APT38

APT38 is a financially motivated threat group backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014.[1]

North Korean group definitions are known to overlap significantly, and the name Lazarus Group is used to cover a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.[2] Others track North Korean clusters or groups such as Bluenoroff,[3] APT37, and APT38 separately, while still others may track some of the activity associated with those names under the name Lazarus Group.

ID: G0082
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1115 | Clipboard Data | APT38 used a Trojan called KEYLIME to collect data from the clipboard.[1]
Enterprise | T1059 | Command-Line Interface | APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim's machine.[1]
Enterprise | T1485 | Data Destruction | APT38 has used a custom secure delete function to make deleted files unrecoverable.[1]
Enterprise | T1486 | Data Encrypted for Impact | APT38 has used Hermes ransomware to encrypt files with AES-256.[1]
Enterprise | T1487 | Disk Structure Wipe | APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.[1]
Enterprise | T1189 | Drive-by Compromise | APT38 has conducted watering hole schemes to gain initial access to victims.[1]
Enterprise | T1107 | File Deletion | APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system.[1]
Enterprise | T1070 | Indicator Removal on Host | APT38 clears Windows Event logs and Sysmon logs from the system.[1]
Enterprise | T1056 | Input Capture | APT38 used a Trojan called KEYLIME to capture keystrokes from the victim's machine.[1]
Enterprise | T1112 | Modify Registry | APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.[1]
Enterprise | T1013 | Port Monitors | APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.[1]
Enterprise | T1057 | Process Discovery | APT38 leveraged Sysmon to understand the processes and services running in the organization.[1]
Enterprise | T1105 | Remote File Copy | APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim's machine.[1]
Enterprise | T1494 | Runtime Data Manipulation | APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed, removing traces of fraudulent SWIFT transactions from the data displayed to the end user.[1]
Enterprise | T1045 | Software Packing | APT38 has used several code packing methods, such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.[1]
Enterprise | T1071 | Standard Application Layer Protocol | APT38 used a backdoor, QUICKRIDE, to communicate with the C2 server over HTTP and HTTPS.[1]
Enterprise | T1492 | Stored Data Manipulation | APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.[1]
Enterprise | T1493 | Transmitted Data Manipulation | APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer.[1]
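The Indicator Removal on Host entry above (clearing Windows Event logs and Sysmon logs) is one of the few behaviours in this table that leaves a reliable, host-independent trace: Windows writes Event ID 1102 to the Security log when that log is cleared, and Event ID 104 to the System log (with the cleared channel named in the record) when any other log, including Microsoft-Windows-Sysmon/Operational, is cleared; a Sysmon process-creation event (Event ID 1) also captures the command line of tools such as wevtutil or the PowerShell Clear-EventLog cmdlet. The following detection logic is an added example written for this page; it is not code from MITRE, from the cited reports, or from any APT38 tooling. The event records, field names (channel, event_id, cleared_channel, command_line) and host names are constructed for the example and are assumptions about how a SIEM would normalise forwarded Windows events.

```python
import re

# Constructed sample telemetry (not real APT38 data). Each dict mimics a
# Windows event after forwarding to a SIEM; the field names are assumptions
# made for this example, not a standard schema.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "host": "wks01", "user": "jdoe"},
    # Security log cleared: Windows logs 1102 in the Security log itself.
    {"channel": "Security", "event_id": 1102, "host": "wks01", "user": "jdoe"},
    # Any other log cleared: Windows logs 104 in the System log and names the channel.
    {"channel": "System", "event_id": 104, "host": "wks01", "user": "jdoe",
     "cleared_channel": "Microsoft-Windows-Sysmon/Operational"},
    # Sysmon process creation showing the command that did the clearing.
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1, "host": "wks01",
     "user": "jdoe", "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil cl Microsoft-Windows-Sysmon/Operational"},
    # Benign wevtutil use (querying, not clearing) that must not alert.
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1, "host": "wks01",
     "user": "jdoe", "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil qe Security /c:5"},
    # PowerShell equivalent of wevtutil cl.
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1, "host": "wks02",
     "user": "admin",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -c Clear-EventLog -LogName Security"},
]

# Command lines that clear a log: "wevtutil cl <log>", its long form
# "wevtutil clear-log <log>", and the Clear-EventLog cmdlet.
CLEAR_CMD = re.compile(
    r"(?:\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|\bclear-eventlog\b)",
    re.IGNORECASE,
)


def detect_log_clearing(events):
    """Return (rule, host, user, detail) tuples for every log-clearing indicator.

    Three independent signals are checked so that an attacker who clears one
    log still trips a record kept in another:
      - Security 1102: the Security log was cleared.
      - System 104: some other log was cleared (cleared_channel says which).
      - Sysmon 1 with a clearing command line: the tool invocation itself.
    """
    alerts = []
    for ev in events:
        channel = ev.get("channel", "")
        eid = ev.get("event_id")
        host, user = ev.get("host", "?"), ev.get("user", "?")
        if channel == "Security" and eid == 1102:
            alerts.append(("security_log_cleared", host, user, "Security"))
        elif channel == "System" and eid == 104:
            alerts.append(("event_log_cleared", host, user,
                           ev.get("cleared_channel", "unknown")))
        elif eid == 1 and channel.lower().endswith("sysmon/operational"):
            cmd = ev.get("command_line", "")
            if CLEAR_CMD.search(cmd):
                alerts.append(("log_clear_command", host, user, cmd))
    return alerts


def hosts_with_clearing(events):
    """Set of hosts that produced at least one log-clearing indicator."""
    return {host for _, host, _, _ in detect_log_clearing(events)}


if __name__ == "__main__":
    for alert in detect_log_clearing(SAMPLE_EVENTS):
        print(alert)
```

The 1102 and 104 records are only useful if they reach the collector before the attacker's next action, because a second `wevtutil cl System` removes the 104 that recorded the first clear; forward Security, System and Sysmon channels off-host continuously rather than polling them. The Sysmon process-creation check is the fallback for exactly that case.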

Software

ID | Name | References | Techniques
S0334 | DarkComet | [1] | Audio Capture, Clipboard Data, Command-Line Interface, Disabling Security Tools, Input Capture, Masquerading, Modify Registry, Process Discovery, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Remote File Copy, Scripting, Software Packing, Standard Application Layer Protocol, System Information Discovery, System Owner/User Discovery, Video Capture
S0002 | Mimikatz | [1] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0039 | Net | [1] | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares

References