A lesser-known North Korean cyber-espionage outfit has become more active on the international scene in 2017, after spending the previous five years targeting only South Korean government agencies and North Korean defectors.

A history of the group's activities, which go back to 2012, has been compiled in a report released yesterday by US cyber-security company FireEye.

Lazarus Group's smaller brother

The report refers to the group by the codename APT37 (also Reaper), but other companies track it as Group123 (Cisco Talos), FreeMilk (Palo Alto Networks), or ScarCruft, Operation Daybreak, and Operation Erebus (Kaspersky Lab).

The group has been quite active, but because it targeted mainly South Korean targets, it has not received the same amount of press coverage that fellow North Korean hacking group Lazarus Group has received.

Fair enough: hacking Sony Pictures and a string of banks around the world gets you more attention than going after North Korean defectors and small South Korean government agencies.

Group expands activity to international targets

But Lazarus Group will now have a rival for media coverage, and the reason is that APT37 has expanded its operations to include foreign targets.

Targets added in 2017 and 2018 include companies and government agencies in Japan, Vietnam, and several Middle Eastern countries. FireEye says it detected APT37 attacks shortly after business deals between North Korea and companies in Vietnam and the Middle East went sideways.

APT37 tied to North Korea with "high confidence"

In fact, the entire FireEye report stands out because the cyber-security company went on public record blaming North Korean officials for supporting the group.

"We assess with high confidence that this activity is carried out on behalf of the North Korean government," the FireEye report reads. "We judge that APT37’s primary mission is covert intelligence gathering in support of North Korea’s strategic military, political and economic interests."

"This is based on consistent targeting of South Korean public and private entities and social engineering," the company adds. "APT37’s recently expanded targeting scope also appears to have direct relevance to North Korea’s strategic interests."

It is quite rare for a cyber-security company to attribute hacks to a nation-state this directly. FireEye went on record partly because of operational mistakes made by APT37 members.

FireEye told Bleeping Computer that an APT37 operator inadvertently infected himself with the group's own malware, and his details were collected on a command-and-control server to which the company managed to gain access. Data collected from that individual pointed to North Korea as the group's center of operations.

Furthermore, the compilation timestamps of the multiple malware families created by the group are consistent with working hours in North Korea's timezone, and the group's persistent focus on South Korea and North Korean defectors fits the same picture. Neither indicator is conclusive on its own (compile timestamps can be forged and targeting can be mimicked), but together with the operator's self-infection they support FireEye's attribution statement.
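The compile-time argument above is a standard attribution heuristic: read the COFF TimeDateStamp from each sample's PE header, shift it into a candidate timezone, and check whether the samples cluster into that zone's working day. The script below is an added illustration, not code from FireEye or from this article; it builds a handful of constructed PE stubs (not real APT37 samples) with hand-picked timestamps, parses the header, and compares a Pyongyang-time histogram with a North American one. The 09:00-18:00 working-day window and the UTC+9 offset are assumptions; note that Pyongyang actually ran on UTC+8:30 between August 2015 and May 2018, so a real analysis should try both offsets. Timestamps are attacker-controlled, which is why the text above treats them as supporting evidence only.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: UTC+9. Pyongyang used UTC+8:30 from 2015-08-15 to 2018-05-04,
# so samples from that window should also be checked against +8:30.
PYONGYANG = timezone(timedelta(hours=9))
US_EASTERN_DST = timezone(timedelta(hours=-4))  # comparison zone, assumption


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # IMAGE_DOS_HEADER.e_lfanew
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def build_fake_pe(ts: int) -> bytes:
    """Constructed minimal PE stub (not a real sample) carrying the given timestamp."""
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew + 24)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine=i386, 3 sections, TimeDateStamp, no symbols, 0xE0 optional hdr, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, 3, ts, 0, 0, 0xE0, 0x102)
    return bytes(hdr)


def constructed_samples() -> list:
    """Seven stubs compiled on 2017-03-14 at hand-picked UTC hours (constructed data)."""
    utc_hours = [1, 2, 4, 5, 7, 8, 23]
    return [
        build_fake_pe(int(datetime(2017, 3, 14, h, 0, tzinfo=timezone.utc).timestamp()))
        for h in utc_hours
    ]


def local_hour_histogram(samples, tz) -> Counter:
    """Count samples by compile hour after shifting each timestamp into tz."""
    hist = Counter()
    for data in samples:
        hist[pe_timestamp(data).astimezone(tz).hour] += 1
    return hist


def workday_fraction(hist: Counter, start: int = 9, end: int = 18) -> float:
    """Share of samples whose local compile hour falls inside [start, end)."""
    total = sum(hist.values())
    in_hours = sum(n for h, n in hist.items() if start <= h < end)
    return in_hours / total if total else 0.0


if __name__ == "__main__":
    samples = constructed_samples()
    for name, tz in (("UTC+9", PYONGYANG), ("UTC-4", US_EASTERN_DST)):
        hist = local_hour_histogram(samples, tz)
        print(name, sorted(hist.items()), f"workday share={workday_fraction(hist):.2f}")
```

With the constructed set, six of seven samples land inside a UTC+9 working day and none inside a UTC-4 one; on real data you would run this over hundreds of samples, try several candidate offsets, and discard samples whose timestamps are obviously zeroed or set in the future.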

APT37 has created a lot of custom malware

At the technical level, the group is no slouch either. APT37 has been credited with creating multiple malware families over the past six years. In fact, it was APT37 behind the recent Adobe Flash Player zero-day (CVE-2018-4878) that Bleeping Computer wrote about at the start of the month.

The FireEye report paints a pretty good picture of how the group often relied on Flash vulnerabilities to infect targets, and how they varied their operations for different targets.

APT37 created several malware families across the years, ranging from backdoors to data wipers. They also used an ever-shifting infrastructure, relying on AOL Instant Messenger, pCloud, and Dropbox for their command-and-control servers, and on spear-phishing, hacked websites, and torrent files for spreading their malicious payloads.

Their malware and exploit arsenal is also something to behold, the group being behind several interesting and quite well-built tools, such as:

CORALDECK - an exfiltration tool that collects targeted files and sends them out as password-protected archives created with WinRAR or WinImage.

DOGCALL - a powerful RAT, also known as ROKRAT.

GELCAPSULE - a first-stage malware downloader.

HAPPYWORK - another first-stage malware downloader that can download and install other malware. Seen mostly in 2016.

KARAE - a backdoor trojan, also used as a downloader for other payloads. Uses cloud-storage providers as C&C systems.

MILKDROP - a launcher that sets a persistence registry key and launches a backdoor.

POORAIM - a backdoor that uses AOL Instant Messenger as a C&C channel. Can also exfiltrate data.

RICECURRY - a JavaScript-based profiler used to fingerprint a victim's web browser before deciding what malicious code to deliver.

RUHAPPY - a data wiper that overwrites the MBR and prints "Are you happy?" on the screen. Deployed alongside DOGCALL, but never observed being triggered.

SHUTTERSPEED - a backdoor trojan that can also exfiltrate data.

SLOWDRIFT - a first-stage downloader and launcher for other malware. Also uses cloud-based services as a C&C channel.

SOUNDWAVE - a Windows-based audio capturing utility.

ZUMKONG - a credentials dumper targeting Internet Explorer and Chrome.

WINERACK - a backdoor that also provides a remote shell.

All in all, APT37 appears set to expand its activity at a time when Lazarus Group operations have slowed down, but not stopped. FireEye expects the group to become more active as international sanctions and political pressure on the North Korean government increase.