North Korean hacker group APT37 is using zero-day vulnerabilities to attack Japan, Vietnam and Middle Eastern countries


On February 2, 2018, a research team from the cyber-security company FireEye published a blog post detailing how a hacker group suspected of being associated with North Korea used the Adobe Flash zero-day vulnerability CVE-2018-4878 in a cyber-espionage campaign. FireEye now tracks the group behind that campaign as APT37 (aka “Reaper”).

According to FireEye’s analysis of recent APT37 activity, the group is expanding the scope of its operations and growing in sophistication, including the use of more zero-day vulnerabilities and of destructive malware such as disk wipers.

FireEye assesses with high confidence that APT37’s activity is linked to the DPRK, because the interests the group pursues, as reflected in the malware it uses, align with those of the North Korean state. In addition, APT37’s activity overlaps heavily with that of the publicly reported hacker groups Scarcruft and Group123.

APT37 has been active since at least 2012, initially focusing on South Korea. Since 2017, however, its operations have expanded to Japan, Vietnam and the Middle East, and its targeting now spans a range of vertical industries, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare.


APT37’s growing sophistication is reflected mainly in its exploitation of vulnerabilities. In earlier attacks, the group relied chiefly on vulnerabilities in the Hangul Word Processor (HWP). Its recent activity shows that it can now leverage zero-day vulnerabilities in Adobe Flash and other software, and that it can weaponize a vulnerability quickly once it is publicly disclosed. FireEye confirmed that APT37 has been using the Adobe Flash zero-day CVE-2018-4878 to distribute malware since at least November 2017.


FireEye emphasized that APT37’s capabilities had previously been underestimated. In its early days, the group used malware only for initial intrusion or data exfiltration. In its follow-on activity, however, it has begun to use a variety of custom-developed malware. Beyond espionage, some of this malware is destructive, such as disk wipers.

Read the full report: APT37 (REAPER) The Overlooked North Korean Actor