APT38
APT38 is a financially-motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014.[1]
North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.[2] Some organizations track North Korean clusters or groups such as Bluenoroff,[3] APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1115 | Clipboard Data |
APT38 used a Trojan called KEYLIME to collect data from the clipboard.[1] |
| Enterprise | T1059 | Command-Line Interface |
APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.[1] |
| Enterprise | T1485 | Data Destruction |
APT38 has used a custom secure delete function to make deleted files unrecoverable.[1] |
| Enterprise | T1486 | Data Encrypted for Impact |
APT38 has used Hermes ransomware to encrypt files with AES256.[1] |
| Enterprise | T1487 | Disk Structure Wipe |
APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.[1] |
| Enterprise | T1189 | Drive-by Compromise |
APT38 has conducted watering holes schemes to gain initial access to victims.[1] |
| Enterprise | T1107 | File Deletion |
APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system.[1] |
| Enterprise | T1070 | Indicator Removal on Host |
APT38 clears Window Event logs and Sysmon logs from the system.[1] |
| Enterprise | T1056 | Input Capture |
APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.[1] |
| Enterprise | T1112 | Modify Registry |
APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.[1] |
| Enterprise | T1057 | Process Discovery |
APT38 leveraged Sysmon to understand the processes, services in the organization.[1] |
| Enterprise | T1105 | Remote File Copy |
APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.[1] |
| Enterprise | T1494 | Runtime Data Manipulation |
APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user.[1] |
| Enterprise | T1045 | Software Packing |
APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol |
APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.[1] |
| Enterprise | T1492 | Stored Data Manipulation |
APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.[1] |
| Enterprise | T1049 | System Network Connections Discovery |
APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.[1] |
| Enterprise | T1529 | System Shutdown/Reboot |
APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.[1] |
| Enterprise | T1493 | Transmitted Data Manipulation |
APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer.[1] |