G0082 APT38
APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.1 Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.1234
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
| Item | Value |
|---|---|
| ID | G0082 |
| Associated Names | NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima |
| Version | 2.0 |
| Created | 29 January 2019 |
| Last Modified | 18 January 2022 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Group Descriptions
| Name | Description |
|---|---|
| NICKEL GLADSTONE | 5 |
| BeagleBoyz | 1 |
| Bluenoroff | 4 |
| Stardust Chollima | 67 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.2 |
| enterprise | T1217 | Browser Information Discovery | APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.1 |
| enterprise | T1110 | Brute Force | APT38 has used brute force techniques to attempt account access when passwords are unknown or when password hashes are unavailable.1 |
| enterprise | T1115 | Clipboard Data | APT38 used a Trojan called KEYLIME to collect data from the clipboard.2 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | APT38 has used PowerShell to execute commands and other operational tasks.1 |
| enterprise | T1059.003 | Windows Command Shell | APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.2 |
| enterprise | T1059.005 | Visual Basic | APT38 has used VBScript to execute commands and other operational tasks.1 |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | APT38 has installed a new Windows service to establish persistence.1 |
| enterprise | T1485 | Data Destruction | APT38 has used a custom secure delete function to make deleted files unrecoverable.2 |
| enterprise | T1486 | Data Encrypted for Impact | APT38 has used Hermes ransomware to encrypt files with AES256.2 |
| enterprise | T1005 | Data from Local System | APT38 has collected data from a compromised host.1 |
| enterprise | T1565 | Data Manipulation | - |
| enterprise | T1565.001 | Stored Data Manipulation | APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.2 |
| enterprise | T1565.002 | Transmitted Data Manipulation | APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer.2 |
| enterprise | T1565.003 | Runtime Data Manipulation | APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user.2 |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.002 | Disk Structure Wipe | APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.2 |
| enterprise | T1189 | Drive-by Compromise | APT38 has conducted watering holes schemes to gain initial access to victims.21 |
| enterprise | T1083 | File and Directory Discovery | APT38 have enumerated files and directories, or searched in specific locations within a compromised host.1 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.003 | Impair Command History Logging | APT38 has prepended a space to all of their terminal commands to operate without leaving traces in the HISTCONTROL environment.1 |
| enterprise | T1562.004 | Disable or Modify System Firewall | APT38 have created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | APT38 clears Window Event logs and Sysmon logs from the system.2 |
| enterprise | T1070.004 | File Deletion | APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process.21 |
| enterprise | T1070.006 | Timestomp | APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.1 |
| enterprise | T1105 | Ingress Tool Transfer | APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.2 |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.2 |
| enterprise | T1112 | Modify Registry | APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.2 |
| enterprise | T1106 | Native API | APT38 has used the Windows API to execute code within a victim’s system.1 |
| enterprise | T1135 | Network Share Discovery | APT38 has enumerated network shares on a compromised host.1 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.2 |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | APT38 has obtained and used open-source tools such as Mimikatz.9 |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | APT38 has conducted spearphishing campaigns using malicious email attachments.1 |
| enterprise | T1057 | Process Discovery | APT38 leveraged Sysmon to understand the processes, services in the organization.2 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.003 | Cron | APT38 has used cron to create pre-scheduled and periodic background jobs on a Linux system.1 |
| enterprise | T1053.005 | Scheduled Task | APT38 has used Task Scheduler to run programs at system startup or on a scheduled basis for persistence.1 |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | APT38 has used web shells for persistence or to ensure redundant access.1 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system.1 |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.001 | Compiled HTML File | APT38 has used CHM files to move concealed payloads.8 |
| enterprise | T1218.011 | Rundll32 | APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools.1 |
| enterprise | T1082 | System Information Discovery | APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs.1 |
| enterprise | T1049 | System Network Connections Discovery | APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.2 |
| enterprise | T1033 | System Owner/User Discovery | APT38 has identified primary users, currently logged in users, sets of users that commonly use a system, or inactive users.1 |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | APT38 has created new services or modified existing ones to run executables, commands, or scripts.1 |
| enterprise | T1529 | System Shutdown/Reboot | APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim’s MBR.2 |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | APT38 has attempted to lure victims into enabling malicious macros within email attachments.1 |
Software
References
-
DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Department of Justice. (2021, February 17). Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe. Retrieved June 9, 2021. ↩
-
GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019. ↩↩
-
SecureWorks. (2021, September 29). NICKEL GLADSTONE Threat Profile. Retrieved September 29, 2021. ↩
-
Meyers, Adam. (2018, April 6). Meet CrowdStrike’s Adversary of the Month for April: STARDUST CHOLLIMA. Retrieved September 29, 2021. ↩
-
CrowdStrike. (2021, June 7). CrowdStrike 2021 Global Threat Report. Retrieved September 29, 2021. ↩
-
GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018. ↩
-
Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018. ↩↩