G0082 APT38
APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[3] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext[4] and Banco de Chile[4]; some of their attacks have been destructive.[3][4][2][5]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
| Item | Value |
|---|---|
| ID | G0082 |
| Associated Names | NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima, Sapphire Sleet, COPERNICIUM |
| Version | 3.1 |
| Created | 29 January 2019 |
| Last Modified | 22 January 2025 |
Associated Group Descriptions
| Name | Description |
|---|---|
| NICKEL GLADSTONE | [8] |
| BeagleBoyz | [3] |
| Bluenoroff | [5] |
| Stardust Chollima | [6][1] |
| Sapphire Sleet | [7] |
| COPERNICIUM | [7] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | APT38 has used the legitimate application ieinstal.exe to bypass UAC.[9] |
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | APT38 has created fake domains to imitate legitimate venture capital or bank domains.[9] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | APT38 used a backdoor, QUICKRIDE, to communicate with the C2 server over HTTP and HTTPS.[4] |
| enterprise | T1217 | Browser Information Discovery | APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.[3] |
| enterprise | T1110 | Brute Force | APT38 has used brute force techniques to attempt account access when passwords are unknown or when password hashes are unavailable.[3] |
| enterprise | T1115 | Clipboard Data | APT38 used a Trojan called KEYLIME to collect data from the clipboard.[4] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | APT38 has used PowerShell to execute commands and other operational tasks.[3] |
| enterprise | T1059.003 | Windows Command Shell | APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.[4] Additionally, APT38 has used batch scripts.[9] |
| enterprise | T1059.005 | Visual Basic | APT38 has used VBScript to execute commands and other operational tasks.[3][9] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | APT38 has installed a new Windows service to establish persistence.[3] |
| enterprise | T1485 | Data Destruction | APT38 has used a custom secure delete function to make deleted files unrecoverable.[4] |
| enterprise | T1486 | Data Encrypted for Impact | APT38 has used Hermes ransomware to encrypt files with AES-256.[4] |
| enterprise | T1005 | Data from Local System | APT38 has collected data from a compromised host.[3] |
| enterprise | T1565 | Data Manipulation | - |
| enterprise | T1565.001 | Stored Data Manipulation | APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.[4] |
| enterprise | T1565.002 | Transmitted Data Manipulation | APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer.[4] |
| enterprise | T1565.003 | Runtime Data Manipulation | APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed, removing traces of fraudulent SWIFT transactions from the data displayed to the end user.[4] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | APT38 has used the RC4 algorithm to decrypt configuration data.[9] |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.002 | Disk Structure Wipe | APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.[4] |
| enterprise | T1189 | Drive-by Compromise | APT38 has conducted watering hole attacks to gain initial access to victims.[4][3] |
| enterprise | T1480 | Execution Guardrails | - |
| enterprise | T1480.002 | Mutual Exclusion | APT38 has created a mutex to avoid duplicate execution.[9] |
| enterprise | T1083 | File and Directory Discovery | APT38 has enumerated files and directories, or searched in specific locations, within a compromised host.[3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | APT38 has unhooked DLLs to disable endpoint detection and response (EDR) or anti-virus (AV) tools.[9] |
| enterprise | T1562.003 | Impair Command History Logging | APT38 has prepended a space to all of their terminal commands so that, where the HISTCONTROL environment variable contains ignorespace or ignoreboth, the shell does not write them to the history file and the commands leave no trace there.[3] |
| enterprise | T1562.004 | Disable or Modify System Firewall | APT38 has created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.[3] |
| enterprise | T1562.013 | Disable or Modify Network Device Firewall | APT38 has created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.[3] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | APT38 clears Windows Event logs and Sysmon logs from the system.[4] |
| enterprise | T1070.004 | File Deletion | APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process.[4][3] |
| enterprise | T1070.006 | Timestomp | APT38 has modified file timestamps to mimic those of files in the same folder on a compromised host.[3] |
| enterprise | T1105 | Ingress Tool Transfer | APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.[4] Additionally, APT38 has downloaded other payloads onto a victim’s machine.[9] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.[4] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.003 | Rename Legitimate Utilities | APT38 has renamed system utilities, such as rundll32.exe and mshta.exe, to avoid detection.[9] |
| enterprise | T1036.006 | Space after Filename | APT38 has put several spaces before a file extension to avoid detection and suspicion.[9] |
| enterprise | T1112 | Modify Registry | APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.[4] |
| enterprise | T1106 | Native API | APT38 has used the Windows API to execute code within a victim’s system.[3] |
| enterprise | T1135 | Network Share Discovery | APT38 has enumerated network shares on a compromised host.[3] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | APT38 has used several code packing methods, such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.[4] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | APT38 has obtained and used open-source tools such as Mimikatz.[10] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | APT38 has conducted spearphishing campaigns using malicious email attachments.[3] |
| enterprise | T1057 | Process Discovery | APT38 leveraged Sysmon to understand the processes and services running in the organization.[4] |
| enterprise | T1055 | Process Injection | APT38 has injected malicious payloads into the explorer.exe process.[9] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.003 | Cron | APT38 has used cron to create pre-scheduled and periodic background jobs on a Linux system.[3] |
| enterprise | T1053.005 | Scheduled Task | APT38 has used Task Scheduler to run programs at system startup or on a scheduled basis for persistence.[3] Additionally, APT38 has used living-off-the-land scripts to execute a malicious script via a scheduled task.[9] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | APT38 has used web shells for persistence or to ensure redundant access.[3] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system.[3][9] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.005 | Mark-of-the-Web Bypass | APT38 has used ISO and VHD files to deploy malware and to bypass Mark-of-the-Web (MOTW) security measures.[9] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.001 | Compiled HTML File | APT38 has used CHM files to move concealed payloads.[11] |
| enterprise | T1218.005 | Mshta | APT38 has used a renamed version of mshta.exe to execute malicious HTML files.[9] |
| enterprise | T1218.007 | Msiexec | APT38 has used msiexec.exe to execute malicious files.[9] |
| enterprise | T1218.011 | Rundll32 | APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files, and to execute code via proxy to avoid triggering security tools.[3][9] |
| enterprise | T1082 | System Information Discovery | APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs.[3] |
| enterprise | T1049 | System Network Connections Discovery | APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.[4] |
| enterprise | T1033 | System Owner/User Discovery | APT38 has identified primary users, currently logged-in users, sets of users that commonly use a system, or inactive users.[3] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | APT38 has created new services or modified existing ones to run executables, commands, or scripts.[3] |
| enterprise | T1529 | System Shutdown/Reboot | APT38 has used a custom MBR wiper named BOOTWRECK, which initiates a system reboot after wiping the victim’s MBR.[4] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | APT38 has used links to execute a malicious Visual Basic script.[9] |
| enterprise | T1204.002 | Malicious File | APT38 has attempted to lure victims into enabling malicious macros within email attachments.[3] Additionally, APT38 has used malicious Word documents and shortcut files.[9] |
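Several of the host-level behaviours in the table above (renamed rundll32.exe/mshta.exe, spaces inserted before a file extension, firewall exemptions for 443/6443/8443/9443, and clearing of Windows Event and Sysmon logs) are directly detectable from process-creation telemetry. The following is an added example, not code from the ATT&CK page or from any of the cited reports: it runs four simple rules over a handful of constructed Sysmon-style events. The event field names mirror Sysmon Event ID 1 (Image, OriginalFileName, CommandLine); the sample events, the `id` field, and the rule thresholds are assumptions made for the demonstration.

```python
"""Detection rules for APT38 behaviours listed in the technique table, run over
constructed Sysmon-style process-creation events (hypothetical sample data)."""
import re
from pathlib import PureWindowsPath

# T1036.003: utilities the group is reported to rename. Sysmon's OriginalFileName
# comes from the PE version resource, so a stripped or patched resource defeats this.
WATCHED_ORIGINALS = {"rundll32.exe", "mshta.exe"}
# T1562.004 / T1562.013: ports the group is reported to open exemptions for.
SUSPECT_PORTS = {443, 6443, 8443, 9443}
# T1036.006: two or more spaces immediately before a short extension ("Invoice.pdf      .exe").
SPACE_BEFORE_EXT = re.compile(r"\s{2,}\.[A-Za-z0-9]{1,5}$")


def renamed_utility(ev):
    """Image basename differs from the binary's own OriginalFileName."""
    orig = (ev.get("OriginalFileName") or "").lower()
    name = PureWindowsPath(ev["Image"]).name.lower()
    return orig in WATCHED_ORIGINALS and name != orig


def space_before_extension(ev):
    return bool(SPACE_BEFORE_EXT.search(PureWindowsPath(ev["Image"]).name))


def _mentions_suspect_port(spec):
    """spec is the value of netsh's localport= (e.g. '8443', '443,8443', '6443-9443')."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if not lo.isdigit():
            continue
        lo_i, hi_i = int(lo), int(hi) if hi.isdigit() else int(lo)
        if any(lo_i <= p <= hi_i for p in SUSPECT_PORTS):
            return True
    return False


def firewall_exemption(ev):
    """netsh advfirewall ... add rule ... action=allow on one of the watched ports.
    Legitimate administration produces the same command line; triage the rule name
    and the process that spawned netsh before acting on this alone."""
    cl = ev["CommandLine"].lower()
    if not ("netsh" in cl and "advfirewall" in cl and "add rule" in cl and "action=allow" in cl):
        return False
    m = re.search(r"localport=([\d,\-]+)", cl)
    return bool(m) and _mentions_suspect_port(m.group(1))


def log_clearing(ev):
    """wevtutil cl / clear-log <channel>, or PowerShell Clear-EventLog."""
    cl = ev["CommandLine"].lower()
    tokens = cl.split()
    if len(tokens) >= 2:
        exe = PureWindowsPath(tokens[0].strip('"')).name
        if exe in {"wevtutil", "wevtutil.exe"} and tokens[1] in {"cl", "clear-log"}:
            return True
    return "clear-eventlog" in cl


RULES = [
    ("T1036.003", renamed_utility),
    ("T1036.006", space_before_extension),
    ("T1562.004", firewall_exemption),
    ("T1070.001", log_clearing),
]


def detect(events):
    """Return (technique_id, event_id) pairs for every rule that fires on every event."""
    return [(tid, ev["id"]) for ev in events for tid, rule in RULES if rule(ev)]


# Constructed sample events (not real telemetry). Event 1 and 6 are benign controls.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": 2, "Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'"C:\Users\Public\svchost.exe" C:\Users\Public\a.dll,Start'},
    {"id": 3, "Image": r"C:\Users\Public\wsus.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r'"C:\Users\Public\wsus.exe" C:\Users\Public\update.hta'},
    {"id": 4, "Image": r"C:\Users\victim\Downloads\Invoice.pdf      .exe", "OriginalFileName": "",
     "CommandLine": r'"C:\Users\victim\Downloads\Invoice.pdf      .exe"'},
    {"id": 5, "Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Update" dir=in action=allow protocol=TCP localport=8443'},
    {"id": 6, "Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Web" dir=in action=allow protocol=TCP localport=80'},
    {"id": 7, "Image": r"C:\Windows\System32\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": 'wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"'},
    {"id": 8, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell -nop -c "Clear-EventLog -LogName Security"'},
]

if __name__ == "__main__":
    for technique, event_id in detect(SAMPLE_EVENTS):
        print(f"{technique}  event {event_id}")
```

The rules are deliberately narrow: the renamed-utility check depends on the PE version resource that Sysmon reads, the filename check only catches the specific spacing trick the table describes, and both the firewall and log-clearing checks will fire on routine administration, so they are better treated as triage signals correlated with the parent process and user than as standalone alerts.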
Software
References
1. CrowdStrike. (2021, June 7). CrowdStrike 2021 Global Threat Report. Retrieved September 29, 2021.
2. Department of Justice. (2021, February 17). Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe. Retrieved June 9, 2021.
3. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
4. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.
5. GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.
6. Meyers, Adam. (2018, April 6). Meet CrowdStrike’s Adversary of the Month for April: STARDUST CHOLLIMA. Retrieved September 29, 2021.
7. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
8. SecureWorks. (2021, September 29). NICKEL GLADSTONE Threat Profile. Retrieved September 29, 2021.
9. Seongsu Park. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
10. Kálnai, P., Cherepanov, A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.
11. GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.