TT Malware Log

A personal investigation and research log on malware, cyber attacks, and analysis techniques

APT37 (Summary)

[Figure: Targets of APT37]
Source: https://the01.jp/p0006529/


【Overview】

  • Aliases
    • APT37 (FireEye)
    • Reaper
    • Group123
    • ScarCruft (Kaspersky)
    • Ricochet Chollima
    • Red Eyes
    • Dark Sleeper
    • FreeMilk
    • Sun Team
  • Targeted countries
    • Russia, Nepal, South Korea, China, India, Kuwait, Romania


【Public Information】

◆APT37 (FireEye)
https://www.fireeye.com/current-threats/apt-groups.html

◆Fear The Reaper - North Korean Group APT37
https://exchange.xforce.ibmcloud.com/collection/Fear-The-Reaper-North-Korean-Group-APT37-dc96e8bdff7573efb87d43d7584c1fbc


【News】

◆Flash zero-day attack possibly linked to APT group "ScarCruft" - mitigable with EMET (Security NEXT, 2016/06/15)
http://www.security-next.com/070993
http://malware-log.hatenablog.com/entry/2016/06/15/000000_1

◆APT Group Uses Flash Zero-Day to Attack High-Profile Targets (SECURITYWEEK, 2016/06/15)
http://www.securityweek.com/apt-group-uses-flash-zero-day-attack-high-profile-targets
http://malware-log.hatenablog.com/entry/2018-06-15/000000

◆Adobe Flash Player 22.0.0.192 release fixes the Flash Player zero-day vulnerability (CVE-2016-4171) exploited by the APT group dubbed ScarCruft. (Security Affairs, 2016/06/19)
http://securityaffairs.co/wordpress/48531/cyber-crime/flash-zero-day-scarcruft.html
http://malware-log.hatenablog.com/entry/2016/06/19/000000_1

◆North Korean hackers belonging to the North Korea Group 123 have conducted at least six different massive malware campaigns during 2017. (Security Affairs, 2018/01/18)
http://securityaffairs.co/wordpress/67895/hacking/north-korea-group-123.html
http://malware-log.hatenablog.com/entry/2018/01/18/000000_8

◆Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild (Security Affairs, 2018/02/05)
http://securityaffairs.co/wordpress/68718/hacking/north-korea-adobe-flash-0day.html
http://malware-log.hatenablog.com/entry/2018/02/05/000000_2

◆THE TOOLSET OF AN ELITE NORTH KOREAN HACKER GROUP ON THE RISE (WIRED, 2018/02/20)
https://www.wired.com/story/north-korean-hacker-group-apt37/
http://malware-log.hatenablog.com/entry/2018/02/20/000000_5

◆North Korean APT Group tracked as APT37 broadens its horizons (Security Affairs, 2018/02/21)
http://securityaffairs.co/wordpress/69339/apt/apt37-broadens-horizons.html
http://malware-log.hatenablog.com/entry/2018/02/21/000000_8

◆North Korean hackers "APT37" attack Japan in pursuit of sanctions information, US company analysis finds (Sankei Shimbun, 2018/02/21 07:20)
http://www.sankei.com/world/news/180221/wor1802210005-n1.html
http://malware-log.hatenablog.com/entry/2018/02/21/000000

◆North Korean hacker group possibly attacking Japan with state backing (Mainichi Shimbun, 2018/02/22)
https://mainichi.jp/articles/20180222/ddm/007/030/070000c
http://malware-log.hatenablog.com/entry/2018/02/22/000000_4

◆Japan also targeted as North Korean hacker group "APT37" becomes more active (サイバーセキュリティ.com, 2018/02/23)
https://cybersecurity-jp.com/news/22473

◆"Blaming the North every time a cyber attack occurs"... North Korean media criticizes Japan and the US (Japan Daily NK, 2018/03/08)
https://dailynk.jp/archives/106907

◆The North's frantic cyber espionage: gathering intelligence ahead of the summit? Hints of Kim Jong-un's impatience (Sankei Shimbun, 2018/04/10 07:00)
https://www.sankei.com/world/news/180410/wor1804100001-n1.html
http://malware-log.hatenablog.com/entry/2018/04/10/000000_1

◆Flash vulnerability abused by North Korea now widely exploited - attacks spreading mainly overseas, also seen in Japan (Security NEXT, 2018/04/20)
http://www.security-next.com/092519

◆Google Play malware targeting North Korean defectors (ASCII.jp, 2018/05/18 19:00)
http://ascii.jp/elem/000/001/678/1678970/


【Blogs】

◆CVE-2016-4171 – Adobe Flash Zero-day used in targeted attacks (SecureList, 2016/06/14)
https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/
http://malware-log.hatenablog.com/entry/2016/06/14/000000_10

◆Operation Daybreak (SECURELIST, 2016/06/17)

Flash zero-day exploit deployed by the ScarCruft APT Group

https://securelist.com/blog/research/75100/operation-daybreak/
http://malware-log.hatenablog.com/entry/2016/06/17/000000_7

◆Korea In The Crosshairs (Talos, 2018/01/16)
http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html

◆APT37 (Reaper): The Overlooked North Korean Actor (FireEye, 2018/02/20)
https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html
http://malware-log.hatenablog.com/entry/2018/02/20/000000_7

◆North Korean cyber attack group "APT37" becomes more active (THE ZERO/ONE, 2018/03/02)
https://the01.jp/p0006529/
http://malware-log.hatenablog.com/entry/2018/03/02/000000_3

◆NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea (Talos(CISCO), 2018/05/31)
https://blog.talosintelligence.com/2018/05/navrat.html?m=1


【Reports】

◆APT37 (REAPER) (FireEye, 2018/02/20)
https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf
http://malware-log.hatenablog.com/entry/2018/02/20/000000_6

◆APT37 (REAPER) (FireEye, 2018/02/21)

The little-known North Korean attack group (Japanese edition)

https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt37-JP.pdf
http://malware-log.hatenablog.com/entry/2018/02/21/000000_9


【Reference Information】

[Figure: Timeline of malware developed by "Sun Team (APT37)"]
Source: http://ascii.jp/elem/000/001/678/1678970/



【Indicator Information】

■Hash Information (SHA256)

SHA256 Notes
e5f191531bc1c674ea74f8885449f4d934d5f1aa7fd3aaa283fe70f9402b9574 malicious HWP document
4f06eaed3dd67ce31e7c8258741cf727964bd271c3590ded828ad7ba8d04ee57 NavRAT

(The above is Talos's information; source: https://blog.talosintelligence.com/2018/05/navrat.html?m=1)


■Hash Information (SHA256) - 2016 NavRAT sample

  • 0257d187be69b9bee0a731437bf050d56d213b50a6fd29dd6664e7969f286ef

(The above is Talos's information; source: https://blog.talosintelligence.com/2018/05/navrat.html?m=1)


Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2017