APT Group 123 Targets Windows Systems in Ongoing Malicious Payload Campaign

Group123, a North Korean state-sponsored Advanced Persistent Threat (APT) group also known by aliases such as APT37, Reaper, and ScarCruft, continues to target Windows-based systems across multiple regions.

Active since at least 2012, the group has historically focused on South Korea but has broadened its operations since 2017 to include Japan, Vietnam, the Middle East, and beyond, targeting critical sectors like defense, aerospace, nuclear technology, and engineering.

The group’s primary motivation remains information theft and espionage, often aligning with North Korea’s strategic interests.

Their recent campaigns reveal a sophisticated blend of technical prowess and adaptability, leveraging a vast arsenal of custom and commodity malware, including ROKRAT, Konni, and Oceansalt, alongside exploits for vulnerabilities such as CVE-2018-4878 and CVE-2022-41128.

Expanding Global Reach

Group123 employs a multi-stage attack lifecycle, heavily relying on spear phishing as an initial access vector.

[Figure: attack flow diagram of APT Group123]

These highly targeted emails often contain malicious attachments exploiting software popular in target regions, such as Hangul Word Processor (HWP) and Microsoft Office suites.

Beyond phishing, the group capitalizes on public-facing application vulnerabilities, including Log4j flaws, and conducts strategic web compromises through watering hole attacks to serve malicious content.

Their execution phase frequently involves custom payloads like PoohMilk and Freenki Loader, paired with scripting and Windows API calls, ensuring persistence through backdoors and registry modifications.

Privilege escalation often stems from operating system exploits or bypassing User Account Control (UAC), while defense evasion tactics include encrypted C2 communications over HTTPS, multi-stage payloads, and DLL sideloading to evade detection.
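Two of the behaviours just described, persistence through Run-key registry writes and DLL sideloading, leave traces in ordinary endpoint telemetry. The script below is an added example, not code from the article or from the Cyfirma report, showing how a defender might flag them in Sysmon-style events: Event ID 13 (registry value set) for autorun additions and Event ID 7 (image load) for a signed process loading an unsigned DLL from a user-writable path. The event records, their simplified field names, and the list of commonly shadowed DLL names are constructed assumptions for the demonstration.

```python
"""Flag Run-key persistence and DLL sideloading in Sysmon-style events.
Added example: events below are constructed, not real telemetry, and the
field names are a simplified subset of Sysmon's (assumption)."""
import re

# Directories an ordinary user can write to; payloads dropped by a lure
# document typically land here rather than in System32 or Program Files.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|Downloads|Desktop|Public|ProgramData)\\", re.IGNORECASE)
# Run / RunOnce autorun keys under HKLM or HKU/HKCU.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Document viewers and script hosts that a phishing attachment executes in.
LURE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "hwp.exe",
              "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# DLL names often shadowed in sideloading; the genuine copy lives in System32.
COMMON_SIDELOAD_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                        "cryptsp.dll", "uxtheme.dll"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_run_key(ev):
    """Event ID 13: record every autorun write; escalate when the value points
    into a user-writable directory or the writer is a document/script host."""
    if ev["id"] != 13 or not RUN_KEY.search(ev["target"]):
        return None
    reasons = []
    if USER_WRITABLE.search(ev["details"]):
        reasons.append("autorun target in user-writable directory")
    if basename(ev["image"]) in LURE_HOSTS:
        reasons.append("written by document/script host " + basename(ev["image"]))
    return {"rule": "run-key-persistence",
            "severity": "high" if reasons else "info",
            "process": ev["image"], "target": ev["target"], "reasons": reasons}


def check_sideload(ev):
    """Event ID 7: a signed process loading an unsigned DLL from a user-writable
    directory, or a well-known system DLL name resolved outside C:\\Windows."""
    if ev["id"] != 7:
        return None
    dll = ev["image_loaded"]
    reasons = []
    if ev["process_signed"] and not ev["dll_signed"] and USER_WRITABLE.search(dll):
        reasons.append("signed process loaded unsigned DLL from user-writable directory")
    if basename(dll) in COMMON_SIDELOAD_DLLS and "\\windows\\" not in dll.lower():
        reasons.append(basename(dll) + " loaded from outside the Windows directory")
    if not reasons:
        return None
    return {"rule": "dll-sideloading", "severity": "high",
            "process": ev["image"], "target": dll, "reasons": reasons}


def scan(events):
    """Run both checks over a list of events and return the findings in order."""
    findings = []
    for ev in events:
        for check in (check_run_key, check_sideload):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Installer registering a vendor agent under HKLM: worth logging, not alarming.
    {"id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
    # Word writing an HKCU Run value that points into AppData: lure-style persistence.
    {"id": 13, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"HKU\S-1-5-21-1-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Roaming\Updater\update.exe"},
    # Normal image load: svchost pulling version.dll from System32.
    {"id": 7, "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\version.dll",
     "process_signed": True, "dll_signed": True},
    # Signed binary copied to Temp loading an unsigned version.dll placed beside it.
    {"id": 7, "image": r"C:\Users\alice\AppData\Local\Temp\notepad.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "process_signed": True, "dll_signed": False},
    # Unrelated event type, ignored by both checks.
    {"id": 1, "image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["rule"], f["process"], "->", f["target"], f["reasons"])
```

The Run-key check deliberately records every autorun write at "info" severity, because legitimate installers write these keys too; the severity only rises when the value lands in a user-writable path or the writer is a document or script host, which is the combination a phishing-delivered payload produces. Real deployments would feed the checks from Sysmon's XML or a SIEM export rather than the inline list.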

Financial Motives

A notable evolution in Group123’s operations is the integration of ransomware, such as Maui, to fund their espionage activities, blurring the line between state-sponsored attacks and cybercrime.

Their command-and-control infrastructure demonstrates ingenuity, historically leveraging platforms like X and Mediafire, and more recently, cloud services like Google Drive for stealthy communication.

Credential access through harvesting from browsers and Windows Credential Manager, combined with internal network reconnaissance, enables lateral movement and data exfiltration, often staging sensitive information before extraction.

According to the Cyfirma report, in some instances destructive malware and disk wipers are deployed to maximize impact.

Their adaptability shines through rapid exploitation of newly disclosed vulnerabilities, including zero-days, and an expanding scope of operations across East Asia, Southeast Asia, the Middle East, and even the United States.

Group123’s ability to tailor social engineering lures to victims’ interests and professions, coupled with techniques like call stack spoofing and using legitimate services for C2, underscores their growing sophistication.

Mapped to the MITRE ATT&CK framework, their tactics span initial access (e.g., T1189 for drive-by compromise), execution (e.g., T1059 for command-line interfaces), and collection (e.g., T1005 for data from local systems), reflecting a comprehensive threat model.

As Group123 continues to refine its methods and target Windows environments in critical industries, organizations must prioritize robust endpoint protection, patch management, and user awareness to mitigate the risks posed by this relentless adversary.
