
G0082 APT38

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. [1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive. [1][2][3][4]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

ID: G0082
Associated Names: NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima
Version: 2.0
Created: 29 January 2019
Last Modified: 18 January 2022

Associated Group Descriptions

Name | References
NICKEL GLADSTONE | [5]
BeagleBoyz | [1]
Bluenoroff | [4]
Stardust Chollima | [6][7]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1071 | Application Layer Protocol | -
Enterprise | T1071.001 | Web Protocols | APT38 used a backdoor, QUICKRIDE, to communicate with the C2 server over HTTP and HTTPS. [2]
Enterprise | T1217 | Browser Information Discovery | APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources. [1]
Enterprise | T1110 | Brute Force | APT38 has used brute force techniques to attempt account access when passwords are unknown or when password hashes are unavailable. [1]
Enterprise | T1115 | Clipboard Data | APT38 used a Trojan called KEYLIME to collect data from the clipboard. [2]
Enterprise | T1059 | Command and Scripting Interpreter | -
Enterprise | T1059.001 | PowerShell | APT38 has used PowerShell to execute commands and other operational tasks. [1]
Enterprise | T1059.003 | Windows Command Shell | APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim's machine. [2]
Enterprise | T1059.005 | Visual Basic | APT38 has used VBScript to execute commands and other operational tasks. [1]
Enterprise | T1543 | Create or Modify System Process | -
Enterprise | T1543.003 | Windows Service | APT38 has installed a new Windows service to establish persistence. [1]
Enterprise | T1485 | Data Destruction | APT38 has used a custom secure delete function to make deleted files unrecoverable. [2]
Enterprise | T1486 | Data Encrypted for Impact | APT38 has used Hermes ransomware to encrypt files with AES-256. [2]
Enterprise | T1005 | Data from Local System | APT38 has collected data from a compromised host. [1]
Enterprise | T1565 | Data Manipulation | -
Enterprise | T1565.001 | Stored Data Manipulation | APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions. [2]
Enterprise | T1565.002 | Transmitted Data Manipulation | APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer. [2]
Enterprise | T1565.003 | Runtime Data Manipulation | APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed, removing traces of fraudulent SWIFT transactions from the data displayed to the end user. [2]
Enterprise | T1561 | Disk Wipe | -
Enterprise | T1561.002 | Disk Structure Wipe | APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable. [2]
Enterprise | T1189 | Drive-by Compromise | APT38 has conducted watering hole schemes to gain initial access to victims. [2][1]
Enterprise | T1083 | File and Directory Discovery | APT38 has enumerated files and directories, or searched specific locations, on a compromised host. [1]
Enterprise | T1562 | Impair Defenses | -
Enterprise | T1562.003 | Impair Command History Logging | APT38 has prepended a space to all of their terminal commands so that they are not recorded in the shell history governed by the HISTCONTROL environment variable. [1]
Enterprise | T1562.004 | Disable or Modify System Firewall | APT38 has created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443. [1]
Enterprise | T1070 | Indicator Removal | -
Enterprise | T1070.001 | Clear Windows Event Logs | APT38 clears Windows Event logs and Sysmon logs from the system. [2]
Enterprise | T1070.004 | File Deletion | APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process. [2][1]
Enterprise | T1070.006 | Timestomp | APT38 has modified file timestamps to mimic those of other files in the same folder on a compromised host. [1]
Enterprise | T1105 | Ingress Tool Transfer | APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim's machine. [2]
Enterprise | T1056 | Input Capture | -
Enterprise | T1056.001 | Keylogging | APT38 used a Trojan called KEYLIME to capture keystrokes from the victim's machine. [2]
Enterprise | T1112 | Modify Registry | APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys. [2]
Enterprise | T1106 | Native API | APT38 has used the Windows API to execute code within a victim's system. [1]
Enterprise | T1135 | Network Share Discovery | APT38 has enumerated network shares on a compromised host. [1]
Enterprise | T1027 | Obfuscated Files or Information | -
Enterprise | T1027.002 | Software Packing | APT38 has used several code packing methods, such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants. [2]
Enterprise | T1588 | Obtain Capabilities | -
Enterprise | T1588.002 | Tool | APT38 has obtained and used open-source tools such as Mimikatz. [9]
Enterprise | T1566 | Phishing | -
Enterprise | T1566.001 | Spearphishing Attachment | APT38 has conducted spearphishing campaigns using malicious email attachments. [1]
Enterprise | T1057 | Process Discovery | APT38 leveraged Sysmon to understand the processes and services in the organization. [2]
Enterprise | T1053 | Scheduled Task/Job | -
Enterprise | T1053.003 | Cron | APT38 has used cron to create pre-scheduled and periodic background jobs on a Linux system. [1]
Enterprise | T1053.005 | Scheduled Task | APT38 has used Task Scheduler to run programs at system startup or on a scheduled basis for persistence. [1]
Enterprise | T1505 | Server Software Component | -
Enterprise | T1505.003 | Web Shell | APT38 has used web shells for persistence or to ensure redundant access. [1]
Enterprise | T1518 | Software Discovery | -
Enterprise | T1518.001 | Security Software Discovery | APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system. [1]
Enterprise | T1218 | System Binary Proxy Execution | -
Enterprise | T1218.001 | Compiled HTML File | APT38 has used CHM files to move concealed payloads. [8]
Enterprise | T1218.011 | Rundll32 | APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files, and to execute code via proxy to avoid triggering security tools. [1]
Enterprise | T1082 | System Information Discovery | APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs. [1]
Enterprise | T1049 | System Network Connections Discovery | APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system. [2]
Enterprise | T1033 | System Owner/User Discovery | APT38 has identified primary users, currently logged-in users, sets of users that commonly use a system, or inactive users. [1]
Enterprise | T1569 | System Services | -
Enterprise | T1569.002 | Service Execution | APT38 has created new services or modified existing ones to run executables, commands, or scripts. [1]
Enterprise | T1529 | System Shutdown/Reboot | APT38 has used a custom MBR wiper named BOOTWRECK, which initiates a system reboot after wiping the victim's MBR. [2]
Enterprise | T1204 | User Execution | -
Enterprise | T1204.002 | Malicious File | APT38 has attempted to lure victims into enabling malicious macros within email attachments. [1]

Software

ID | Name | References | Techniques
S0334 | DarkComet | [2] | Web Protocols: Application Layer Protocol; Audio Capture; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Clipboard Data; Command and Scripting Interpreter; Windows Command Shell: Command and Scripting Interpreter; Disable or Modify System Firewall: Impair Defenses; Disable or Modify Tools: Impair Defenses; Ingress Tool Transfer; Keylogging: Input Capture; Match Legitimate Name or Location: Masquerading; Modify Registry; Software Packing: Obfuscated Files or Information; Process Discovery; Remote Desktop Protocol: Remote Services; System Information Discovery; System Owner/User Discovery; Video Capture
S0593 | ECCENTRICBANDWAGON | [1] | Windows Command Shell: Command and Scripting Interpreter; Local Data Staging: Data Staged; File Deletion: Indicator Removal; Keylogging: Input Capture; Obfuscated Files or Information; Screen Capture
S0376 | HOPLIGHT | [1] | Windows Command Shell: Command and Scripting Interpreter; Standard Encoding: Data Encoding; Device Driver Discovery; Exfiltration Over C2 Channel; Fallback Channels; File and Directory Discovery; Disable or Modify System Firewall: Impair Defenses; Ingress Tool Transfer; Modify Registry; Non-Standard Port; Security Account Manager: OS Credential Dumping; Process Injection; Proxy; Query Registry; System Information Discovery; Service Execution: System Services; System Time Discovery; Pass the Hash: Use Alternate Authentication Material; Windows Management Instrumentation
S0607 | KillDisk | [9] | Access Token Manipulation; Data Destruction; Data Destruction; Data Encrypted for Impact; Disk Structure Wipe: Disk Wipe; File and Directory Discovery; Clear Windows Event Logs: Indicator Removal; File Deletion: Indicator Removal; Indicator Removal on Host; Loss of View; Masquerade Task or Service: Masquerading; Native API; Obfuscated Files or Information; Process Discovery; Service Stop; Service Stop; Shared Modules; System Information Discovery; System Shutdown/Reboot
S0002 | Mimikatz | [2] | SID-History Injection: Access Token Manipulation; Account Manipulation; Security Support Provider: Boot or Logon Autostart Execution; Credentials from Password Stores; Windows Credential Manager: Credentials from Password Stores; Credentials from Web Browsers: Credentials from Password Stores; LSASS Memory: OS Credential Dumping; DCSync: OS Credential Dumping; Security Account Manager: OS Credential Dumping; LSA Secrets: OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Silver Ticket: Steal or Forge Kerberos Tickets; Golden Ticket: Steal or Forge Kerberos Tickets; Private Keys: Unsecured Credentials; Pass the Ticket: Use Alternate Authentication Material; Pass the Hash: Use Alternate Authentication Material
S0039 | Net | [2] | Domain Account: Account Discovery; Local Account: Account Discovery; Local Account: Create Account; Domain Account: Create Account; Network Share Connection Removal: Indicator Removal; Network Share Discovery; Password Policy Discovery; Local Groups: Permission Groups Discovery; Domain Groups: Permission Groups Discovery; SMB/Windows Admin Shares: Remote Services; Remote System Discovery; System Network Connections Discovery; System Service Discovery; Service Execution: System Services; System Time Discovery

References