ScarCruft, APT37, Group123, Reaper, Red Eyes
Ricochet Chollima is a Democratic People’s Republic of Korea (DPRK) targeted intrusion adversary that has been involved in espionage operations since at least 2016.
Ricochet Chollima’s observed operations have almost exclusively targeted the Republic of Korea (RoK) and are focused on RoK government officials, non-governmental organizations (NGOs), academics, journalists, and DPRK defectors.
This target scope is similar to those observed in VELVET CHOLLIMA operations; however, RICOCHET CHOLLIMA consistently demonstrates a level of skill and operational complexity that places it among the most technically advanced DPRK adversaries.
Ricochet Chollima frequently relies on cloud-based file hosting services. This distinctive tactic has become a defining element of RICOCHET CHOLLIMA’s malware. RICOCHET CHOLLIMA operations have included spear-phishing operations leveraging malicious Korean-language Hangul Word Processor (HWP) documents to drop custom implants such as the Cirrus and Nimbus RATs.
In December 2020, CrowdStrike Intelligence discovered a new tool used by RICOCHET CHOLLIMA named the PoorWeb RAT. PoorWeb is delivered via an OLE object embedded in a malicious HWP document to load a first-stage dropper and subsequently the PoorWeb payload—a tactic previously used by RICOCHET CHOLLIMA. This malware is capable of collecting system information, taking screenshots, enumerating drives and files, and executing commands. While the target scope of PoorWeb is nebulous, decoy documents included content pertaining to Korean unification, suggesting those sympathetic to the DPRK were the focus of observed activity.
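The two behaviours described above (an HWP document whose embedded OLE object launches a dropper, and an implant that talks to cloud file-hosting services) can be turned into host-level detection logic. The following is an added example written for this profile, not CrowdStrike tooling or PoorWeb code; it runs over constructed endpoint events. The image name `Hwp.exe` for the Hangul Word Processor, the child-process list, the allow-list of expected cloud clients and the hosting domains (`example-drive.test`, `example-box.test`) are all assumptions to be replaced with values from your own environment.

```python
"""Detection sketch for the HWP -> OLE dropper -> cloud-hosting C2 chain.
Added example with constructed events; not CrowdStrike telemetry or code."""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: Hancom's Hangul Word Processor runs as Hwp.exe.
HWP_IMAGES = {"hwp.exe"}
# Children a document viewer has no business launching (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Constructed placeholder domains; populate from your proxy's category data.
CLOUD_HOSTING_DOMAINS = {"example-drive.test", "example-box.test"}
# Processes for which cloud file-hosting traffic is expected (assumed).
EXPECTED_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class Event:
    kind: str            # "process" (creation) or "network" (outbound connection)
    host: str
    image: str           # full path of the acting process
    parent: str = ""     # parent image path, process events only
    dest: str = ""       # destination hostname, network events only


def image_name(path: str) -> str:
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_cloud_hosting(dest: str) -> bool:
    """Exact or subdomain match against the watched hosting domains."""
    d = dest.lower().rstrip(".")
    return any(d == dom or d.endswith("." + dom) for dom in CLOUD_HOSTING_DOMAINS)


def hwp_spawn_alerts(events: List[Event]) -> List[Dict[str, str]]:
    """Rule 1: the HWP viewer spawning a scripting or LOLBin child."""
    alerts = []
    for ev in events:
        if ev.kind != "process":
            continue
        if image_name(ev.parent) in HWP_IMAGES and image_name(ev.image) in SUSPICIOUS_CHILDREN:
            alerts.append({"rule": "hwp_suspicious_child", "host": ev.host,
                           "image": ev.image, "parent": ev.parent})
    return alerts


def cloud_c2_alerts(events: List[Event]) -> List[Dict[str, str]]:
    """Rule 2: a non-browser process reaching a cloud file-hosting domain."""
    alerts = []
    for ev in events:
        if ev.kind != "network" or not is_cloud_hosting(ev.dest):
            continue
        if image_name(ev.image) not in EXPECTED_CLOUD_CLIENTS:
            alerts.append({"rule": "unexpected_cloud_client", "host": ev.host,
                           "image": ev.image, "dest": ev.dest})
    return alerts


def correlate(events: List[Event]) -> Dict[str, str]:
    """Per-host severity: both rules on one host -> 'high', a single rule -> 'medium'."""
    hits: Dict[str, set] = {}
    for a in hwp_spawn_alerts(events) + cloud_c2_alerts(events):
        hits.setdefault(a["host"], set()).add(a["rule"])
    return {h: ("high" if len(rules) == 2 else "medium") for h, rules in hits.items()}


# Constructed sample telemetry: WS01 shows the full chain, WS03 only the
# network half, WS02 is benign (browser traffic, explorer spawning notepad).
SAMPLE_EVENTS = [
    Event("process", "WS01", r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Program Files\Hnc\Office\Hwp.exe"),
    Event("process", "WS02", r"C:\Windows\System32\notepad.exe",
          parent=r"C:\Windows\explorer.exe"),
    Event("network", "WS01", r"C:\Users\user\AppData\Local\Temp\update.exe",
          dest="api.example-drive.test"),
    Event("network", "WS02", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          dest="example-drive.test"),
    Event("network", "WS03", r"C:\Users\user\AppData\Roaming\svc.exe",
          dest="cdn.example-box.test"),
]

if __name__ == "__main__":
    for host, severity in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, severity)
```

Rule 2 on its own is noisy in any environment where users sync files through cloud services, which is why the correlation step raises severity only when the document-viewer spawn and the unexpected cloud traffic occur on the same host; tune the allow-list of expected clients before relying on the medium-severity hits.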
United Arab Emirates
- Financial Management & Hedge Funds
- NGOs and Nonprofits
- Think Tanks