
MILKDROP

Posted: October 18, 2019

The North Korean Advanced Persistent Threat group called APT37 uses a broad range of tools to perform reconnaissance operations and data exfiltration attacks against their targets. Their toolset includes a large number of backdoor Trojans, Remote Access Trojans and reconnaissance tools. Since the group has ties with the North Korean government, it is not a surprise that their primary targets are high-ranking individuals in the South Korean military and government sectors. One of the simple but silent backdoor Trojans that the APT37 group (also known as ScarCruft) uses is MILKDROP.

MILKDROP is a Simple Backdoor Used as a First-Stage Payload

APT37's MILKDROP has not seen as much use as other backdoors like DOGCALL and KARAE, but it is still a major threat due to its ability to gain persistence on the targeted machine without raising too many red flags. It is likely that the threat actors plan to use active MILKDROP implants to deploy additional payloads to targeted computers. Once deployed, the backdoor uses a very basic change to the Windows Registry to gain persistence and ensure that its files will launch alongside Windows. After this, it connects to a hardcoded Command & Control server and receives commands from the attackers.
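The persistence step described above relies on an autostart registry entry, which is exactly the kind of change endpoint telemetry records. The following is an added example, not code from the page or from any MILKDROP sample: a small Python triage script that parses constructed Sysmon-style registry-set (Event ID 13) lines, flags writes under the Run and RunOnce keys, and rates them higher when the launched binary or the writing process lives in a user-writable directory. The key path, the flattened field layout and the sample lines are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Registry autostart locations a "basic registry change" for persistence usually
# targets. Assumption: the page does not name the exact key MILKDROP writes.
AUTORUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE
)
# Directories an unprivileged user can write to; an autorun entry that launches
# from here deserves far more scrutiny than one under Program Files or System32.
USER_WRITABLE = re.compile(
    r"(\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\)",
    re.IGNORECASE,
)

def parse_event(line: str) -> Dict[str, str]:
    """Parse a flattened 'Field=value Field=value' Sysmon-style log line."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}

def classify(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a registry-value-set event that touches an
    autorun key, or None if the event is not an autorun write at all."""
    if event.get("EventID") != "13" or not AUTORUN_KEY.search(event.get("TargetObject", "")):
        return None
    launched = event.get("Details", "")   # value data: the path that will autostart
    writer = event.get("Image", "")       # process that wrote the value
    if USER_WRITABLE.search(launched):
        return ("high", "autorun entry launches a binary from a user-writable path")
    if USER_WRITABLE.search(writer):
        return ("high", "autorun entry written by a process in a user-writable path")
    return ("low", "autorun entry changed; compare against the host baseline")

def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, value name, reason) for every autorun write in the log."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            hits.append((verdict[0], ev["TargetObject"].rsplit("\\", 1)[-1], verdict[1]))
    return hits

# Constructed sample lines, not real MILKDROP telemetry.
SAMPLE_LOG = [
    r"EventID=1 Image=C:\Users\alice\AppData\Local\Temp\dropper.exe CommandLine=dropper.exe",
    r"EventID=13 Image=C:\Windows\System32\msiexec.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray Details=C:\Program Files\Vendor\tray.exe",
    r"EventID=13 Image=C:\Users\alice\AppData\Local\Temp\dropper.exe TargetObject=HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate Details=C:\Users\alice\AppData\Roaming\svchost.exe",
    r"EventID=13 Image=C:\Windows\regedit.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows\Foo Details=DWORD (0x00000001)",
]

if __name__ == "__main__":
    for severity, name, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] {name}: {reason}")
```

A low-severity hit is only a prompt to diff the entry against a known-good baseline; the high-severity path is the one worth an immediate look.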

The scope of remote commands that MILKDROP can accept is very limited, but it provides the attackers with all they need to gather system details and decide which payload to introduce next. The MILKDROP backdoor does not employ any sandbox-evasion techniques, nor does it have any advanced features meant to evade anti-virus engines; keeping computers protected by a reputable anti-virus product should be more than enough to stop the MILKDROP backdoor's activity.
