ATK4

Presumed Origin: North Korea

Alias: APT 37, APT37, Dark Seoul, DarkSeoul, Group 123, Group123, Operation Daybreak, Operation Erebus, Reaper, Reaper Group, Red Eyes, Ricochet Chollima, ScarCruft, StarCruft, TEMP.Reaper, Venus 121

ATK4 (aka: Reaper by FireEye, TEMP.Reaper by FireEye, APT 37 by Mandiant, Ricochet Chollima by CrowdStrike, ScarCruft by Kaspersky, Thallium by Microsoft, Group 123 by Talos, Red Eyes by AhnLab, Geumseong121, Venus 121 by ESRC, Hermit by Tencent, ITG10 by IBM) is a North Korean cyber espionage group active since at least 2012.


This group targets the public and private sectors mainly in South Korea. According to FireEye, the group's primary mission is to collect secret intelligence in support of North Korea's strategic military, political and economic interests.


This actor is considered competent and resourceful.


Focusing on South Korean targets, this group can be compared to Unit 91, which has similar objectives. While from 2014 to 2017 ATK4 mainly targeted the South Korean government, defense sector, industrial base and media, it has since moved to more international targets, with further attacks against the Middle East, Japan and Vietnam. These new targets are all tied to North Korean interests.


This group uses spear phishing, strategic web compromises, or torrent file sharing as an initial infection vector. From 2014 to 2017, their decoy documents were written in Korean and related to themes concerning the Korean Peninsula. The group uses various legitimate platforms as C2 and has access to several 0-day vulnerabilities.


The group can quickly integrate newly revealed vulnerabilities into its toolset. This can be explained by the collaboration of different units within the North Korean Reconnaissance General Bureau.


ATK4 uses a C2 infrastructure made up of compromised servers, messaging platforms, cloud services and social networks to communicate with and deploy its malware while avoiding detection.


Target sector

  • Aerospace
  • Chemicals
  • Defense
  • Energy
  • Government and administration agencies
  • Healthcare
  • High-Tech
  • Manufacturing
  • Military
  • Political Organizations
  • Transportation

Target countries

  • China
  • Nepal
  • Russian Federation
  • Romania
  • Japan
  • Korea, Republic of
  • India
  • Hong Kong
  • Kuwait
  • United Kingdom Of Great Britain And Northern Ireland
  • United States Of America
  • Viet Nam

Attack pattern

  • T1003 - Credential Dumping
  • T1005 - Data from Local System
  • T1012 - Query Registry
  • T1027 - Obfuscated Files or Information
  • T1027.003 - Steganography
  • T1033 - System Owner/User Discovery
  • T1036.001 - Invalid Code Signature
  • T1041 - Exfiltration Over C2 Channel
  • T1041 - Exfiltration Over Command and Control Channel
  • T1043 - Commonly Used Port
  • T1045 - Software Packing
  • T1055 - Process Injection
  • T1056 - Input Capture
  • T1056.001 - Keylogging
  • T1057 - Process Discovery
  • T1059 - Command-Line Interface
  • T1059.003 - Windows Command Shell
  • T1059.005 - Visual Basic
  • T1060 - Registry Run Keys / Startup Folder
  • T1063 - Security Software Discovery
  • T1064 - Scripting
  • T1070.004 - File Deletion
  • T1071 - Standard Application Layer Protocol
  • T1071.001 - Web Protocols
  • T1074 - Data Staged
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1088 - Bypass User Account Control
  • T1094 - Custom Command and Control Protocol
  • T1102 - Web Service
  • T1102.002 - Bidirectional Communication
  • T1105 - Ingress Tool Transfer
  • T1105 - Remote File Copy
  • T1106 - Execution through API
  • T1113 - Screen Capture
  • T1116 - Code Signing
  • T1120 - Peripheral Device Discovery
  • T1123 - Audio Capture
  • T1173 - Dynamic Data Exchange
  • T1189 - Drive-by Compromise
  • T1192 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1203 - Exploitation for Client Execution
  • T1204 - User Execution
  • T1204.002 - Malicious File
  • T1487 - Disk Structure Wipe
  • T1497 - Virtualization/Sandbox Evasion
  • T1497.001 - System Checks
  • T1518.001 - Security Software Discovery
  • T1529 - System Shutdown/Reboot
  • T1547.001 - Registry Run Keys / Startup Folder
  • T1548.002 - Bypass User Account Control
  • T1555.003 - Credentials from Web Browsers
  • T1555.004 - Windows Credential Manager
  • T1559.002 - Dynamic Data Exchange
  • T1561.002 - Disk Structure Wipe
  • T1566.001 - Spearphishing Attachment

Motivation

  • Espionage

Malwares

  • CORALDECK
  • DOGCALL
  • Final1stSpy
  • GELCAPSULE
  • HAPPYWORK
  • KARAE
  • MILKDROP
  • NavRat
  • POORAIM
  • RICECURRY
  • ROKRAT
  • RUHAPPY
  • SHUTTERSPEED
  • SLOWDRIFT
  • SOUNDWAVE
  • WINERACK
  • ZUMKONG
  • GoldBackdoor
  • Chinotto

Vulnerabilities

  • CVE-2013-0808
  • CVE-2013-4979
  • CVE-2014-8439
  • CVE-2015-2387
  • CVE-2015-2419
  • CVE-2015-2545
  • CVE-2015-3105
  • CVE-2015-5119
  • CVE-2015-5122
  • CVE-2015-7645
  • CVE-2016-1019
  • CVE-2016-4117
  • CVE-2017-0199
  • CVE-2018-0802
  • CVE-2018-4878