Threat Research

APT GROUP123

Cyfirma
APT GROUP123

Group123 is a North Korean APT group engaged in cyber espionage and ransomware operations targeting multiple countries and industries globally. Their campaigns utilize sophisticated malware, exploit recent vulnerabilities, and employ diverse TTPs to maintain persistent access and evade detection. #Group123 #APT37 #CyberEspionage

Keypoints

  • Group123 has been active since at least 2012 and targets primarily East Asia, Southeast Asia, and the Middle East, including countries like South Korea, Japan, Vietnam, and the United States.
  • The group uses a broad arsenal of custom and commodity malware including KARAE, PoohMilk Loader, ROKRAT, and Maui ransomware to conduct espionage and financial gain operations.
  • Initial access is commonly achieved through spear phishing with malicious Office documents and exploitation of public-facing web application vulnerabilities like CVE-2018-4878 and CVE-2022-41128.
  • The group employs advanced persistence and defense evasion tactics such as DLL sideloading, encrypted communications, multi-stage payloads, and using legitimate web and cloud services for C2.
  • Group123 conducts credential harvesting, internal network reconnaissance, lateral movement using remote access tools, and data exfiltration to fulfill their espionage objectives.
  • A notable trend includes deploying ransomware attacks alongside espionage campaigns to generate illicit revenue supporting strategic state-sponsored goals.
  • The group shows rapid adaptation to emerging vulnerabilities and changes in technology to maintain operational effectiveness and stealth.

MITRE Techniques

  • [T1189] Drive-by Compromise – Gaining initial access by exploiting vulnerabilities in web browsers or plugins (“Drive-by Compromises: Exploiting vulnerabilities in web browsers or plugins when users visit malicious or compromised websites”).
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass User Access Control – Used for privilege escalation to gain higher-level access (“Attempting to bypass User Account Control (UAC)”).
  • [T1057] Process Discovery – Gathering information about running processes on compromised systems (“Gathering information about the compromised system…”).
  • [T1566.001] Spear Phishing Attachment – Delivery of malicious Office documents to gain initial access (“Highly targeted spear phishing emails, often containing malicious attachments”).
  • [T1055] Process Injection – Executing malicious code by injecting into other processes (“Employing scripting and leveraging Windows API calls for executing malicious code”).
  • [T1033] System Owner/User Discovery – Information gathering on user and system accounts (“Gathering information about the compromised system, including computer name, username, execution path”).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Used for persistence and impact (“Establishing backdoors for continued access” and “Persistence”).
  • [T1120] Peripheral Device Discovery – Reconnaissance to identify hardware (“Gathering information about BIOS model”).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence method to maintain access (“Modifying system configurations, such as adding entries to Registry Run Keys/Startup Folders”).
  • [T1082] System Information Discovery – For internal reconnaissance (“Gathering system information to discover network”).
  • [T1059] Command and Scripting Interpreter – Using scripting for execution (“Employing scripting and leveraging Windows API calls for executing malicious code”).
  • [T1203] Exploitation for Client Execution – Using Microsoft Office exploits and Flash Exploits for execution (“Commonly exploit vulnerabilities in word processors… and Flash Exploits”).
  • [T1005] Data from Local System – Collecting sensitive data locally (“Collecting sensitive data from local systems”).
  • [T1059.003] Windows Command Shell – Executing commands on Windows systems (“Using command shells to execute malicious commands”).
  • [T1027] Obfuscated Files or Information – Defense evasion through encryption and layered payloads (“Using encryption…Splitting payloads into multiple stages to complicate analysis”).
  • [T1123] Audio Capture – Use of audio recording tools (“Employing tools for specific data collection, such as audio capturing utilities”).
  • [T1059.006] Python – Use of Python scripts for execution or post-exploitation (“Employing scripting…”).
  • [T1204.002] User Execution: Malicious File – Executing malicious files delivered in phishing emails (“Spear phishing with malicious attachments”).
  • [T1027.003] Software Packing – Using packers to evade detection (“Employing techniques like splitting payloads…”).
  • [T1559.002] Inter-Process Communication – Used in C2 communications (“Leveraging legitimate services for command and control (C2)”).
  • [T1036.001] Masquerading: Rename System Utilities – Techniques to evade detection (“Employing DLL sideloading, DLL hollowing, and call stack spoofing”).
  • [T1071.001] Application Layer Protocol: Web Protocols – Using HTTPS for C2 communication (“Using encryption, particularly HTTPS, for C2 communications”).
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Use of Visual Basic scripts (“Employing scripting”).
  • [T1102.002] Web Service – Use of compromised legitimate web servers and cloud services for command and control (“Utilizing compromised legitimate web servers or cloud-based platforms for C2 infrastructure”).
  • [T1106] Execution through API – Using Windows APIs to execute payloads (“Employing Windows API calls for executing malicious code”).
  • [T1094] Proxy Execution – Using proxy techniques for C2 communication (“Leveraging legitimate services for command and control”).
  • [T1555.003] Credentials from Web Browsers – Harvesting credentials stored in browsers (“Harvesting credentials from web browsers”).
  • [T1105] Ingress Tool Transfer – Downloading additional tools after initial compromise (“Employing custom malware and additional payloads”).
  • [T1547.001] Boot or Logon Autostart Execution – Persistence via startup execution (“Modifying system configurations for persistence”).
  • [T1561.002] Disk Wipe – Deployment of destructive malware (“Deploying destructive malware, such as disk wipers”).
  • [T1529] System Shutdown/Reboot – Impact technique used in disruptive attacks (“Conducting ransomware and destructive attacks”).

Indicators of Compromise

  • [Malware Names] Used malware in campaigns – KARAE, PoohMilk Loader, ROKRAT, HAPPYWORK, Maui ransomware.
  • [CVE Identifiers] Exploited vulnerabilities – CVE-2018-4878, CVE-2022-41128.
  • [File Hashes] Various malicious payload hashes related to malware families like Final1stSpy, GELCAPSULE, and RUHAPPY (“and 2 more hashes”).
  • [Domains / C2 Servers] Compromised legitimate web servers and cloud services for C2 communications (e.g., Google Drive, Yandex, Mediafire).
  • [File Names] Malicious document attachments used in spear phishing campaigns exploiting Office Suite vulnerabilities (e.g., crafted HWP and Microsoft Office files).

Read more: https://www.cyfirma.com/research/apt-group123/

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint