Is my host protected against APT37?

A chain that uses a multi-stage malicious Word document to evade defenses and exfiltrate data. The macro-enabled document will first load a previously staged C2 config file and execute mshta.exe to run a second-stage HTA payload, which downloads a secondary Pneuma Agent as the third stage. The chain also collects keystrokes and exfiltrates the data using OneDrive. Similar behaviours were observed in APT37 when targeting South Korean users, North Korean defectors, policy makers, journalists and human rights activists.
This week, we're looking at the lesser known, but recently active threat actor group called APT37:
  • Is my host protected against APT37?

Is my host protected against APT37?

APT37 (also known as "Reaper") is a cyber espionage group believed to be operating out of North Korea. The group has been active since at least 2012 and has been linked to a number of cyber attacks against a range of targets, including governments, military organizations, financial institutions, and media companies in various countries.
APT37 is known for using a range of tactics and techniques, including the recent use of zero-day vulnerabilities and spearphishing attacks, to compromise target systems and exfiltrate sensitive data. APT37 has been particularly active in targeting South Korean organizations and individuals, as well as North Korean defectors, policy makers, journalists, and human rights activists. It is believed that the group is backed by the North Korean government and operates on its behalf.

Testing

Execute Operator’s "Is my host protected against APT37?" TTP on each host in your environment to test if you are vulnerable.

This chain is configured to stage a multi-stage malicious Word document to evade defenses and exfiltrate data. The macro-enabled document will first load a previously staged C2 config file and execute mshta.exe to run a second-stage HTA payload, which downloads a secondary Pneuma Agent as the third stage. This chain will also collect keystroke and clipboard data and exfiltrate it using OneDrive as part of post-exploitation activities. If the host is protected, the malicious Word document should be blocked or killed.

Remediation

To protect yourself from APT37, you should monitor for suspicious child processes of Microsoft Office applications, block and kill any suspicious related processes, and monitor for outbound connections attempting to exfiltrate data.
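The first remediation point, monitoring for suspicious child processes of Office applications, is easy to express as detection logic. The block below is an added example written for this post, not Prelude's or Operator's code: it runs a parent/child check over a few constructed process-creation records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine). It covers mshta.exe, the script host this chain uses, and generalizes to a short list of other script and shell hosts; both that list and the set of Office parents are assumptions for the example and should be tuned to your environment.

```python
"""Flag Office applications spawning script or shell hosts (added example).

Illustrative detection logic only, not Prelude/Operator code. The sample
events are constructed and the parent/child lists are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Office binaries that rarely have a legitimate reason to spawn a script host.
# Assumed set; extend for the Office products deployed in your estate.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Children worth alerting on when the parent is an Office application.
# mshta.exe is the host used by the chain described on this page; the rest
# are other common script/shell hosts (assumption, generalizing the check).
SUSPICIOUS_CHILDREN = {
    "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
    "cmd.exe", "rundll32.exe", "regsvr32.exe",
}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_child_alert(ev: ProcessEvent) -> bool:
    """True when an Office parent spawns one of the suspicious hosts."""
    return (basename(ev.parent_image) in OFFICE_PARENTS
            and basename(ev.image) in SUSPICIOUS_CHILDREN)


def find_alerts(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the subset of events that should raise an alert."""
    return [ev for ev in events if is_office_child_alert(ev)]


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    # Word launching mshta.exe on an HTA file: the pattern this chain uses.
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Users\user\AppData\Local\Temp\stage2.hta"),
    # Explorer launching Word: normal user activity, must not alert.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "C:\Users\user\Documents\report.docx"'),
    # mshta.exe from a non-Office parent: out of scope for this rule.
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe about:blank"),
    # Excel spawning a shell: caught by the generalized child list.
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c echo test"),
]


if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {basename(ev.parent_image)} -> "
              f"{basename(ev.image)}: {ev.command_line}")
```

Run as-is it reports the Word-to-mshta.exe and Excel-to-cmd.exe events and stays quiet on the two benign ones. In production the same predicate would sit in your EDR or SIEM as a rule over live process-creation telemetry, paired with an automatic kill of the child process, which is the block-and-kill step the remediation above calls for.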

Check out the TTP "Is my host protected against APT37?" on the Prelude chains website.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec

Source: https://feed.prelude.org

TTPs

Stage Operator networking fact file
Stage and launch a malicious Word document
Collect keystroke/keyboard data
Exfiltrate data to OneDrive

Tags

apt29 scenario 1, apt29, apt29 scenario 2