1. Home
  2. Groups
  3. APT38

APT38

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [2] and Banco de Chile [2]; some of their attacks have been destructive.[1][2][3][4]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

ID: G0082
Associated Groups: NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima, Sapphire Sleet, COPERNICIUM
Contributors: Hiroki Nagahama, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 3.1
Created: 29 January 2019
Last Modified: 22 January 2025
Version Permalink

Associated Group Descriptions

Name Description
NICKEL GLADSTONE

[5]
BeagleBoyz

[1]
Bluenoroff

[4]
Stardust Chollima

[6][7]
Sapphire Sleet

[8]
COPERNICIUM

[8]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

APT38 has used the legitimate application ieinstal.exe to bypass UAC.[9]

Enterprise T1583 .001 Acquire Infrastructure: Domains

APT38 has created fake domains to imitate legitimate venture capital or bank domains.[9]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.[2]
Enterprise T1217 Browser Information Discovery

APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.[1]
Enterprise T1110 Brute Force

APT38 has used brute force techniques to attempt account access when passwords are unknown or when password hashes are unavailable.[1]
Enterprise T1115 Clipboard Data

APT38 used a Trojan called KEYLIME to collect data from the clipboard.[2]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT38 has used PowerShell to execute commands and other operational tasks.[1]
.003 Command and Scripting Interpreter: Windows Command Shell

APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.[2] Additionally, APT38 has used batch scripts.[9]

.005 Command and Scripting Interpreter: Visual Basic

APT38 has used VBScript to execute commands and other operational tasks.[1][9]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

APT38 has installed a new Windows service to establish persistence.[1]
Enterprise T1485 Data Destruction

APT38 has used a custom secure delete function to make deleted files unrecoverable.[2]
Enterprise T1486 Data Encrypted for Impact

APT38 has used Hermes ransomware to encrypt files with AES256.[2]
Enterprise T1005 Data from Local System

APT38 has collected data from a compromised host.[1]
Enterprise T1565 .001 Data Manipulation: Stored Data Manipulation

APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.[2]
.002 Data Manipulation: Transmitted Data Manipulation

APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer.[2]
.003 Data Manipulation: Runtime Data Manipulation

APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user.[2]
Enterprise T1140 Deobfuscate/Decode Files or Information

APT38 has used the RC4 algorithm to decrypt configuration data. [9]

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.[2]
Enterprise T1189 Drive-by Compromise

APT38 has conducted watering holes schemes to gain initial access to victims.[2][1]
Enterprise T1480 .002 Execution Guardrails: Mutual Exclusion

APT38 has created a mutex to avoid duplicate execution.[9]

Enterprise T1083 File and Directory Discovery

APT38 have enumerated files and directories, or searched in specific locations within a compromised host.[1]
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

APT38 has unhooked DLLs to disable endpoint detection and response (EDR) or anti-virus (AV) tools.[9]

.003 Impair Defenses: Impair Command History Logging

APT38 has prepended a space to all of their terminal commands to operate without leaving traces in the HISTCONTROL environment.[1]
.004 Impair Defenses: Disable or Modify System Firewall

APT38 have created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.[1]
Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

APT38 clears Window Event logs and Sysmon logs from the system.[2]
.004 Indicator Removal: File Deletion

APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process.[2][1]
.006 Indicator Removal: Timestomp

APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.[1]
Enterprise T1105 Ingress Tool Transfer

APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.[2] Additionally, APT38 has downloaded other payloads onto a victim’s machine.[9]

Enterprise T1056 .001 Input Capture: Keylogging

APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.[2]
Enterprise T1036 .003 Masquerading: Rename Legitimate Utilities

APT38 has renamed system utilities, such as rundll32.exe and mshta.exe, to avoid detection.[9]

.006 Masquerading: Space after Filename

APT38 has put several spaces before a file extension to avoid detection and suspicion.[9]

Enterprise T1112 Modify Registry

APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.[2]
Enterprise T1106 Native API

APT38 has used the Windows API to execute code within a victim's system.[1]

Enterprise T1135 Network Share Discovery

APT38 has enumerated network shares on a compromised host.[1]
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.[2]
Enterprise T1588 .002 Obtain Capabilities: Tool

APT38 has obtained and used open-source tools such as Mimikatz.[10]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT38 has conducted spearphishing campaigns using malicious email attachments.[1]
Enterprise T1057 Process Discovery

APT38 leveraged Sysmon to understand the processes, services in the organization.[2]
Enterprise T1055 Process Injection

APT38 has injected malicious payloads into the explorer.exe process.[9]

Enterprise T1053 .003 Scheduled Task/Job: Cron

APT38 has used cron to create pre-scheduled and periodic background jobs on a Linux system.[1]
.005 Scheduled Task/Job: Scheduled Task

APT38 has used Task Scheduler to run programs at system startup or on a scheduled basis for persistence.[1] Additionally, APT38 has used living-off-the-land scripts to execute a malicious script via a scheduled task.[9]

Enterprise T1505 .003 Server Software Component: Web Shell

APT38 has used web shells for persistence or to ensure redundant access.[1]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system.[1][9]
Enterprise T1553 .005 Subvert Trust Controls: Mark-of-the-Web Bypass

APT38 has used ISO and VHD files to deploy malware and to bypass Mark-of-the-Web (MOTW) security measures.[9]

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

APT38 has used CHM files to move concealed payloads.[11]
.005 System Binary Proxy Execution: Mshta

APT38 has used a renamed version of mshta.exe to execute malicious HTML files.[9]

.007 System Binary Proxy Execution: Msiexec

APT38 has used msiexec.exe to execute malicious files.[9]

.011 System Binary Proxy Execution: Rundll32

APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools.[1][9]
Enterprise T1082 System Information Discovery

APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs.[1]
Enterprise T1049 System Network Connections Discovery

APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.[2]
Enterprise T1033 System Owner/User Discovery

APT38 has identified primary users, currently logged in users, sets of users that commonly use a system, or inactive users.[1]
Enterprise T1569 .002 System Services: Service Execution

APT38 has created new services or modified existing ones to run executables, commands, or scripts.[1]
Enterprise T1529 System Shutdown/Reboot

APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.[2]
Enterprise T1204 .001 User Execution: Malicious Link

APT38 has used links to execute a malicious Visual Basic script.[9]

.002 User Execution: Malicious File

APT38 has attempted to lure victims into enabling malicious macros within email attachments.[1] Additionally, APT38 has used malicious Word documents and shortcut files.[9]

Software

ID Name References Techniques
S0334 DarkComet [2] Application Layer Protocol: Web Protocols, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Resource Name or Location, Modify Registry, Obfuscated Files or Information: Software Packing, Process Discovery, Remote Services: Remote Desktop Protocol, System Information Discovery, System Owner/User Discovery, Video Capture
S0593 ECCENTRICBANDWAGON [1] Command and Scripting Interpreter: Windows Command Shell, Data Staged: Local Data Staging, Indicator Removal: File Deletion, Input Capture: Keylogging, Obfuscated Files or Information, Screen Capture
S0376 HOPLIGHT [1] Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Device Driver Discovery, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Ingress Tool Transfer, Modify Registry, Non-Standard Port, OS Credential Dumping: Security Account Manager, Process Injection, Proxy, Query Registry, System Information Discovery, System Services: Service Execution, System Time Discovery, Use Alternate Authentication Material: Pass the Hash, Windows Management Instrumentation
S0607 KillDisk [10] Access Token Manipulation, Data Destruction, Data Destruction, Data Encrypted for Impact, Disk Wipe: Disk Structure Wipe, File and Directory Discovery, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, Indicator Removal on Host, Loss of View, Masquerading: Masquerade Task or Service, Native API, Obfuscated Files or Information, Process Discovery, Service Stop, Service Stop, Shared Modules, System Information Discovery, System Shutdown/Reboot
S0002 Mimikatz [2] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [2] Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery

References

  1. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  2. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.
  3. Department of Justice. (2021, February 17). Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe. Retrieved June 9, 2021.
  4. GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.
  5. SecureWorks. (2021, September 29). NICKEL GLADSTONE Threat Profile. Retrieved September 29, 2021.
  6. Meyers, Adam. (2018, April 6). Meet CrowdStrike’s Adversary of the Month for April: STARDUST CHOLLIMA. Retrieved September 29, 2021.
  1. CrowdStrike. (2021, June 7). CrowdStrike 2021 Global Threat Report. Retrieved September 29, 2021.
  2. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  3. SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
  4. Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.
  5. GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.