
Target: South Korean users.
Method: Spear-phishing emails combined with malicious HWP documents created using Hancom Hangul Office Suite.
Mar 2017: Operation “Are You Happy?”
Target: South Korean users.
Method: Malware that not only gains access to the remote infected systems but also wipes the first sectors of the device.
May 2017: Operation “FreeMilk”
Target: Several non-Korean financial institutions.
Method: A malicious Microsoft Office document, a deviation from their normal use of Hancom documents.
<https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/>
Nov 2017: Operation “North Korean Human Right”
Target: South Korean users.
Method: Spear-phishing emails combined with malicious HWP documents created using Hancom Hangul Office Suite.
Dec 2017: Operation “Fractured Block”
<https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/>
Jan 2018: Operation “Evil New Year 2018”
Target: South Korean users.
Method: Spear-phishing emails combined with malicious HWP documents created using Hancom Hangul Office Suite.
Mar 2018: Operation “Battle Cruiser”
<https://blog.alyac.co.kr/1625>
Apr 2018: Operation “Star Cruiser”
<http://blog.alyac.co.kr/1653>
May 2018: Operation “Onezero”
<https://brica.de/alerts/alert/public/1215993/analysis-of-apt-attack-on-operation-onezero-conducted-as-a-document-on-panmunjom-declaration/>
Aug 2018: Operation “Rocket Man”
<https://brica.de/alerts/alert/public/1226363/the-latest-apt-campaign-of-venus-121-group-operation-rocket-man/>
Nov 2018: Operation “Korean Sword”
<https://brica.de/alerts/alert/public/1252896/venus-121-apt-organization-operation-high-expert/>
Jan 2019: Operation “Holiday Wiper”
<https://brica.de/alerts/alert/public/1252896/venus-121-apt-organization-operation-high-expert/>
Mar 2019: Operation “Golden Bird”
<https://brica.de/alerts/alert/public/1252896/venus-121-apt-organization-operation-high-expert/>
Mar 2019: Operation “High Expert”
<https://brica.de/alerts/alert/public/1252896/venus-121-apt-organization-operation-high-expert/>
Apr 2019: Operation “Black Banner”
<https://brica.de/alerts/alert/public/1257351/venus-121-rocketman-campaign-operation-black-banner-apt-attack/>
May 2019: (Kaspersky) We recently discovered some interesting telemetry on this actor, and decided to dig deeper into ScarCruft’s recent activity. This shows that the actor is still very active and constantly trying to elaborate its attack tools. Based on our telemetry, we can reassemble ScarCruft’s binary infection procedure. It used a multi-stage binary infection to update each module effectively and evade detection.
<https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/>
Jul 2019: Operation “Fractured Statue”
<https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/>
Sep 2019: Operation “Dragon messenger”
<https://blog.alyac.co.kr/attachment/cfile1.uf@99A46A405DC8E3031C9E2A.pdf>
Mar 2020: Operation “Spy Cloud”
<https://blog.alyac.co.kr/attachment/cfile8.uf@9977CF405E81A09B1C4CE2.pdf>
Counter operations
Dec 2019: (Microsoft) On December 27, a U.S. district court unsealed documents detailing work Microsoft has performed to disrupt cyberattacks from a threat group we call Thallium, which is believed to operate from North Korea. Our court case against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court order enabling Microsoft to take control of 50 domains that the group uses to conduct its operations.
<https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/>
Information:
<https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf>
<https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html>
<https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/>
<https://global.ahnlab.com/global/upload/download/techreport/%5BAhnLab%5D%20Red_Eyes_Hacking_Group_Report%20(1).pdf>
<https://exchange.xforce.ibmcloud.com/threat-group/guid:ebf490b366269368dda52acaf34e7d38>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0067/>
Playbook: <https://pan-unit42.github.io/playbook_viewer/?pb=reaper>

Last change to this card: 18 July 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency