
CORALDECK

Posted: October 14, 2019

For a long time, the Lazarus group was considered the only major actor with links to the North Korean government, but recently another group from the region has attracted a lot of attention with its activities and its very diverse toolkit. The APT37 group, also known as ScarCruft, has been active since 2015, and its targets are often high-profile individuals in South Korea; however, the group has also been involved in campaigns against Japanese, Vietnamese and Middle Eastern targets.

The tools that the APT37 group uses often focus on stealth, and their campaigns frequently serve the purpose of exfiltrating data over long periods. CORALDECK is one of the tools they use to collect information from compromised hosts; it was first seen in use at the beginning of 2016, and its activity peaked for a little over four months.

APT37 Utilizes the CORALDECK Infostealer to Grab Files from Their Victims

CORALDECK is a basic infostealer that is almost always used in combination with other APT37 tools. Infostealers often focus on extracting saved login credentials or Web browser credit card details from infected hosts, but the CORALDECK sample works differently: it looks for particular files, or files with specific names. This likely means that the APT37 group uses other reconnaissance tools to learn the names of the files present on the infected host, so that they can later use the CORALDECK infostealer to extract them.

APT37's CORALDECK uses a hard-coded exfiltration method: the collected data is sent in an HTTP POST request to the attacker's server. All files that CORALDECK collects are first placed in a password-protected RAR or ZIP archive. Another notable trait of the CORALDECK infostealer is that it may sometimes arrive bundled with a portable copy of the WinRAR archive management application, to ensure that it can complete its task successfully.
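The behaviour described above (files staged into a password-protected RAR or ZIP archive, sometimes by a portable WinRAR, and then sent to a remote server in an HTTP POST body) is something a defender can look for in endpoint and proxy telemetry. The following is an added detection sketch written for this article; it is not CORALDECK code and not any vendor's detection logic. It assumes a simplified event schema (process-creation events with `image` and `cmdline`, HTTP events with `method`, `dst` and the leading bytes of the request `body`), an assumed standard WinRAR install directory, and constructed sample events; the archive magic bytes and WinRAR's `-p` password switch are public facts, while the server addresses and file names are made up.

```python
"""Added example: correlate password-protected archive creation with an HTTP
POST whose body is an archive. Events are constructed sample telemetry."""
from datetime import datetime, timedelta

# Public file signatures of the archive formats the article mentions.
ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"Rar!\x1a\x07\x00": "rar4",
    b"PK\x03\x04": "zip",
}
ARCHIVER_NAMES = {"rar.exe", "winrar.exe"}
# Assumed location of a legitimately installed WinRAR; a copy executed from
# anywhere else (user profile, temp, removable media) is the "portable" case.
EXPECTED_ARCHIVER_DIR = "c:\\program files\\winrar\\"


def archive_type(body: bytes):
    """Return 'rar4', 'rar5', 'zip' or None from the leading bytes of an HTTP body."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if body.startswith(magic):
            return kind
    return None


def archiver_reasons(event):
    """Reasons a process-creation event looks like password-protected archive staging."""
    image = event["image"].lower()
    if image.rsplit("\\", 1)[-1] not in ARCHIVER_NAMES:
        return []
    reasons = []
    if not image.startswith(EXPECTED_ARCHIVER_DIR):
        reasons.append("archiver executed outside its install directory")
    # WinRAR's command-line switch -p<password> sets an archive password.
    if any(arg.lower().startswith("-p") for arg in event["cmdline"].split()[1:]):
        reasons.append("archive created with a password switch")
    return reasons


def find_exfil_candidates(events, allowed_hosts, window=timedelta(minutes=30)):
    """Flag HTTP POSTs carrying an archive to a host outside the allowlist and
    attach suspicious archiver activity seen on the same endpoint within `window`."""
    staged = []  # (timestamp, endpoint, reasons)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process":
            reasons = archiver_reasons(ev)
            if reasons:
                staged.append((ev["ts"], ev["endpoint"], reasons))
        elif ev["type"] == "http" and ev["method"] == "POST":
            kind = archive_type(ev["body"])
            if kind is None or ev["dst"] in allowed_hosts:
                continue
            related = [r for ts, ep, r in staged
                       if ep == ev["endpoint"] and timedelta(0) <= ev["ts"] - ts <= window]
            alerts.append({
                "endpoint": ev["endpoint"],
                "dst": ev["dst"],
                "archive": kind,
                "staging": sorted({reason for rs in related for reason in rs}),
            })
    return alerts


def sample_events():
    """Constructed telemetry: one staging-plus-POST chain, one benign upload,
    one archive POST without prior staging, and one non-archive POST."""
    t0 = datetime(2019, 10, 14, 9, 0, 0)
    return [
        {"type": "process", "ts": t0, "endpoint": "WS01",
         "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\rar.exe",
         "cmdline": "rar.exe a -pS3cr3t docs.rar C:\\Users\\bob\\Documents\\budget.xlsx"},
        {"type": "http", "ts": t0 + timedelta(minutes=5), "endpoint": "WS01",
         "method": "POST", "dst": "203.0.113.10",
         "body": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32},
        {"type": "process", "ts": t0, "endpoint": "WS02",
         "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
         "cmdline": "WinRAR.exe a report.zip report.docx"},
        {"type": "http", "ts": t0 + timedelta(minutes=2), "endpoint": "WS02",
         "method": "POST", "dst": "files.corp.example", "body": b"PK\x03\x04" + b"\x00" * 32},
        {"type": "http", "ts": t0 + timedelta(minutes=3), "endpoint": "WS02",
         "method": "POST", "dst": "198.51.100.7", "body": b"PK\x03\x04" + b"\x00" * 32},
        {"type": "http", "ts": t0 + timedelta(minutes=4), "endpoint": "WS03",
         "method": "POST", "dst": "203.0.113.10", "body": b'{"ping": 1}'},
    ]


if __name__ == "__main__":
    for alert in find_exfil_candidates(sample_events(), {"files.corp.example"}):
        print(alert)
```

The archive POST without any prior staging is still reported, but with an empty `staging` list, so an analyst can rank the WS01 chain (portable archiver, password switch, then archive upload to an unknown host) above a lone upload. A real deployment would match on the proxy's recorded content rather than a fixed 32-byte prefix and would tune the allowlist and time window to the environment.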
