TT Malware Log

A personal research, study and reference log on malware, cyber attacks and analysis techniques

APT37 (Summary)

【Key Points】

◎ North Korean targeted-attack (APT) group. A component of North Korea's Ministry of State Security (MSS).


【Contents】

Overview

【Glossary】

◆APT37 (FireEye)
https://www.fireeye.com/current-threats/apt-groups.html

◆APT37 (Malpedia)
https://malpedia.caad.fkie.fraunhofer.de/actor/apt37

◆What is APT37? [Glossary detail] (SOMPO CYBER SECURITY)
https://www.sompocybersecurity.com/column/glossary/apt37

【Aliases】
Attack group name     Naming organization
APT37                 FireEye
ATK4
Dark Sleeper
FreeMilk
G0067
Group123
InkySquid
Moldy Pisces
Reaper
Red Eyes
Ricochet Chollima
ScarCruft             Kaspersky
Sun Team
Venus 121

【Operation Names】
Operation name        Naming organization
Operation Daybreak
Operation Erebus

【Overview】
Item                  Content
Target countries      Japan, Russia, Nepal, South Korea, China, India, Kuwait, Romania

【Latest Information】

◆APT37 hackers deploy new FadeStealer eavesdropping malware (BleepingComputer, 2023/06/21 16:16)
https://www.bleepingcomputer.com/news/security/apt37-hackers-deploy-new-fadestealer-eavesdropping-malware/
https://malware-log.hatenablog.com/entry/2023/06/21/000000_4

Articles

【News】

■2016

◆Flash zero-day attack, APT group "ScarCruft" suspected of involvement - mitigable with EMET (Security NEXT, 2016/06/15)
http://www.security-next.com/070993
http://malware-log.hatenablog.com/entry/2016/06/15/000000_1

◆APT Group Uses Flash Zero-Day to Attack High-Profile Targets (SECURITYWEEK, 2016/06/15)
http://www.securityweek.com/apt-group-uses-flash-zero-day-attack-high-profile-targets
http://malware-log.hatenablog.com/entry/2018-06-15/000000

◆Adobe Flash Player 22.0.0.192 release fixes the Flash Player zero-day vulnerability (CVE-2016-4171) exploited by the APT group dubbed ScarCruft. (Security Affairs, 2016/06/19)
http://securityaffairs.co/wordpress/48531/cyber-crime/flash-zero-day-scarcruft.html
http://malware-log.hatenablog.com/entry/2016/06/19/000000_1


■2018

◆North Korean hackers belonging to the North Korea Group 123 have conducted at least six different massive malware campaigns during 2017. (Security Affairs, 2018/01/18)
http://securityaffairs.co/wordpress/67895/hacking/north-korea-group-123.html
http://malware-log.hatenablog.com/entry/2018/01/18/000000_8

◆Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild (Security Affairs, 2018/02/05)
http://securityaffairs.co/wordpress/68718/hacking/north-korea-adobe-flash-0day.html
http://malware-log.hatenablog.com/entry/2018/02/05/000000_2

◆THE TOOLSET OF AN ELITE NORTH KOREAN HACKER GROUP ON THE RISE (WIRED, 2018/02/20)
https://www.wired.com/story/north-korean-hacker-group-apt37/
http://malware-log.hatenablog.com/entry/2018/02/20/000000_5

◆North Korean APT Group tracked as APT37 broadens its horizons (Security Affairs, 2018/02/21)
http://securityaffairs.co/wordpress/69339/apt/apt37-broadens-horizons.html
http://malware-log.hatenablog.com/entry/2018/02/21/000000_8

◆North Korean hackers "APT37" attack Japan, targeting sanctions information, according to analysis by a US company (Sankei Shimbun, 2018/02/21 07:20)
http://www.sankei.com/world/news/180221/wor1802210005-n1.html
http://malware-log.hatenablog.com/entry/2018/02/21/000000

◆North Korean hacker group suspected of state-backed attacks on Japan (Mainichi Shimbun, 2018/02/22)
https://mainichi.jp/articles/20180222/ddm/007/030/070000c
http://malware-log.hatenablog.com/entry/2018/02/22/000000_4

◆Japan also targeted: North Korean hacker group "APT37" steps up activity (サイバーセキュリティ.com, 2018/02/23)
https://cybersecurity-jp.com/news/22473
http://malware-log.hatenablog.com/entry/2018/02/23/000000_7

◆"Blamed on the North every time a cyber attack occurs": North Korean media criticizes Japan and the US (Japan Daily NK, 2018/03/08)
https://dailynk.jp/archives/106907
http://malware-log.hatenablog.com/entry/2018/03/08/000000_2

◆North Korea's intensifying cyber espionage: intelligence gathering ahead of the summit? Kim Jong-un's impatience shows through (Sankei Shimbun, 2018/04/10 07:00)
https://www.sankei.com/world/news/180410/wor1804100001-n1.html
http://malware-log.hatenablog.com/entry/2018/04/10/000000_1

◆Flash vulnerability exploited by North Korea now widely abused - attacks spreading mainly overseas, also seen in Japan (Security NEXT, 2018/04/20)
http://www.security-next.com/092519
http://malware-log.hatenablog.com/entry/2018/04/20/000000_2

◆Google Play malware targeting North Korean defectors (ASCII.jp, 2018/05/18 19:00)
http://ascii.jp/elem/000/001/678/1678970/
http://malware-log.hatenablog.com/entry/2018/05/18/000000_3

◆REDDAWN ESPIONAGE CAMPAIGN SHOWS MOBILE APTS ON THE RISE (Threatpost, 2018/05/18 08:42)
https://threatpost.com/reddawn-espionage-campaign-shows-mobile-apts-on-the-rise/132081/
http://malware-log.hatenablog.com/entry/2018/05/18/000000_2

◆NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT (paloalto, 2018/10/01 08:00)
https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/
http://malware-log.hatenablog.com/entry/2018/10/01/000000_1


■2019

◆North Korea's "state-sponsored" cyber attack groups: "APT37" targeting Japan and "APT38" targeting financial institutions (Internet Watch, 2019/04/23 12:36)
https://internet.watch.impress.co.jp/docs/news/1181712.html
https://malware-log.hatenablog.com/entry/2019/04/23/000000_7

◆ScarCruft APT Adds Bluetooth Harvester to its Malware Bag of Tricks (ThreatPost, 2019/05/13 12:46)
https://threatpost.com/scarcruft-apt-bluetooth-harvester/144643/
https://malware-log.hatenablog.com/entry/2019/05/13/000000_13

◆Cybercrime group "ScarCruft" strengthens intelligence collection with malware that identifies connected Bluetooth devices, among other tools (Jiji Press, 2019/05/20 16:40)
https://www.jiji.com/jc/article?k=000000130.000011471
https://malware-log.hatenablog.com/entry/2019/05/20/000000_1


■2021

◆Who launches cyber attacks? The 11 main attack groups targeting Japan (Codebook, 2021/12/17 05:30)
https://codebook.machinarecord.com/15746/
https://malware-log.hatenablog.com/entry/2021/12/17/000000_14


■2022

◆North Korean hackers targeting journalists with novel malware (BleepingComputer, 2022/04/25)
https://www.bleepingcomputer.com/news/security/north-korean-hackers-targeting-journalists-with-novel-malware/
https://malware-log.hatenablog.com/entry/2022/04/25/000000_2

◆North Korean hackers attack EU targets with Konni RAT malware (BleepingComputer, 2022/07/23 12:08)
https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/
https://malware-log.hatenablog.com/entry/2022/07/23/000000

◆Nation-state Hackers Target Journalists with Goldbackdoor Malware (ThreatPost, 2022/04/26 07:38)
https://threatpost.com/hackers-target-journalists-goldbackdoor/179389/
https://malware-log.hatenablog.com/entry/2022/04/26/000000_5

◆North Korean cybercrime group "APT37" found to have carried out attacks exploiting an Internet Explorer zero-day vulnerability (Gigazine, 2022/12/08)
https://gigazine.net/news/20221208-north-korean-apt37-internet-explorer-exploit/
https://malware-log.hatenablog.com/entry/2022/12/08/000000_1


■2023

◆Hangul (HWP) malware using steganography: RedEyes (ScarCruft) (AhnLab, 2023/02/14)
https://asec.ahnlab.com/ko/47622/
https://malware-log.hatenablog.com/entry/2023/02/14/000000_3

◆North Korea's APT37 Targeting Southern Counterpart with New M2RAT Malware (The Hacker News, 2023/02/15)
https://thehackernews.com/2023/02/north-koreas-apt37-targeting-southern.html
https://malware-log.hatenablog.com/entry/2023/02/15/000000_1

◆APT37 hackers deploy new FadeStealer eavesdropping malware (BleepingComputer, 2023/06/21 16:16)
https://www.bleepingcomputer.com/news/security/apt37-hackers-deploy-new-fadestealer-eavesdropping-malware/
https://malware-log.hatenablog.com/entry/2023/06/21/000000_4

【Blogs】

■2016

◆CVE-2016-4171 – Adobe Flash Zero-day used in targeted attacks (SecureList, 2016/06/14)
https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/
http://malware-log.hatenablog.com/entry/2016/06/14/000000_10

◆Operation Daybreak (SECURELIST, 2016/06/17)

Flash zero-day exploit deployed by the ScarCruft APT Group

https://securelist.com/blog/research/75100/operation-daybreak/
http://malware-log.hatenablog.com/entry/2016/06/17/000000_7


■2018

◆Korea In The Crosshairs (Talos, 2018/01/16)
http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html
http://malware-log.hatenablog.com/entry/2018/01/16/000000_8

◆APT37 (Reaper): The Overlooked North Korean Actor (FireEye, 2018/02/20)
https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html
http://malware-log.hatenablog.com/entry/2018/02/20/000000_7

◆North Korean cyber attack group "APT37" steps up activity (THE ZERO/ONE, 2018/03/02)
https://the01.jp/p0006529/
http://malware-log.hatenablog.com/entry/2018/03/02/000000_3

◆NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea (Talos(CISCO), 2018/05/31)
https://blog.talosintelligence.com/2018/05/navrat.html?m=1
http://malware-log.hatenablog.com/entry/2018/05/31/000000_5

【Reports】

■2018

◆APT37 (REAPER) (FireEye, 2018/02/20)
https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf
http://malware-log.hatenablog.com/entry/2018/02/20/000000_6

◆APT37 (REAPER) (FireEye, 2018/02/21)

The little-known North Korean attack group (Japanese edition)

https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt37-JP.pdf
http://malware-log.hatenablog.com/entry/2018/02/21/000000_9

【Figures】

■2018

[Figure] Targets of APT37
Source: https://the01.jp/p0006529/

[Figure] Timeline of malware developed by "Sun Team (APT37)"
Source: http://ascii.jp/elem/000/001/678/1678970/

[Figure] (untitled)
Source: https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html


Related Information

【Related Summary Articles】

Overall summaries
 ◆Attack Groups / Actor (Summary)

◆Targeted Attack Groups / APT (Summary)
https://malware-log.hatenablog.com/entry/APT


【Indicators】

■Hash information (SHA256)

SHA256                                                            Note
e5f191531bc1c674ea74f8885449f4d934d5f1aa7fd3aaa283fe70f9402b9574  Malicious HWP
4f06eaed3dd67ce31e7c8258741cf727964bd271c3590ded828ad7ba8d04ee57  NavRAT

(The above is Talos information; source: https://blog.talosintelligence.com/2018/05/navrat.html?m=1)


■Hash information (SHA256) - 2016 NavRAT sample

  • 0257d187be69b9bee0a731437bf050d56d213b50a6fd29dd6664e7969f286ef

(The above is Talos information; source: https://blog.talosintelligence.com/2018/05/navrat.html?m=1)


【Indicators】

■ Hash information (SHA256) - Golden Time

Type      SHA256
Maldoc 7d163e36f47ec56c9fe08d758a0770f1778fa30af68f39aac80441a3f037761e
Maldoc 5441f45df22af63498c63a49aae82065086964f9067cfa75987951831017bd4f
ROKRAT cd166565ce09ef410c5bba40bad0b49441af6cfb48772e7e4a9de3d646b4851c
ROKRAT 051463a14767c6477b6dacd639f30a8a5b9e126ff31532b58fc29c8364604d00


■ Hash information (SHA256) - Evil New Year

Type      SHA256
Maldoc 281828d6f5bd377f91c6283c34896d0483b08ac2167d34e981fbea871893c919
Dropped 95192de1f3239d5c0a7075627cf9845c91fd397796383185f61dde893989c08a
Dropped 7ebc9a1fd93525fc42277efbccecf5a0470a0affbc4cf6c3934933c4c1959eb1
Dropped 6c372f29615ce8ae2cdf257e9f2617870c74b321651e9219ea16847467f51c9f
Dropped 19e4c45c0cd992564532b89a4dc1f35c769133167dc20e40b2a41fccb881277b
Dropped 3a0fc4cc145eafe20129e9c53aac424e429597a58682605128b3656c3ab0a409
Dropped 7d8008028488edd26e665a3d4f70576cc02c237fffe5b8493842def528d6a1d8
Unpacked 7e810cb159fab5baccee7e72708d97433d92ef6d3ef7d8b6926c2df481ccac2f
Unpacked 21b098d721ea88bf237c08cdb5c619aa435046d9143bd4a2c4ec463dcf275cbe
Unpacked 761454dafba7e191587735c0dc5c6c8ab5b1fb87a0fa44bd046e8495a27850c7
Unpacked 3d442c4457cf921b7a335c0d7276bea9472976dc31af94ea0e604e466596b4e8
Unpacked 930fce7272ede29833abbfb5df4e32eee9f15443542434d7a8363f7a7b2d1f00
Unpacked 4b20883386665bd205ac50f34f7b6293747fd720d602e2bb3c270837a21291b4
Unpacked f080f019073654acbe6b7ab735d3fd21f8942352895890d7e8b27fa488887d08


■ Hash information (SHA256) - Are You Happy?

Type      SHA256
Wiper 6332c97c76d2da7101ad05f501dc1188ac22ce29e91dab6d0c034c4a90b615bd


■ Hash information (SHA256) - FreeMilk

Type      SHA256
Office f1419cde4dd4e1785d6ec6d33afb413e938f6aece2e8d55cf6328a9d2ac3c2d0
HTA a585849d02c94e93022c5257b162f74c0cdf6144ad82dd7cf7ac700cbfedd84f
JS 1893af524edea4541c317df288adbf17ae4fcc3a30d403331eae541281c71a3c
PoohMilk 35273d6c25665a19ac14d469e1436223202be655ee19b5b247cb1afef626c9f2
Freenki 7f35521cdbaa4e86143656ff9c52cef8d1e5e5f8245860c205364138f82c54df
Freenki 2016 99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5


■ Hash information (SHA256) - North Korean Human Rights

Type      SHA256
Maldoc 71e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824
Dropper a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037
Dropper eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14
Dropper 9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f
ROKRAT b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e


■ Hash information (SHA256) - Evil New Year 2018

Type      SHA256
Maldoc f068196d2c492b49e4aae4312c140e9a6c8c61a33f61ea35d74f4a26ef263ead
PNG bdd48dbed10f74f234ed38908756b5c3ae3c79d014ecf991e31b36d957d9c950
ROKRAT 3f7827bf26150ec26c61d8dbf43cdb8824e320298e7b362d79d7225ab3d655b1

Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2023