The state-sponsored hacking group has been found surveilling victims and collecting huge amounts of sensitive data.
APT37, a North Korean hacking group, has used highly customizable malware to launch attacks against persons of interest – including human rights activists, journalists and North Korean defectors.
The group, also known as ScarCruft and Reaper, employs smishing (fake texts pretending to be from reputable companies) and spear-phishing (fake emails pretending to come from a trusted sender) campaigns to deliver the malware, called Chinotto, onto Windows and Android devices.
A team of Kaspersky researchers discovered a recent APT37 campaign. The hacking group was able to deploy malware and subsequently gain control over compromised devices – and gather user data which would ultimately be sent back to the hacker-owned servers. APT37 was also purportedly able to surveil users with screenshots and dispense new payloads.
APT37, ScarCruft, Reaper
APT37 has been an infamous and international threat since 2012, and FireEye, a US cybersecurity company, has confidently linked the group to the North Korean government.
Targeted attacks
The APT37 group predominantly targets North Korean defectors and journalists reporting on the regime, although any individual denoted as a person of interest by the North Korean government could feasibly be marked for surveillance.
During Kaspersky's investigation of the recent Chinotto attack, the team found the hackers installed a backdoor on victims' devices well after their first intrusions – and in one instance the hackers waited as long as six months to install the Chinotto malware.
Once installed, the malware allowed hackers to access personal data from devices belonging to victims who were, additionally, subject to months of surveillance. Kaspersky's report confirmed that the operator behind the Chinotto attack extracted screenshots between August 6th and September 8th of 2021.
Given the customizable nature of the malware, APT37 hackers can create custom variants to dupe their victims and evade detection. Kaspersky researchers even uncovered evidence of multiple payloads being deployed to the same infected device.
Sensitive information gained in the attacks was sent to web servers located predominantly in South Korea. Chinotto is able to gather a startling amount of information from Windows and Android devices, including text messages, call logs, audio recordings, and contact details – which can then be used to conduct smishing campaigns.
APT37 has been known to take advantage of stolen credentials to target fresh victims via text, email, and social media, and perpetuate a cycle of devastating cybercrime.
An emerging menace
Kaspersky undertook its research into the APT37 campaign by "providing support to human rights activists and defectors from North Korea against an actor seeking to surveil and track them". Unfortunately, instances like these are far too common across North Korea, and often affect individuals without the means or tools to defend themselves against insidious cyberattacks.
Until recently, APT37 had maintained a lower profile than other North Korean hacking groups – the most infamous of which is known as Lazarus. Lazarus has been responsible for a number of aggressive digital heists over the last few years, including a high-profile attack on Sony Pictures in 2014.
However, whilst APT37 is currently not as well-known as Lazarus, there's no reason to assume that the group is any less skilled or ambitious – in fact, since 2017, the group has targeted a Japanese organization connected to UN sanction enforcement and a Middle Eastern business involved in a fractious dispute with the North Korean government.
It's likely that, being sponsored by North Korea's regime, the hacking group could be directed toward a range of specific purposes that will continue to evolve along with the interests of the oppressive state.