Members of the APT37 group deleted the attack data they had accumulated only superficially. Researchers restored the data and analyzed it in detail, finding activity timelines, malicious code, and plenty of useful clues to the group's internal workings.
Even threat actors store data on GitHub and fail to delete it completely. The Zscaler ThreatLabz team got a closer look at the tactics, techniques, and procedures (TTPs) of APT37 (aka ScarCruft or Temp.Reaper), a North Korea-based advanced persistent threat actor.
Data from APT37 shows the procedure
During their research, the security researchers came across a GitHub repository that they attributed to a member of the group. Although the threat actor routinely deletes files from the repository, the analysts were able to retrieve and examine all of the deleted files. This operational security lapse gave them access to a wealth of information about the malicious files used by the group as well as a timeline of its activities, dating back to October 2020. Many of the samples identified through the repository are absent from OSINT sources such as VirusTotal, so they shed new light on the group's activities and capabilities.
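The page does not say how the deleted files were retrieved. The following added example, which is not Zscaler's tooling, shows the most likely mechanism under one assumption: that the actor removed files with ordinary commits, which leaves every earlier version in the repository's history. It builds a throwaway repository (the deleted "tool" is a constructed one-line stand-in, not real malware), then lists and recovers everything that was ever deleted.

```shell
#!/bin/sh
# Added example (not from the original page): recovering files that were
# deleted from a git repository but survive in its history.
# Assumption: the deletions were ordinary commits, not a history rewrite.
set -eu

# Build a constructed repository: commit a file, then delete it, the way a
# careless actor "cleans up" a tool after use.
build_demo_repo() {
    repo="$1"
    rm -rf "$repo"
    git init -q "$repo"
    git -C "$repo" config user.email "demo@example.invalid"
    git -C "$repo" config user.name "demo"
    printf 'Write-Host "constructed sample, not real malware"\n' > "$repo/loader.ps1"
    git -C "$repo" add loader.ps1
    git -C "$repo" commit -q -m "add tool"
    git -C "$repo" rm -q loader.ps1
    git -C "$repo" commit -q -m "cleanup"
}

# Every path that was deleted in any commit on any branch, one per line.
list_deleted_paths() {
    git -C "$1" log --all --diff-filter=D --name-only --pretty=format: \
        | sed '/^$/d' | sort -u
}

# Print the last content of a deleted path: find the commit that removed it
# and read the file from that commit's parent.
recover_deleted_file() {
    repo="$1"; path="$2"
    commit=$(git -C "$repo" log --all --diff-filter=D --pretty=format:%H -n 1 -- "$path")
    git -C "$repo" show "${commit}^:${path}"
}

# Dump all deleted files into an output directory, preserving paths.
recover_all_deleted() {
    repo="$1"; out="$2"
    mkdir -p "$out"
    list_deleted_paths "$repo" | while IFS= read -r path; do
        mkdir -p "$out/$(dirname "$path")"
        recover_deleted_file "$repo" "$path" > "$out/$path"
    done
}

demo="${TMPDIR:-/tmp}/apt-repo-demo"
build_demo_repo "$demo"
recover_all_deleted "$demo" "$demo.recovered"
ls "$demo.recovered"
```

The same three functions work unchanged against a clone of any repository (`git clone` fetches the full history by default), which is why "deleting" a file from GitHub through a normal commit removes nothing an analyst cannot get back with `git show`.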
The main goal is cyber espionage
The main goal of APT37 is cyber espionage, carried out by exfiltrating files of selected formats. The group distributes the PowerShell-based "Chinotto" backdoor through several attack vectors. File formats abused include Windows Help files (CHM), HTML Applications (HTA), HWP (Hancom Office), XLL (Excel add-ins), and macro-enabled Microsoft Office documents. The group also runs phishing campaigns designed to steal credentials.
The group focuses primarily on infecting devices owned by people in South Korea in order to conduct espionage and steal data. Notably, it also uses a malicious Excel add-in (XLL) for this, a vector first observed in March 2023, which shows that the group keeps adding new attack patterns and techniques. Lures are drawn from current geopolitical events, news, education, finance, or insurance topics.
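The two paragraphs above list the delivery formats; an analyst receiving suspicious attachments wants to sort them by what they actually are rather than by extension. The following is an added example (not Zscaler's code) that sniffs the container behind each of the named formats by magic bytes, checks OOXML packages for an embedded VBA project, and flags HTA content. All samples are constructed in the block and are not malware; `WATCHLIST` and the helper names are this example's own choices.

```python
"""Added example: attachment triage for the file formats listed above.
Samples below are constructed stand-ins, not real APT37 artifacts."""
import io
import re
import zipfile

# Leading bytes of the container formats behind the abused file types.
CHM_MAGIC = b"ITSF"                              # compiled HTML Help (.chm)
PE_MAGIC = b"MZ"                                 # Windows executable; an .xll is a DLL
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2/CFB: legacy .doc/.xls and HWP 5.x
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.xlsm/...) is a zip
HTA_TAG = re.compile(rb"<hta:application", re.IGNORECASE)

# Extensions worth a second look even when content sniffing is inconclusive
# (this example's own list, not a published indicator set).
WATCHLIST = {".chm", ".hta", ".hwp", ".xll", ".doc", ".xls", ".docm", ".xlsm", ".pptm"}


def sniff_container(data: bytes) -> str:
    """Identify the outer container from its content, ignoring the name."""
    if data.startswith(CHM_MAGIC):
        return "chm"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if HTA_TAG.search(data):
        return "hta"
    return "unknown"


def ooxml_has_vba(data: bytes) -> bool:
    """True if an OOXML package carries a vbaProject.bin (the macro container)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def classify(name: str, data: bytes) -> dict:
    """Return a triage verdict: which abused format, if any, the file matches."""
    ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
    container = sniff_container(data)
    reasons = []
    if container == "chm":
        reasons.append("CHM help file")
    elif container == "pe":
        reasons.append("PE image delivered as Excel add-in" if ext == ".xll"
                       else f"PE image (extension {ext or 'none'})")
    elif container == "ole":
        # Macro streams live inside the OLE container; hand these to olevba.
        reasons.append("OLE compound file (legacy Office or HWP 5.x)")
    elif container == "zip" and ooxml_has_vba(data):
        reasons.append("OOXML document with embedded VBA project")
    elif container == "hta":
        reasons.append("HTML Application (executed by mshta.exe)")
    if not reasons and ext in WATCHLIST:
        reasons.append(f"extension {ext} on watchlist, content unrecognised")
    return {"name": name, "container": container,
            "flagged": bool(reasons), "reasons": reasons}


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip, optionally with a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


# Constructed samples covering each vector named in the text plus two benign files.
SAMPLES = [
    ("report.chm", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 60),
    ("invoice.xll", PE_MAGIC + b"\x90\x00" + b"\x00" * 60),
    ("notice.hwp", OLE_MAGIC + b"\x00" * 56),
    ("budget.xlsm", build_ooxml(with_macro=True)),
    ("agenda.xlsx", build_ooxml(with_macro=False)),
    ("memo.hta", b"<html><hta:application id='x'/><script>x=1</script></html>"),
    ("readme.txt", b"nothing to see here\n"),
]


def triage(samples) -> list:
    """Return the names of samples that need analyst attention, in input order."""
    return [classify(n, d)["name"] for n, d in samples if classify(n, d)["flagged"]]


if __name__ == "__main__":
    for name, data in SAMPLES:
        verdict = classify(name, data)
        print(f"{name:12} {verdict['container']:8} {'FLAG' if verdict['flagged'] else 'ok  '} {verdict['reasons']}")
```

Content sniffing is the point: an XLL is a DLL whatever it is called, and an HTA is recognised by its `<hta:application>` element rather than its extension. OLE files are only flagged as needing a macro check here; extracting VBA from them takes a CFB parser such as oletools' olevba.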
More at Zscaler.com
About Zscaler
Zscaler accelerates digital transformation so customers can become more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting people, devices, and applications anywhere. The SSE-based Zero Trust Exchange is the world's largest inline cloud security platform, distributed across 150+ data centers around the world.