Threat Watch

North Korean Hackers Resume Campaign After December Takedown

APT37/Geumseong121: A Microsoft operation in December 2019 took down 50 websites known to be affiliated with North Korean threat group APT37. According to researchers from South Korea-based security company ESTsecurity Response Center (ESRC), they have now found a new campaign that started in March 2020, which they attribute to APT37. The campaign has been called “Operation Spy Cloud” by researchers because it uses popular cloud servers such as Google Drive and PickCloud to disguise the network communication with the malware, blending in with legitimate traffic to evade detection by security teams. The campaign targeted individuals through spear-phishing emails, enticing victims to click on links to information about North Korean refugees. The links actually lead to malicious documents and spreadsheet files including .doc, .xls to .hwp, which is a word processor format used by the Korean Government, and utilize Visual Basic for Applications (VBA) macro files to install malware on victims’ computers. The malware connects to the Command and Control (C2) server using Google Drive and attempts to share system information to PickCloud. After this is done, APT37 is able to install additional backdoors.

ANALYST NOTES

It is difficult for network-based security sensors to detect malware communicating with public cloud service providers such as Google, because so much legitimate network traffic also goes to Google’s servers and all of it is encrypted. It is important to also use an Endpoint Detection and Response (EDR) solution to have visibility into unusual behavior on workstations and servers, including macro-enabled document files that may give attackers remote access. ESRC researchers attributed these attacks to APT37 based on the tactics, techniques, and procedures used in this campaign. Similar coding techniques were found in this campaign as in previous for APT37 and the email address that was used to register cloud services was similar to an account the group had used before. Researchers are unclear if the attackers managed to leverage any information from people throughout this campaign or if there is a financial motive in these attacks, which is common amongst North Korean threat actors. More information can be read here: https://www.cyberscoop.com/apt37-geumseong121-north-korea-hackers-estsecurity/