North Korean Reaper APT uses zero-day vulnerabilities to spy on governments

The often-overlooked hacking group appears to be backed by the North Korean government.
Written by Charlie Osborne, Contributing Writer


A hacking group has been utilizing an array of zero-day vulnerabilities to conduct surveillance on behalf of North Korea, researchers have warned.

According to cybersecurity firm FireEye, the advanced persistent threat (APT) group, dubbed "Reaper," uses a range of zero-day vulnerabilities and malware to carry out attacks against victims related to the North Korean government's interests.

On Tuesday, FireEye said in a blog post that Reaper primarily targets South Korea. However, Japan, Vietnam, and the Middle East are also now in the group's sights.

In addition to government targets, the group, also known as APT37, strikes industrial players such as those in the chemical, military, electronics, aerospace, automotive, healthcare, and manufacturing sectors.

In a report (.PDF) documenting the firm's findings, FireEye says that Reaper's primary goal is to gather intelligence valuable to the North Korean government.

Reaper has likely been active since 2012. While social engineering tactics and phishing with documents related to Korean peninsula reunification and sanctions are a major element of the group's toolbox, the group has also been linked to the recent exploit of an Adobe Flash zero-day vulnerability, CVE-2018-4878.

Reports surfaced in January that the flaw, now patched, was being used in attacks against South Korea with the overall aim of deploying the DOGCALL malware, a Windows Trojan used for monitoring keystrokes, taking screenshots, and remote surveillance through backdoor installation.

FireEye traced the exploit back to IP addresses assigned to the capital of North Korea, Pyongyang, and the STAR-KP network.

Reaper frequently exploits zero-day vulnerabilities in Adobe Flash, including CVE-2016-4117, CVE-2016-1019, and CVE-2015-3043, as well as security flaws found in the Hangul Word Processor (HWP).

Reaper also attacks victims with the RUHAPPY wiper malware, the CORALDECK exfiltration tool, Karae backdoors, an information-collecting backdoor called SHUTTERSPEED, and JavaScript profiler RICECURRY, among others.

In one notable example from last year, Reaper targeted a Middle Eastern company. The company entered into a joint venture with North Korea to provide telecommunications services -- but the deal went bad.

Once the media reported the collapse of the venture, the company was targeted by the threat actors. FireEye believes that this may have been an attempt by the North Korean government to "gather information on a former business partner."

According to the company, APT37 is also likely aligned with the cyberespionage activities of Scarcruft and Group 123, thought to be responsible for a variety of campaigns against South Korean victims, several non-Korean financial institutions, and the "Evil New Year 2018" campaign, which utilized malware specifically designed to wipe compromised disks.

In order to avoid detection, Reaper makes use of compromised servers in South Korea and beyond, messaging platforms, and cloud service providers.

Due to IP address evidence and the activity of Reaper following the North Korean working day, as well as the targets selected by the threat actors, FireEye believes that the group must come from this country.

As the APT group has also developed its own malware and appears to have vast resources at hand, it is most likely that Reaper is state-sponsored.
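The working-day pattern FireEye cites is a standard analyst heuristic: convert observed activity timestamps into a candidate local time zone and measure how many land in business hours. The script below is an added illustration, not code from FireEye or the report; the working window (09:00 to 18:00, Monday to Friday), the fixed UTC+9 offset, and the sample beacon times are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed local working window (hours, local time); not from the FireEye report.
WORK_START, WORK_END = 9, 18
# A fixed UTC+9 offset for Pyongyang is an assumption: the zone actually observed
# UTC+8:30 between August 2015 and May 2018, so use zoneinfo for real historical data.
PYONGYANG = timezone(timedelta(hours=9), "UTC+9")

def parse_utc(lines):
    """Parse constructed 'YYYY-MM-DD HH:MM' timestamps recorded in UTC."""
    return [datetime.strptime(l.strip(), "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
            for l in lines if l.strip()]

def working_hour_ratio(events, tz, start=WORK_START, end=WORK_END):
    """Fraction of events falling Mon-Fri within [start, end) local hours in tz."""
    if not events:
        return 0.0
    hits = sum(1 for ts in events
               if (loc := ts.astimezone(tz)).weekday() < 5 and start <= loc.hour < end)
    return hits / len(events)

# Constructed sample: C2 beacon times (UTC) seen during one week; not real data.
SAMPLE = """
2018-02-19 01:00
2018-02-19 03:30
2018-02-19 08:00
2018-02-19 09:30
2018-02-19 15:00
2018-02-24 02:00
"""

def compare_zones(lines=SAMPLE.splitlines()):
    """Score the same events against candidate zones; a higher ratio is a better fit."""
    events = parse_utc(lines)
    candidates = {"Pyongyang (UTC+9)": PYONGYANG,
                  "US Eastern (UTC-5)": timezone(timedelta(hours=-5), "UTC-5")}
    return {name: round(working_hour_ratio(events, tz), 3) for name, tz in candidates.items()}

if __name__ == "__main__":
    for name, score in compare_zones().items():
        print(f"{name}: {score:.0%} of events in local working hours")
```

Timing alone is weak evidence, since operators can shift schedules or relay through infrastructure in other regions; FireEye combined it with IP address evidence and victim selection before drawing a conclusion.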


"North Korea has repeatedly demonstrated a willingness to leverage its cyber capabilities for a variety of purposes, undeterred by notional redlines and international norms," FireEye says. "Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions, APT37 is an additional tool available to the regime, perhaps even desirable for its relative obscurity."

"We anticipate APT37 will be leveraged more and more in previously unfamiliar roles and regions, especially as pressure mounts on their sponsor," the company added.
