ReportRed_Eyes_Hacking_Group_kor.pdf (1 MB)

AhnLab profiles the Red Eyes group, also known as Geumseong121, Group 123, ScarCruft, APT37, Reaper, and Ricochet Chollima, as a cluster targeting defectors, North Korean human-rights activists, North Korea researchers, journalists, and some military-themed lures. The group commonly delivered malicious documents by email or mobile messenger, using HWP EPS exploitation, embedded VBS or EXE files, MS Office documents, DDE, and a Flash Player zero-day later identified as CVE-2018-4878. Malware families described in the report include Reloader or DocPrint loaders, Reloaderx information stealers and downloaders, the Redoor or DogCall backdoor, and a wiper that damages hard disks and displays an "Are you Happy?" message after reboot. AhnLab also notes distinctive PDB paths and strings such as First, Happy, Work, and pad-2 artifacts, using them to discuss possible links to earlier 2015-2016 activity including Operation ProgamsByMe.