APT38

APT38 is a financially motivated threat group backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014.[1]

North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.[2] Some organizations track North Korean clusters or groups such as Bluenoroff,[3] APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.

ID: G0082
Version: 1.2
Created: 29 January 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT38 used a backdoor, QUICKRIDE, to communicate with its C2 server over HTTP and HTTPS.[1]

Enterprise T1115 Clipboard Data

APT38 used a Trojan called KEYLIME to collect data from the clipboard.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.[1]

Enterprise T1485 Data Destruction

APT38 has used a custom secure delete function to make deleted files unrecoverable.[1]

Enterprise T1486 Data Encrypted for Impact

APT38 has used Hermes ransomware to encrypt files with AES-256.[1]

Enterprise T1565 .003 Data Manipulation: Runtime Data Manipulation

APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user.[1]

Enterprise T1565 .002 Data Manipulation: Transmitted Data Manipulation

APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer.[1]

Enterprise T1565 .001 Data Manipulation: Stored Data Manipulation

APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.[1]

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.[1]

Enterprise T1189 Drive-by Compromise

APT38 has conducted watering hole attacks to gain initial access to victims.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system.[1]

Enterprise T1070 .001 Indicator Removal on Host: Clear Windows Event Logs

APT38 clears Windows Event Logs and Sysmon logs from the system.[1]
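Log clearing leaves its own trace: Windows writes Security event 1102 when the audit log is cleared and System event 104 when any other channel (including Sysmon's) is cleared, and the clearing command itself shows up in process-creation telemetry. The detector below is an added example, not part of the ATT&CK page or any APT38 tooling; the records are constructed to look like JSON-normalized events from a SIEM, and the field names (Channel, EventID, TargetChannel, CommandLine) are an assumption for this illustration.

```python
"""Flag Windows event-log clearing (ATT&CK T1070.001) in normalized event records.

Added example, not from the ATT&CK page. Field names are an assumption for
this illustration; map them to your SIEM's schema.
"""
import re

# Event IDs Windows itself writes when a log is cleared:
#   Security 1102 -> "The audit log was cleared"
#   System   104  -> "The <Channel> log file was cleared" (this is how clearing
#                    Microsoft-Windows-Sysmon/Operational shows up)
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}

# Process-creation events that carry a command line: Sysmon 1 and Security 4688.
PROCESS_CREATE_EVENTS = {("Microsoft-Windows-Sysmon/Operational", 1), ("Security", 4688)}

# Command lines that clear logs.
CLEAR_CMD_PATTERNS = [
    re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE),
    re.compile(r"\bClear-EventLog\b", re.IGNORECASE),
    re.compile(r"\bRemove-EventLog\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\s+nteventlog\b.*\bcleareventlog\b", re.IGNORECASE),
]


def detect_log_clearing(events):
    """Return a list of (reason, event) tuples for records that indicate log clearing."""
    hits = []
    for ev in events:
        key = (ev.get("Channel"), ev.get("EventID"))
        if key in LOG_CLEARED_EVENTS:
            # TargetChannel (assumed field name) names the cleared log for event 104;
            # for 1102 the cleared log is the Security log itself.
            target = ev.get("TargetChannel", key[0])
            hits.append((f"log cleared: {target}", ev))
            continue
        if key in PROCESS_CREATE_EVENTS:
            cmd = ev.get("CommandLine", "")
            if any(p.search(cmd) for p in CLEAR_CMD_PATTERNS):
                hits.append((f"log-clearing command: {cmd}", ev))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "Host": "WS01", "SubjectUserName": "alice"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Host": "WS01",
     "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Microsoft-Windows-Sysmon/Operational"},
    {"Channel": "System", "EventID": 104, "Host": "WS01",
     "TargetChannel": "Microsoft-Windows-Sysmon/Operational", "SubjectUserName": "alice"},
    {"Channel": "Security", "EventID": 1102, "Host": "WS01", "SubjectUserName": "alice"},
    {"Channel": "Security", "EventID": 4688, "Host": "WS01",
     "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

if __name__ == "__main__":
    for reason, ev in detect_log_clearing(SAMPLE_EVENTS):
        print(f"{ev['Host']}: {reason}")
```

Because the 104/1102 records are written by the Event Log service rather than by the cleared log, they survive the clearing; the practical gap is that an actor who clears the System log last removes the 104 entries, so forward the events off-host as they are written rather than relying on the local copy.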

Enterprise T1105 Ingress Tool Transfer

APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.[1]

Enterprise T1056 .001 Input Capture: Keylogging

APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.[1]

Enterprise T1112 Modify Registry

APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

APT38 has used several code packing methods, such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.[1]
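Packed implants are cheap to triage before any unpacking: the packed payload is compressed or encrypted, so its sections have near-maximal byte entropy, and several commercial packers also leave recognisable section names. The script below is an added example, not from the ATT&CK page; it works on (section name, raw bytes) pairs so it runs without a PE parser (with pefile you would build that list from the file's section table). The 7.0 bits/byte threshold and the section-name table are assumptions for the illustration, and the sample sections are constructed, not taken from real binaries.

```python
"""Heuristic packer triage (ATT&CK T1027.002): section entropy and packer section names.

Added example, not from the ATT&CK page. Threshold and section-name table are
assumptions for the illustration.
"""
import hashlib
import math
from collections import Counter

# Section names commonly left by packers named on the page. Obsidium is not
# listed here because it does not leave a fixed name; the entropy check covers it.
PACKER_SECTION_NAMES = {
    ".themida": "Themida",
    ".vmp0": "VMProtect",
    ".vmp1": "VMProtect",
    ".enigma1": "Enigma",
    ".enigma2": "Enigma",
}

HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_sections(sections):
    """Return per-section entropy plus the reasons the file looks packed, if any."""
    reasons = []
    report = {}
    for name, data in sections:
        ent = shannon_entropy(data)
        report[name] = round(ent, 2)
        packer = PACKER_SECTION_NAMES.get(name.lower())
        if packer:
            reasons.append(f"{name}: section name associated with {packer}")
        if ent >= HIGH_ENTROPY:
            reasons.append(f"{name}: entropy {ent:.2f} >= {HIGH_ENTROPY}")
    return {"sections": report, "packed": bool(reasons), "reasons": reasons}


def _pseudo_random(n, seed=b"packed"):
    """Deterministic high-entropy bytes, standing in for a packed section."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample sections (not real binaries).
PLAIN_SECTIONS = [
    (".text", b"\x55\x8b\xec\x83\xec\x10" * 600),            # repetitive x86 prologue bytes
    (".data", b"Hello from a plain, unpacked program.\x00" * 100),
]
PACKED_SECTIONS = [
    (".text", b"\x00" * 4096),                # stub: real code is restored at runtime
    (".vmp0", _pseudo_random(8192)),
    (".vmp1", _pseudo_random(4096, b"other")),
]

if __name__ == "__main__":
    for label, secs in (("plain", PLAIN_SECTIONS), ("packed", PACKED_SECTIONS)):
        print(label, triage_sections(secs))
```

Entropy alone produces false positives on legitimate resources (embedded images, certificates, compressed data), so treat the output as a triage score that routes the sample to a sandbox or to manual unpacking rather than as a verdict.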

Enterprise T1057 Process Discovery

APT38 leveraged Sysmon to understand the processes and services running in the organization.[1]

Enterprise T1049 System Network Connections Discovery

APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.[1]

Enterprise T1529 System Shutdown/Reboot

APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.[1]
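An MBR wipe, as described for BOOTWRECK above under Disk Structure Wipe and here, leaves a first sector that no longer looks like a boot sector, and the forced reboot is what turns that into an unbootable machine. The script below is an added example, not from the ATT&CK page, and BOOTWRECK's internals are not described there; it only models the generic result of a wipe by checking the fixed layout of a classic MBR (boot code at offset 0, four 16-byte partition entries at 446, the 0x55AA signature at 510) and by comparing the boot code against a known-good hash. The sample sectors are constructed, not images of real disks.

```python
"""Check whether a 512-byte sector is still a plausible MBR (ATT&CK T1561.002).

Added example, not from the ATT&CK page. Models only the generic effect of an
MBR wipe; it does not describe BOOTWRECK's actual code.
"""
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFF = 446   # four 16-byte partition entries start here
ENTRY_LEN = 16
SIG_OFF = 510          # boot signature 0x55 0xAA


def parse_partition_entry(entry):
    """Decode one 16-byte MBR partition entry."""
    boot, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": boot == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector):
    """Return signature validity, non-empty partition entries and a hash of the boot code."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    sig_ok = sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * ENTRY_LEN
        e = parse_partition_entry(sector[off:off + ENTRY_LEN])
        if e["type"] != 0 or e["sectors"] != 0:
            entries.append(e)
    return {"signature_ok": sig_ok, "partitions": entries,
            "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFF]).hexdigest()}


def mbr_looks_wiped(sector, known_boot_code_sha256=None):
    """True if the signature or partition table is gone, or the boot code no longer matches."""
    info = parse_mbr(sector)
    if not info["signature_ok"] or not info["partitions"]:
        return True
    if known_boot_code_sha256 and info["boot_code_sha256"] != known_boot_code_sha256:
        return True
    return False


def build_sample_mbr():
    """Construct a plausible MBR (not a real one) for the demonstration."""
    boot_code = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 400).ljust(PART_TABLE_OFF, b"\x00")
    # One bootable NTFS partition (type 0x07) starting at LBA 2048, 100 GiB long.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff",
                        2048, 209715200)
    table = entry + b"\x00" * (ENTRY_LEN * 3)
    return boot_code + table + b"\x55\xaa"


GOOD_MBR = build_sample_mbr()
ZEROED_MBR = b"\x00" * SECTOR                      # sector overwritten with zeros
GARBAGE_MBR = hashlib.sha256(b"x").digest() * 16    # 512 bytes of noise, no signature

if __name__ == "__main__":
    baseline = parse_mbr(GOOD_MBR)["boot_code_sha256"]
    for label, s in (("good", GOOD_MBR), ("zeroed", ZEROED_MBR), ("garbage", GARBAGE_MBR)):
        print(label, "wiped" if mbr_looks_wiped(s, baseline) else "intact")
```

On a live Windows host the same check would read the first 512 bytes of \\.\PhysicalDrive0 (which needs administrator rights) and compare against a baseline recorded at build time; the complementary detection is Sysmon event 9 (RawAccessRead) or a handle opened on the physical drive by a process that has no business writing to it.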

Software

ID Name References Techniques

S0334 DarkComet [1]
Techniques: Application Layer Protocol: Web Protocols, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify System Firewall, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Modify Registry, Obfuscated Files or Information: Software Packing, Process Discovery, Remote Services: Remote Desktop Protocol, System Information Discovery, System Owner/User Discovery, Video Capture

S0002 Mimikatz [1]
Techniques: Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket

S0039 Net [1]
Techniques: Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery

References