APT37 conducts cyberespionage against South Korean targets.
Mar 23, 2023

DPRK-affiliated threat group APT37 is once again active, targeting individuals within South Korean organizations.


North Korea’s APT37 threat group (also known as Reaper, ScarCruft, and RedEye) has been observed in activity against South Korean targets.

Cyberespionage against South Korean organizations.

The AhnLab Security Emergency Response Center analysis team has observed activity from the APT37 threat group, conducting cyberespionage against individuals within South Korean organizations in February and March of this year. Researchers from Sekoia report that the group distributes the Chinotto PowerShell-based backdoor, which gives the actors “fully fledged capabilities to control and exfiltrate sensitive information from the victims.”

A GitHub repository as a tell-all.

Zscaler ThreatLabz researchers revealed their discovery of a GitHub repository owned by a member of the group. The repository has activity dating back to October of 2020 and revealed previously undisclosed attack vectors and activities of the hackers. Researchers say that file types abused by APT37 include “Windows help file (CHM), HTA, HWP (Hancom office), XLL (MS Excel Add-in) and macro-based MS Office files.” The group’s activity was said to pick back up in January of this year, with credential phishing observed as an attack vector in the group’s distribution campaigns.

A history on APT37.

APT37 has been active since at least 2012, Sekoia researchers say. The group is known to act in the interest of the DPRK through surveillance and counterintelligence. Previously observed targets have included NGOs and “dissidents, journalists, [and] DPRK defectors.” Past attack vectors include phishing emails containing malicious attachments, as well as exploitation of zero-day vulnerabilities.