APT38
Associated Group Descriptions |
|
| Name | Description |
|---|---|
| BeagleBoyz | (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Stardust Chollima | (Citation: CrowdStrike Stardust Chollima Profile April 2018)(Citation: CrowdStrike GTR 2021 June 2021) |
| Bluenoroff | (Citation: Kaspersky Lazarus Under The Hood Blog 2017) |
| Sapphire Sleet | (Citation: Microsoft Threat Actor Naming July 2023) |
| COPERNICIUM | (Citation: Microsoft Threat Actor Naming July 2023) |
| NICKEL GLADSTONE | (Citation: SecureWorks NICKEL GLADSTONE profile Sept 2021) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
APT38 has used the legitimate application `ieinstal.exe` to bypass UAC.(Citation: 1 - appv) |
| Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
APT38 has created fake domains to imitate legitimate venture capital or bank domains.(Citation: 1 - appv) |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.(Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
APT38 has used PowerShell to execute commands and other operational tasks.(Citation: CISA AA20-239A BeagleBoyz August 2020) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.(Citation: FireEye APT38 Oct 2018) Additionally, APT38 has used batch scripts.(Citation: 1 - appv) |
||
| .005 | Command and Scripting Interpreter: Visual Basic |
APT38 has used VBScript to execute commands and other operational tasks.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: 1 - appv) |
||
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
APT38 has installed a new Windows service to establish persistence.(Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1565 | .001 | Data Manipulation: Stored Data Manipulation |
APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.(Citation: FireEye APT38 Oct 2018) |
| .002 | Data Manipulation: Transmitted Data Manipulation |
APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer.(Citation: FireEye APT38 Oct 2018) |
||
| .003 | Data Manipulation: Runtime Data Manipulation |
APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user.(Citation: FireEye APT38 Oct 2018) |
||
| Enterprise | T1561 | .002 | Disk Wipe: Disk Structure Wipe |
APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.(Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1480 | .002 | Execution Guardrails: Mutual Exclusion |
APT38 has created a mutex to avoid duplicate execution.(Citation: 1 - appv) |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
APT38 has unhooked DLLs to disable endpoint detection and response (EDR) or anti-virus (AV) tools.(Citation: 1 - appv) |
| .003 | Impair Defenses: Impair Command History Logging |
APT38 has prepended a space to all of their terminal commands to operate without leaving traces in the HISTCONTROL environment.(Citation: CISA AA20-239A BeagleBoyz August 2020) |
||
| .004 | Impair Defenses: Disable or Modify System Firewall |
APT38 have created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.(Citation: CISA AA20-239A BeagleBoyz August 2020) |
||
| Enterprise | T1070 | .001 | Indicator Removal: Clear Windows Event Logs |
APT38 clears Window Event logs and Sysmon logs from the system.(Citation: FireEye APT38 Oct 2018) |
| .004 | Indicator Removal: File Deletion |
APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process.(Citation: FireEye APT38 Oct 2018)(Citation: CISA AA20-239A BeagleBoyz August 2020) |
||
| .006 | Indicator Removal: Timestomp |
APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.(Citation: CISA AA20-239A BeagleBoyz August 2020) |
||
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.(Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1036 | .003 | Masquerading: Rename Legitimate Utilities |
APT38 has renamed system utilities, such as `rundll32.exe` and `mshta.exe`, to avoid detection.(Citation: 1 - appv) |
| .006 | Masquerading: Space after Filename |
APT38 has put several spaces before a file extension to avoid detection and suspicion.(Citation: 1 - appv) |
||
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.(Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
APT38 has obtained and used open-source tools such as Mimikatz.(Citation: ESET Lazarus KillDisk April 2018) |
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
APT38 has conducted spearphishing campaigns using malicious email attachments.(Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1053 | .003 | Scheduled Task/Job: Cron |
APT38 has used cron to create pre-scheduled and periodic background jobs on a Linux system.(Citation: CISA AA20-239A BeagleBoyz August 2020) |
| .005 | Scheduled Task/Job: Scheduled Task |
APT38 has used Task Scheduler to run programs at system startup or on a scheduled basis for persistence.(Citation: CISA AA20-239A BeagleBoyz August 2020) Additionally, APT38 has used living-off-the-land scripts to execute a malicious script via a scheduled task.(Citation: 1 - appv) |
||
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
APT38 has used web shells for persistence or to ensure redundant access.(Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: 1 - appv) |
| Enterprise | T1553 | .005 | Subvert Trust Controls: Mark-of-the-Web Bypass |
APT38 has used ISO and VHD files to deploy malware and to bypass Mark-of-the-Web (MOTW) security measures.(Citation: 1 - appv) |
| Enterprise | T1218 | .001 | System Binary Proxy Execution: Compiled HTML File |
APT38 has used CHM files to move concealed payloads.(Citation: Kaspersky Lazarus Under The Hood APR 2017) |
| .005 | System Binary Proxy Execution: Mshta |
APT38 has used a renamed version of `mshta.exe` to execute malicious HTML files.(Citation: 1 - appv) |
||
| .007 | System Binary Proxy Execution: Msiexec |
APT38 has used `msiexec.exe` to execute malicious files.(Citation: 1 - appv) |
||
| .011 | System Binary Proxy Execution: Rundll32 |
APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: 1 - appv) |
||
| Enterprise | T1569 | .002 | System Services: Service Execution |
APT38 has created new services or modified existing ones to run executables, commands, or scripts.(Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1204 | .001 | User Execution: Malicious Link |
APT38 has used links to execute a malicious Visual Basic script.(Citation: 1 - appv) |
| .002 | User Execution: Malicious File |
APT38 has attempted to lure victims into enabling malicious macros within email attachments.(Citation: CISA AA20-239A BeagleBoyz August 2020) Additionally, APT38 has used malicious Word documents and shortcut files.(Citation: 1 - appv) |
||
References
- CrowdStrike. (2021, June 7). CrowdStrike 2021 Global Threat Report. Retrieved September 29, 2021.
- Department of Justice. (2021, February 17). Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe. Retrieved June 9, 2021.
- DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.
- GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.
- Meyers, Adam. (2018, April 6). Meet CrowdStrike’s Adversary of the Month for April: STARDUST CHOLLIMA. Retrieved September 29, 2021.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- SecureWorks. (2021, September 29). NICKEL GLADSTONE Threat Profile. Retrieved September 29, 2021.
- SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
- Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.