APT37 Expands TTPs

Analysis from cybersecurity firm FireEye recently revealed that the North Korean cyber-espionage group APT37, also known as "Reaper," is exploiting CVE-2018-4878, an Adobe Flash Player zero-day vulnerability previously reported in the NJCCIC Weekly Bulletin. FireEye also observed that recent APT37 activity has expanded in scope and toolset, including the deployment of wiper malware such as RUHAPPY and the exploitation of multiple zero-day vulnerabilities. The group targets public and private sector entities, primarily those based in South Korea; entities in Japan, Vietnam, and the Middle East have also been targeted. APT37 employs social engineering, web compromises, and torrent file-sharing sites to distribute malware to victims, and often exploits vulnerabilities in the Hangul Word Processor, an application widely used in South Korea. FireEye notes that APT37 is aligned with activity previously attributed to Scarcruft and Group123.

The NJCCIC recommends that those who may be considered high-value targets for cyber-espionage campaigns review the FireEye report for more information on APT37 activity, including the tactics, techniques, and procedures (TTPs) associated with the group. Organizations are strongly encouraged to implement a defense-in-depth cybersecurity strategy, apply the Principle of Least Privilege, and establish strong identity and access management controls, including multi-factor authentication.