Register to stream ATT&CKcon 2.0 October 29-30
GROUPS
Overview admin@338 APT1 APT12 APT16 APT17 APT18 APT19 APT28 APT29 APT3 APT30 APT32 APT33 APT37 APT38 APT39 Axiom BlackOasis BRONZE BUTLER Carbanak Charming Kitten Cleaver Cobalt Group CopyKittens Dark Caracal Darkhotel DarkHydrus Deep Panda Dragonfly Dragonfly 2.0 DragonOK Dust Storm Elderwood Equation FIN10 FIN4 FIN5 FIN6 FIN7 FIN8 Gallmaker Gamaredon Group GCMAN Gorgon Group Group5 Honeybee Ke3chang Lazarus Group Leafminer Leviathan Lotus Blossom Magic Hound menuPass Moafee Molerats MuddyWater Naikon NEODYMIUM Night Dragon OilRig Orangeworm Patchwork PittyTiger PLATINUM Poseidon Group PROMETHIUM Putter Panda Rancor RTM Sandworm Team Scarlet Mimic Silence SilverTerrier Soft Cell Sowbug Stealth Falcon Stolen Pencil Strider Suckfly TA459 TA505 Taidoor TEMP.Veles The White Company Threat Group-1314 Threat Group-3390 Thrip Tropic Trooper Turla Winnti Group WIRTE
  1. Home
  2. Groups
  3. APT38

APT38

APT38 is a financially-motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014.[1]

North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.[2] Some organizations track North Korean clusters or groups such as Bluenoroff,[3] APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.

ID: G0082
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1115 Clipboard Data APT38 used a Trojan called KEYLIME to collect data from the clipboard. [1]
Enterprise T1059 Command-Line Interface APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine. [1]
Enterprise T1485 Data Destruction APT38 has used a custom secure delete function to make deleted files unrecoverable. [1]
Enterprise T1486 Data Encrypted for Impact APT38 has used Hermes ransomware to encrypt files with AES256. [1]
Enterprise T1487 Disk Structure Wipe APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable. [1]
Enterprise T1189 Drive-by Compromise APT38 has conducted watering holes schemes to gain initial access to victims. [1]
Enterprise T1107 File Deletion APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. [1]
Enterprise T1070 Indicator Removal on Host APT38 clears Window Event logs and Sysmon logs from the system. [1]
Enterprise T1056 Input Capture APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine. [1]
Enterprise T1112 Modify Registry APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys. [1]
Enterprise T1013 Port Monitors APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system. [1]
Enterprise T1057 Process Discovery APT38 leveraged Sysmon to understand the processes, services in the organization. [1]
Enterprise T1105 Remote File Copy APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine. [1]
Enterprise T1494 Runtime Data Manipulation APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user. [1]
Enterprise T1045 Software Packing APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants. [1]
Enterprise T1071 Standard Application Layer Protocol APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS. [1]
Enterprise T1492 Stored Data Manipulation APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions. [1]
Enterprise T1493 Transmitted Data Manipulation APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer. [1]

Software

ID Name References Techniques
S0334 DarkComet [1] Audio Capture, Clipboard Data, Command-Line Interface, Disabling Security Tools, Input Capture, Masquerading, Modify Registry, Process Discovery, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Remote File Copy, Scripting, Software Packing, Standard Application Layer Protocol, System Information Discovery, System Owner/User Discovery, Video Capture
S0002 Mimikatz [1] Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0039 Net [1] Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares

References

  1. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  2. US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.
  1. GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.