APT PROFILE – GROUP 123

Group123 is a North Korean state-sponsored APT active since at least 2012 that conducts espionage across East and Southeast Asia, the Middle East, and beyond using spear‑phishing, malicious documents (including HWP), drive‑by exploits, and a large toolkit of loaders and implants to gain persistent access. Recent campaigns show intensified Windows-focused intrusions, advanced defense-evasion (DLL sideloading, hollowing, sandbox checks), cloud‑based C2, and a partial shift toward revenue generation including use of Maui ransomware. #Group123 #ROKRAT

Key points

  • Group123 (aka APT37/Reaper/ScarCruft) is a North Korean state‑sponsored APT active since at least 2012, targeting government, defense, research, critical infrastructure, and regional organizations.
  • Primary initial access vectors include spear‑phishing with malicious attachments, drive‑by compromises, and exploitation of newly disclosed vulnerabilities in office suites, browsers, and OS components.
  • Operations rely on a mature, diverse toolkit of custom malware and loaders (e.g., ROKRAT, PoohMilk Loader, Freenki Loader, GELCAPSULE, Oceansalt) for command execution, credential theft, data exfiltration, and lateral movement.
  • The group increasingly adopts zero‑day and recently disclosed exploits (e.g., Flash CVE‑2018‑4878) and uses multi‑stage payloads and HTTPS‑based C2 to blend into normal traffic.
  • Advanced defense‑evasion techniques observed include DLL sideloading, DLL hollowing, call‑stack spoofing, payload fragmentation, sandbox/analysis checks, and heavy encryption of C2 traffic.
  • Tactical shifts include greater Windows focus, hardened infrastructure using compromised legitimate web/cloud services for resilient C2, and some monetization via ransomware (e.g., Maui) alongside espionage missions.

MITRE Techniques

  • [T1189] Drive-by Compromise – Used to gain initial access via compromised or malicious websites
  • [T1566.001] Phishing: Spearphishing Attachment – Delivery of malicious documents and attachments to targets
  • [T1059] Command and Scripting Interpreter – Execution of scripts and interactive commands for payload execution and control
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Use of Windows shell commands during execution phases
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Use of Visual Basic scripting for execution pathways
  • [T1059.006] Command and Scripting Interpreter: Python – Use of Python for scripting and payload execution
  • [T1203] Exploitation for Client Execution – Exploiting client-side vulnerabilities to trigger execution
  • [T1559.002] Inter-Process Communication: Dynamic Data Exchange – Use of DDE for inter-process execution and code delivery
  • [T1106] Native API – Leveraging native OS APIs to perform actions and blend in
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Use of scheduled tasks for persistence and privileged operations
  • [T1204.002] User Execution: Malicious File – Reliance on the user opening malicious documents to trigger payloads
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Registry Run keys or Startup folder entries used for persistence
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – Techniques to bypass UAC for privilege escalation or execution
  • [T1055] Process Injection – Injecting code into other processes to evade detection and escalate privileges
  • [T1036.001] Masquerading: Invalid Code Signature – Use of invalid or forged signatures to masquerade binaries
  • [T1027] Obfuscated Files or Information – Use of obfuscation to hide code and payloads
  • [T1027.003] Obfuscated Files or Information: Steganography – Use of steganography as an obfuscation method
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Theft of stored browser credentials for lateral movement and access
  • [T1120] Peripheral Device Discovery – Discovery of connected peripherals as part of reconnaissance
  • [T1057] Process Discovery – Enumerating running processes to identify targets and hide activity
  • [T1082] System Information Discovery – Collection of system information to support targeting and C2 decisions
  • [T1033] System Owner/User Discovery – Identifying system owners and users for credential misuse and targeting
  • [T1123] Audio Capture – Use of audio capture capabilities for collection
  • [T1005] Data from Local System – Collection of local files and data for exfiltration
  • [T1105] Ingress Tool Transfer – Downloading additional tools and payloads into victim environments
  • [T1071.001] Application Layer Protocol: Web Protocols – Use of web protocols (HTTPS) for C2 communications
  • [T1102.002] Web Service: Bidirectional Communication – Use of web services for resilient, bidirectional C2 channels
  • [T1561.002] Disk Wipe: Disk Structure Wipe – Use of disk wiping or destructive routines as an impact technique
  • [T1529] System Shutdown/Reboot – Forcing system shutdowns or reboots as part of impact operations

Indicators of Compromise

  • [Malware] Campaign tooling and payloads observed – ROKRAT, PoohMilk Loader, and 30+ other families (e.g., Freenki Loader, GELCAPSULE), plus many additional implants.
  • [CVE] Exploited vulnerabilities used in campaigns – CVE-2018-4878, CVE-2024-38178, and three further CVEs: CVE-2022-41128, CVE-2020-1380, CVE-2017-8291.
  • [Malicious document types] Initial lure artifacts – Hangul/HWP files and other malicious office documents used as spear-phishing attachments.


Read more: https://www.cyfirma.com/research/apt-profile-group-123/