TT Malware Log

A personal research, study and reference log on malware, cyber attacks and analysis techniques

APT37 (Summary)

Overview

【Aliases】

Group name          Named by
APT37               FireEye
Reaper
Group123
ScarCruft           Kaspersky
Ricochet Chollima
Red Eyes
Dark Sleeper
FreeMilk
Sun Team


【Overview】

Target countries: Russia, Nepal, South Korea, China, India, Kuwait, Romania


【Dictionary】

◆APT37 (FireEye)
https://www.fireeye.com/current-threats/apt-groups.html


【News】

◆Flash zero-day attack possibly involving APT group "ScarCruft" - mitigable with EMET (Security NEXT, 2016/06/15)
http://www.security-next.com/070993
http://malware-log.hatenablog.com/entry/2016/06/15/000000_1

◆APT Group Uses Flash Zero-Day to Attack High-Profile Targets (SECURITYWEEK, 2016/06/15)
http://www.securityweek.com/apt-group-uses-flash-zero-day-attack-high-profile-targets
http://malware-log.hatenablog.com/entry/2018-06-15/000000

◆Adobe Flash Player 22.0.0.192 release fixes the Flash Player zero-day vulnerability (CVE-2016-4171) exploited by the APT group dubbed ScarCruft. (Security Affairs, 2016/06/19)
http://securityaffairs.co/wordpress/48531/cyber-crime/flash-zero-day-scarcruft.html
http://malware-log.hatenablog.com/entry/2016/06/19/000000_1

◆North Korean hackers belonging to the North Korea Group 123 have conducted at least six different massive malware campaigns during 2017. (Security Affairs, 2018/01/18)
http://securityaffairs.co/wordpress/67895/hacking/north-korea-group-123.html
http://malware-log.hatenablog.com/entry/2018/01/18/000000_8

◆Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild (Security Affairs, 2018/02/05)
http://securityaffairs.co/wordpress/68718/hacking/north-korea-adobe-flash-0day.html
http://malware-log.hatenablog.com/entry/2018/02/05/000000_2

◆THE TOOLSET OF AN ELITE NORTH KOREAN HACKER GROUP ON THE RISE (WIRED, 2018/02/20)
https://www.wired.com/story/north-korean-hacker-group-apt37/
http://malware-log.hatenablog.com/entry/2018/02/20/000000_5

◆North Korean APT Group tracked as APT37 broadens its horizons (Security Affairs, 2018/02/21)
http://securityaffairs.co/wordpress/69339/apt/apt37-broadens-horizons.html
http://malware-log.hatenablog.com/entry/2018/02/21/000000_8

◆North Korean hackers "APT37" attack Japan, targeting sanctions information, US firm's analysis finds (Sankei Shimbun, 2018/02/21 07:20)
http://www.sankei.com/world/news/180221/wor1802210005-n1.html
http://malware-log.hatenablog.com/entry/2018/02/21/000000

◆North Korean hacker group may be attacking Japan with state backing (Mainichi Shimbun, 2018/02/22)
https://mainichi.jp/articles/20180222/ddm/007/030/070000c
http://malware-log.hatenablog.com/entry/2018/02/22/000000_4

◆Japan also targeted as North Korean hacker group "APT37" steps up activity (サイバーセキュリティ.com, 2018/02/23)
https://cybersecurity-jp.com/news/22473
http://malware-log.hatenablog.com/entry/2018/02/23/000000_7

◆"Every time a cyber attack occurs it gets pinned on the North"... North Korean media denounce Japan and the US (Japan Daily NK, 2018/03/08)
https://dailynk.jp/archives/106907
http://malware-log.hatenablog.com/entry/2018/03/08/000000_2

◆North Korea ramps up cyber espionage: gathering intelligence ahead of the summit? Kim Jong Un's impatience shows through (Sankei Shimbun, 2018/04/10 07:00)
https://www.sankei.com/world/news/180410/wor1804100001-n1.html
http://malware-log.hatenablog.com/entry/2018/04/10/000000_1

◆Flash vulnerability abused by North Korea now widely exploited - attacks spreading mainly overseas, also seen in Japan (Security NEXT, 2018/04/20)
http://www.security-next.com/092519
http://malware-log.hatenablog.com/entry/2018/04/20/000000_2

◆Google Play malware targeting North Korean defectors (ASCII.jp, 2018/05/18 19:00)
http://ascii.jp/elem/000/001/678/1678970/
http://malware-log.hatenablog.com/entry/2018/05/18/000000_3

◆REDDAWN ESPIONAGE CAMPAIGN SHOWS MOBILE APTS ON THE RISE (Threatpost, 2018/05/18 08:42)
https://threatpost.com/reddawn-espionage-campaign-shows-mobile-apts-on-the-rise/132081/
http://malware-log.hatenablog.com/entry/2018/05/18/000000_2

◆NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT (paloalto, 2018/10/01 08:00)
https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/
http://malware-log.hatenablog.com/entry/2018/10/01/000000_1


【Blogs】

◆CVE-2016-4171 – Adobe Flash Zero-day used in targeted attacks (SecureList, 2016/06/14)
https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/
http://malware-log.hatenablog.com/entry/2016/06/14/000000_10

◆Operation Daybreak (SECURELIST, 2016/06/17)

Flash zero-day exploit deployed by the ScarCruft APT Group

https://securelist.com/blog/research/75100/operation-daybreak/
http://malware-log.hatenablog.com/entry/2016/06/17/000000_7

◆Korea In The Crosshairs (Talos, 2018/01/16)
http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html
http://malware-log.hatenablog.com/entry/2018/01/16/000000_8

◆APT37 (Reaper): The Overlooked North Korean Actor (FireEye, 2018/02/20)
https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html
http://malware-log.hatenablog.com/entry/2018/02/20/000000_7

◆North Korean cyber attack group "APT37" becomes more active (THE ZERO/ONE, 2018/03/02)
https://the01.jp/p0006529/
http://malware-log.hatenablog.com/entry/2018/03/02/000000_3

◆NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea (Talos(CISCO), 2018/05/31)
https://blog.talosintelligence.com/2018/05/navrat.html?m=1
http://malware-log.hatenablog.com/entry/2018/05/31/000000_5


【Public information】

◆Fear The Reaper - North Korean Group APT37
https://exchange.xforce.ibmcloud.com/collection/Fear-The-Reaper-North-Korean-Group-APT37-dc96e8bdff7573efb87d43d7584c1fbc
https://malware-log.hatenablog.com/entry/2016/06/15/000000_2


【Reports】

◆APT37 (REAPER) (FireEye, 2018/02/20)
https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf
http://malware-log.hatenablog.com/entry/2018/02/20/000000_6

◆APT37 (REAPER) (FireEye, 2018/02/21)

The overlooked North Korean attack group

https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt37-JP.pdf
http://malware-log.hatenablog.com/entry/2018/02/21/000000_9


【Figures】

[Figure] Targets of APT37
Source: https://the01.jp/p0006529/

[Figure] Timeline of malware developed by "Sun Team (APT37)"
Source: http://ascii.jp/elem/000/001/678/1678970/

[Figure] (untitled)
Source: https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html


【Related summary articles】

Overall summary
 ◆Attack groups / Actor (Summary)

◆Targeted attack groups / APT (Summary)
https://malware-log.hatenablog.com/entry/APT


【Indicator information】

■Hash information (SHA256)

SHA256                                                              Notes
e5f191531bc1c674ea74f8885449f4d934d5f1aa7fd3aaa283fe70f9402b9574    Malicious HWP
4f06eaed3dd67ce31e7c8258741cf727964bd271c3590ded828ad7ba8d04ee57    NavRAT

(The above is Talos information; source: https://blog.talosintelligence.com/2018/05/navrat.html?m=1)


■Hash information (SHA256) - 2016 NavRAT sample

  • 0257d187be69b9bee0a731437bf050d56d213b50a6fd29dd6664e7969f286ef

(The above is Talos information; source: https://blog.talosintelligence.com/2018/05/navrat.html?m=1)


【Indicator information】

■ Hash information (SHA256) - Golden Time

Type     SHA256
Maldoc   7d163e36f47ec56c9fe08d758a0770f1778fa30af68f39aac80441a3f037761e
Maldoc   5441f45df22af63498c63a49aae82065086964f9067cfa75987951831017bd4f
ROKRAT   cd166565ce09ef410c5bba40bad0b49441af6cfb48772e7e4a9de3d646b4851c
ROKRAT   051463a14767c6477b6dacd639f30a8a5b9e126ff31532b58fc29c8364604d00


■ Hash information (SHA256) - Evil New Year



■ Hash information (SHA256) - Are You Happy?

Type     SHA256
Wiper    6332c97c76d2da7101ad05f501dc1188ac22ce29e91dab6d0c034c4a90b615bd


■ Hash information (SHA256) - FreeMilk



■ Hash information (SHA256) - North Korean Human Rights



■ Hash information (SHA256) - Evil New Year 2018

Type     SHA256
Maldoc   f068196d2c492b49e4aae4312c140e9a6c8c61a33f61ea35d74f4a26ef263ead
PNG      bdd48dbed10f74f234ed38908756b5c3ae3c79d014ecf991e31b36d957d9c950
ROKRAT   3f7827bf26150ec26c61d8dbf43cdb8824e320298e7b362d79d7225ab3d655b1

Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2019