CozyDuke APT group believed to have targeted White House and State Department

Reputed North Korean APT group TEMP.Reaper, the alleged culprit behind a zero-day ROKRAT malware campaign leveraging Adobe Flash Player vulnerability CVE-2018-4878, has been expanding its global target list despite remaining largely under the radar, according to a new FireEye research report.

Reaper, which FireEye is also calling APT37, has primarily targeted South Koreans with its recent Flash campaign. But in 2017, the adversary – also known as Group123 – reached beyond the Korean peninsula, reports FireEye. Among its targets were a Middle Eastern financial company that provides telecommunications services, a Vietnamese trading and transport company, and also possibly individuals who help Olympics organizations procure resources for athletes.

One possible reason the Middle Eastern financial firm was chosen as the target of an APT37 spear phishing campaign, FireEye suggests, is that a business relationship it had formed with an unnamed North Korean company had publicly soured. Reaper actors reportedly sent one of the company's board members a fake bank liquidation letter, in the form of an attachment that exploited the Microsoft Office vulnerability CVE-2017-0199 to deliver the “SHUTTERSPEED” backdoor, which can harvest system information, grab screenshots and download additional malicious files.

Other recent targets, according to FireEye, include individuals tied to North Korean human rights issues and strategic organizations, an unnamed entity in Japan linked to United Nations sanctioning and human rights missions, and South Korean academic and strategic institutions.

“North Korea has repeatedly demonstrated a willingness to leverage its cyber capabilities for a variety of purposes, undeterred by notional redlines and international norms. Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions, APT37 is an additional tool available to the regime, perhaps even desirable for its relative obscurity,” FireEye states in its report. “We anticipate APT37 will be leveraged more and more in previously unfamiliar roles and regions, especially as pressure mounts on their sponsor.”

Just last month, Cisco Systems' Talos research team similarly profiled APT37's 2017 activities in its own research blog post. Additional reports linking the Adobe Flash attack to Reaper then broke in early February.

FireEye has also observed Reaper grow in sophistication, noting a “high operational tempo and specialized expertise,” with a particular affinity for quickly utilizing exploits – especially Flash ones – shortly after they are publicized. The group is also known to use a combination of spear phishing emails, website compromises, and torrent file-sharing sites to distribute malware.

Interestingly, one of the strongest clues that APT37 acts in support of the North Korean government was reportedly uncovered after the presumed developer of several Reaper malware payloads mistakenly disclosed his own personal data, revealing he was operating from an IP address and access point linked to the dictatorial nation. FireEye also has noted that the compilation times of APT37 malware programs are consistent with North Korea's typical workday hours, and that Reaper's targets are consistent with North Korean objectives.
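The working-hours check FireEye mentions is a routine attribution heuristic: pull the compile timestamp out of each sample's PE header, convert it to the suspected operator's wall-clock time, and see whether the hours cluster inside a normal workday. The script below is an added illustration of that check, not FireEye's code or data. The PE headers and timestamps it analyzes are constructed in-line so it runs offline, and the 09:00-18:00 window is an assumed analyst heuristic. One caveat a practitioner has to handle: North Korea used UTC+8:30 (“Pyongyang Time”) from 15 August 2015 until it returned to UTC+9 on 5 May 2018, so the conversion must be date-aware or a 2017 sample will land half an hour off.

```python
"""Compile-timestamp working-hours check for a set of PE samples.

Added illustration, not FireEye's code or data. The PE stubs are constructed
in-line so the script runs offline; the 09:00-18:00 window is an assumed
analyst heuristic.
"""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# North Korea kept UTC+8:30 from 15 Aug 2015 until it returned to UTC+9 on
# 5 May 2018. Both changes took effect at local midnight; the boundaries are
# approximated here at UTC midnight.
PYT_START = datetime(2015, 8, 15, tzinfo=timezone.utc)
PYT_END = datetime(2018, 5, 5, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (seconds since the Unix epoch)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine (2) | NumberOfSections (2) | TimeDateStamp (4) | ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def pyongyang_offset(when_utc: datetime) -> timedelta:
    """UTC offset in force in North Korea at the given instant."""
    if PYT_START <= when_utc < PYT_END:
        return timedelta(hours=8, minutes=30)
    return timedelta(hours=9)


def local_compile_time(ts: int) -> datetime:
    """Convert a PE TimeDateStamp to Pyongyang wall-clock time (date-aware offset)."""
    when_utc = datetime.fromtimestamp(ts, tz=timezone.utc)
    return when_utc.astimezone(timezone(pyongyang_offset(when_utc)))


def workday_profile(timestamps, start_hour=9, end_hour=18):
    """Tally local compile hours; return (Counter by hour, share inside the window)."""
    by_hour = Counter(local_compile_time(ts).hour for ts in timestamps)
    inside = sum(n for h, n in by_hour.items() if start_hour <= h < end_hour)
    share = inside / len(timestamps) if timestamps else 0.0
    return by_hour, share


def make_pe_stub(ts: int) -> bytes:
    """Constructed minimal PE header carrying the given TimeDateStamp (test data only)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHI", 0x014C, 1, ts)  # i386, one section
    return dos + coff


if __name__ == "__main__":
    # Constructed timestamps: 2017-06-14 01:30Z (10:00 PYT), 2019-03-05 01:30Z
    # (10:30 KST-equivalent UTC+9) and 2017-06-14 16:00Z (00:30 local next day).
    samples = [make_pe_stub(t) for t in (1497403800, 1551749400, 1497456000)]
    stamps = [pe_timestamp(s) for s in samples]
    for ts in stamps:
        print(local_compile_time(ts).isoformat())
    by_hour, share = workday_profile(stamps)
    print(dict(by_hour), f"{share:.0%} inside 09:00-18:00")
```

Compile timestamps are trivially forgeable and some toolchains zero or randomize them, so a clean workday cluster is supporting evidence at best; FireEye pairs it with targeting and the operator's own IP exposure rather than relying on it alone.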

FireEye reports that APT37 generally favors malware that exfiltrates information from victims – although one of its payloads, RUHAPPY, can also serve as a destructive disk wiper.

Wary of Pyongyang's cyber aggression and threats of nuclear strikes, the U.S. may be developing plans to strike North Korean targets with a “bloody nose” attack that relies primarily on cyberwarfare tactics, as opposed to conventional weapons, according to a report in Foreign Policy magazine that cites two former intelligence officials. The article further states that the U.S. government has spent the last six months installing fiber cables, remote bases, and listening posts in Japan and South Korea, as a means for hackers to attempt to access North Korea's Internet.