North Korean Threat Group APT38 Threat Intel Advisory

Summary

CloudSEK threat intelligence advisory on North Korean state-sponsored threat group APT38, whose primary target is the financial sector.

Advisory: Adversary Intelligence
Name: APT38
Origin: North Korea
Target: Financial Sectors - Banks
Targeted Countries: Russia, Poland, Uruguay, US, Mexico, Chile, Brazil, Turkey, India, Bangladesh, Malaysia, Taiwan, Vietnam, Philippines
 

Executive Summary

APT38 is a North Korean state-sponsored threat group that mainly targets the financial sector; it first appeared in 2014. Because the group's main focus is the finance industry, it uses SWIFT fraud to steal money from infected organizations, and most of its identified victims use SWIFT tools. APT38 uses tools and malware that are part of the arsenals of the Lazarus and TEMP.Hermit groups. These criminal gangs are also North Korean state-sponsored threat groups, but with different target types. Recent APT38 activity indicates that the group is using reconnaissance to gather information on Indian banking infrastructure, with the intention of carrying out further attacks.

Impact

Technical Impact
  • System infrastructure destruction
  • Data encryption
Business Impact
  • Financial loss of the targeted organization
  • Espionage
  • Data leakage
  • Data loss

Mitigation

  • Use up-to-date software
  • Back up data regularly
  • Apply least privilege access for files and directories
  • Encrypt sensitive information
  • Restrict web-based content
  • Keep remote data storage

Technical Analysis

Execution

  • The group first gathers as much information as possible about its target, starting with information about either one of the target’s personnel or its third-party vendors (SWIFT systems).
  • After gathering information, the attackers gain initial access through a watering hole attack, or by leveraging an existing outdated Linux server with vulnerabilities.
  • Next, they conduct internal reconnaissance of the infected environment, using a set of malware and internal tools to scan the system.
  • Once the attackers have gathered the required information, they pivot to SWIFT servers (if there are any), install the malware needed to conduct reconnaissance on the infected servers, and implant backdoors within those servers.
  • At this stage the attackers execute malware that enables them to insert fraudulent SWIFT transactions, transferring money to other accounts that may be located in other countries.
  • In the final stage the attackers try to destroy any evidence of their presence in the infected system. The actions taken include deletion of log files and disk-wiping, and in some cases they may even use ransomware to thwart future detection.
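
The final stage above (log deletion, T1070.001) leaves its own traces on Windows hosts. The following is an added detection example, not part of the original advisory or CloudSEK tooling: it flags log-clearing signals in exported events and groups them per host. The event field names, the sample events and the CRITICAL_HOSTS asset list are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample events (not from the advisory), one JSON object per line,
# in a simplified shape a SIEM export might use. Field names are assumptions.
SAMPLE_EVENTS = """\
{"ts":"2021-03-02T01:10:05Z","host":"ws-114","channel":"Security","event_id":4688,"user":"jdoe","cmdline":"cmd.exe /c ipconfig /all"}
{"ts":"2021-03-02T01:14:40Z","host":"swift-gw1","channel":"Security","event_id":4688,"user":"svc_ops","cmdline":"wevtutil.exe cl Security"}
{"ts":"2021-03-02T01:14:41Z","host":"swift-gw1","channel":"Security","event_id":1102,"user":"svc_ops","cmdline":""}
{"ts":"2021-03-02T01:14:44Z","host":"swift-gw1","channel":"System","event_id":104,"user":"svc_ops","cmdline":""}
{"ts":"2021-03-02T02:00:00Z","host":"ws-200","channel":"Security","event_id":4688,"user":"admin","cmdline":"powershell -c Clear-EventLog -LogName Application"}
"""

# Windows records 1102 in Security and 104 in System when a log is cleared.
CLEAR_EVENT_IDS = {("Security", 1102), ("System", 104)}
# Command lines that clear logs: wevtutil cl / clear-log, PowerShell Clear-EventLog.
CLEAR_CMD = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog", re.I)
# Hypothetical asset list: hosts that handle SWIFT traffic get higher severity.
CRITICAL_HOSTS = {"swift-gw1"}


def classify(event):
    """Return the reason an event indicates log clearing, or None."""
    if (event["channel"], event["event_id"]) in CLEAR_EVENT_IDS:
        return f"{event['channel']} log cleared (event {event['event_id']})"
    # 4688 is process creation; it carries a command line only if auditing is set up for it.
    if event["event_id"] == 4688 and CLEAR_CMD.search(event.get("cmdline", "")):
        return "log-clearing command line"
    return None


def detect_log_clearing(lines):
    """Group log-clearing signals per host and assign a severity."""
    findings = {}
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reason = classify(event)
        if reason:
            entry = findings.setdefault(event["host"], {"reasons": [], "first_seen": event["ts"]})
            entry["reasons"].append(reason)
    for host, entry in findings.items():
        entry["severity"] = "critical" if host in CRITICAL_HOSTS else "high"
    return findings


if __name__ == "__main__":
    for host, entry in detect_log_clearing(SAMPLE_EVENTS).items():
        print(host, entry["severity"], entry["first_seen"], entry["reasons"])
```

Because the cleared log cannot be trusted afterwards, this logic only helps when events are forwarded off the host before the clearing happens.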

Tactics, Techniques and Procedures

Initial Access
  • T1189 Drive-by Compromise
Execution
  • T1059.003 Windows Command Shell
Defense Evasion
  • T1070.001 Clear Windows Event Logs
  • T1070.004 File Deletion
  • T1112 Modify Registry
  • T1027.002 Software Packing
Credential Access
  • T1056.001 Keylogging
Discovery
  • T1057 Process Discovery
  • T1016 System Network Configuration Discovery
Collection
  • T1115 Clipboard Data
  • T1056.001 Keylogging
Command and Control
  • T1071.001 Web Protocols
  • T1105 Ingress Tool Transfer
Impact
  • T1485 Data Destruction
  • T1486 Data Encrypted for Impact
  • T1565.001 Stored Data Manipulation
  • T1565.002 Transmitted Data Manipulation
  • T1565.003 Runtime Data Manipulation
  • T1561.002 Disk Structure Wipe
  • T1529 System Shutdown/Reboot
 

Tools and Malware Used

BLINDTOAD BOOTWRECK CHEESETRAY
CLEANTOAD CLOSESHAVE DarkComet
DYEPACK DYEPACK.FOX HERMES
HOTWAX JspSpy KEYLIME
MAPMAKER NACHOCHEESE NESTEGG
QUICKCAFE QUICKRIDE QUICKRIDE.POWER
RATANKBAPOS RAWHIDE REDSHAWL
SCRUBBRUSH SHADYCAT SLIMDOWN
SMOOTHRIDE SORRYBRUTE WHITEOUT
WORMHOLE Mimikatz Net
 

Indicators of Compromise

CVE
CVE-2017-0144
CVE-2016-1019
CVE-2016-4119
CVE-2015-8651
