The state-sponsored cybersecurity threat group known as APT37 has been observed carrying out sophisticated reconnaissance activities against South Korean targets.
The group, believed to be backed by North Korea, is focusing its cyberespionage efforts on various entities, including North Korean human rights groups, defectors, journalists covering North Korea, and experts in fields such as unification, national defense, foreign affairs, and security.
A recent analysis by the Genius Security Center (GSC) has uncovered a series of carefully orchestrated reconnaissance campaigns conducted by APT37.
These operations aim to gather crucial information about potential targets, such as IP addresses, web browser details, and operating system data.
The threat actors are employing a range of tactics to evade detection and infiltrate target systems. One notable strategy involves using Windows shortcut (.lnk) files as the primary vector for delivering malicious payloads.
In April, the group disguised an attack as a “North Korea Trends” document containing a hidden RoKRAT malware module.
This module was designed to search for and collect various document types and smartphone recording files from compromised systems.
The hackers have also been observed using legitimate-looking emails to conduct reconnaissance. In some cases, they send normal documents to lower suspicion levels or prompt replies, allowing them to gather additional information for future attacks.
The group has impersonated various personas, including former government officials, journalists, and North Korean human rights experts, to gain the trust of their targets.
APT37’s infrastructure has revealed sophisticated techniques, such as the use of web beacons embedded in emails to track user interactions and gather data on recipients’ IP addresses and browser information.
According to the GSC report, this collected data is then analyzed to refine their targeting and infiltration strategies.
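The two reconnaissance signals described above (a shortcut-file lure and a hidden tracking image in the e-mail body) are things a mail-triage script can flag before a recipient opens anything. The following is an added example written for this article, not code from the GSC report or from any product it mentions. The message it analyzes is constructed inline to mirror the described lure; the beacon heuristics (remote image that is 1x1/0x0 or hidden by inline style) and the attachment checks (.lnk extension, double extension, Shell Link file header) are the author's own assumptions about what a defender would look for.

```python
"""Triage an e-mail for two reconnaissance signals described in the article:
a shortcut (.lnk) attachment and a hidden remote image (web beacon)."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Windows Shell Link header: HeaderSize 0x4C followed by the ShellLink CLSID
# (00021401-0000-0000-C000-000000000046) in little-endian field order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")


class ImageCollector(HTMLParser):
    """Collect <img> tags with their attributes from an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height values of 0 or 1 pixel (typical beacon size)."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def find_beacons(html):
    """Return (remote_image_urls, beacon_urls) found in an HTML body.
    Any http(s) image is a remote fetch that reveals the reader's IP address
    and User-Agent on open; it is classed as a beacon when it is 1x1/0x0 or
    hidden via inline style, i.e. it renders nothing but still phones home."""
    collector = ImageCollector()
    collector.feed(html)
    remote, beacons = [], []
    for img in collector.images:
        src = img.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            continue  # inline (cid:/data:) images leak nothing on open
        remote.append(src)
        style = img.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if hidden or _tiny(img.get("width", "")) or _tiny(img.get("height", "")):
            beacons.append(src)
    return remote, beacons


def check_attachment(filename, payload):
    """Return the reasons an attachment looks like a shortcut-file lure."""
    reasons = []
    name = (filename or "").lower()
    if name.endswith(".lnk"):
        reasons.append("lnk extension")
        if name.count(".") > 1:
            reasons.append("double extension (document name hides .lnk)")
    if payload.startswith(LNK_MAGIC):
        reasons.append("Shell Link header")  # catches renamed .lnk files too
    return reasons


def analyze_message(raw):
    """Parse a raw RFC 5322 message and return the triage findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"remote_images": [], "beacons": [], "attachments": []}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            remote, beacons = find_beacons(part.get_content())
            report["remote_images"] += remote
            report["beacons"] += beacons
        elif part.is_attachment():
            reasons = check_attachment(part.get_filename(),
                                       part.get_payload(decode=True))
            if reasons:
                report["attachments"].append((part.get_filename(), reasons))
    return report


def build_sample():
    """Constructed sample (not from the GSC report) mirroring the described
    lure: a 'North Korea Trends' decoy with a .lnk attachment and an HTML
    body containing a hidden tracking image."""
    msg = EmailMessage()
    msg["From"] = "Former Official <sender@example.invalid>"
    msg["To"] = "researcher@example.invalid"
    msg["Subject"] = "North Korea Trends (draft for review)"
    msg.set_content("Please review the attached draft.")
    msg.add_alternative(
        '<html><body><p>Please review the attached draft.</p>'
        '<img src="https://cdn.example.invalid/logo.png" width="120" height="40">'
        '<img src="https://track.example.invalid/o?id=4f2a" width="1" height="1" '
        'style="display:none">'
        '</body></html>', subtype="html")
    msg.add_attachment(LNK_MAGIC + b"\x00" * 32, maintype="application",
                       subtype="octet-stream",
                       filename="North_Korea_Trends.docx.lnk")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in analyze_message(build_sample()).items():
        print(f"{key}: {value}")
```

Running the script prints the two remote image URLs, the single beacon URL, and the attachment with its three reasons. Checking the Shell Link header as well as the extension matters because a renamed shortcut still executes as one once a user double-clicks it; the mail gateway is the last point at which that file can be seen in isolation.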
Interestingly, some of the IP addresses used by the threat actors have been linked to North Korea-related virtual asset threat activities, as mentioned in a UN Security Council Report.
This connection further strengthens the attribution of these campaigns to North Korean state-sponsored hackers.
To combat these evolving threats, cybersecurity experts recommend the implementation of advanced Endpoint Detection and Response (EDR) solutions.
These tools can help organizations identify fileless attacks, detect abnormal behaviors, and track the step-by-step process of threats entering target systems.
As APT37 continues to refine its tactics and expand its targeting, organizations and individuals in South Korea and beyond must remain vigilant.
Staying informed about the latest cyber threat trends and implementing robust security measures are crucial steps in defending against these sophisticated state-sponsored attacks.
As geopolitical tensions continue to play out in the digital realm, the need for advanced cybersecurity measures and international cooperation in combating such threats becomes increasingly apparent.