| Advisory | Adversary Intelligence |
|---|---|
| Name | APT38 |
| Origin | North Korea |
| Target | Financial sector – banks |
| Targeted countries | Russia, Poland, Uruguay, US, Mexico, Chile, Brazil, Turkey, India, Bangladesh, Malaysia, Taiwan, Vietnam, Philippines |
APT38 is a North Korean state-sponsored threat group that mainly targets the financial sector; it first appeared in 2014. Because its focus is the finance industry, the group steals money from compromised organizations through SWIFT fraud, and most of its identified victims use SWIFT tools. APT38 uses tools and malware drawn from the arsenals of the Lazarus and TEMP.Hermit groups, which are also North Korean state-sponsored threat groups but pursue different target types. Recent APT38 activity indicates that the group is conducting reconnaissance of Indian banking infrastructure with the intention of carrying out further attacks.
| Tactic | Technique ID | Technique |
|---|---|---|
| Initial Access | T1189 | Drive-by Compromise |
| Execution | T1059.003 | Windows Command Shell |
| Defense Evasion | T1070.001 | Clear Windows Event Logs |
| | T1070.004 | File Deletion |
| | T1112 | Modify Registry |
| | T1027.002 | Software Packing |
| Credential Access | T1056.001 | Keylogging |
| Discovery | T1057 | Process Discovery |
| | T1016 | System Network Configuration Discovery |
| Collection | T1115 | Clipboard Data |
| | T1056.001 | Keylogging |
| Command and Control | T1071.001 | Web Protocols |
| | T1105 | Ingress Tool Transfer |
| Impact | T1485 | Data Destruction |
| | T1486 | Data Encrypted for Impact |
| | T1565.001 | Stored Data Manipulation |
| | T1565.002 | Transmitted Data Manipulation |
| | T1565.003 | Runtime Data Manipulation |
| | T1561.002 | Disk Structure Wipe |
| | T1529 | System Shutdown/Reboot |
| Malware and tools | | |
|---|---|---|
| BLINDTOAD | BOOTWRECK | CHEESETRAY |
| CLEANTOAD | CLOSESHAVE | DarkComet |
| DYEPACK | DYEPACK.FOX | HERMES |
| HOTWAX | JspSpy | KEYLIME |
| MAPMAKER | NACHOCHEESE | NESTEGG |
| QUICKCAFE | QUICKRIDE | QUICKRIDE.POWER |
| RATANKBAPOS | RAWHIDE | REDSHAWL |
| SCRUBBRUSH | SHADYCAT | SLIMDOWN |
| SMOOTHRIDE | SORRYBRUTE | WHITEOUT |
| WORMHOLE | Mimikatz | Net |
| IPv4 address |
|---|
| 67.43.239.146 |
| 185.62.58.207 |
| 210.52.109.255 |
| 210.52.109.22 |
| 175.45.179.255 |
| 175.45.178.222 |
| Indicator type | Value |
|---|---|
| URL | http://loneeaglerecords.com/wp-content/uploads/2020/01/images.tgz.001 |
| URL | https://loneeaglerecords.com/wp-content/uploads/2020/01/images.tgz.001 |
| Domain | loneeaglerecords.com |
| Hostname | movis-es.ignorelist.com |
| Hostname | onlink.epac.to |
| Hostname | pubs.ignorelist.com |
| Hostname | repview.ignorelist.com |
| Hostname | download.ns360.info |
| Hostname | statis.ignorelist.com |
| Hostname | geodb.ignorelist.com |
| Hostname | bitdefs.ignorelist.com |
| File hash | Digest type (by length) |
|---|---|
| fe83d95afce63e935dbe22aef40a164cee34f4e5 | SHA-1 (40 hex) |
| fa3deb60b8a2eaa29a7dccf14bee6adae81f442f | SHA-1 (40 hex) |
| eaa2e43f075e7573c7a131e5cb4fa1ec70a90c5c | SHA-1 (40 hex) |
| 4862e206b9a79254f3fcc556f75711c03287f1dc | SHA-1 (40 hex) |
| f05437d510287448325bac98a1378de1 | MD5 (32 hex) |
| 81f8f0526740b55fe484c42126cd8396 | MD5 (32 hex) |
| b19984c67baee3b9274fe7d9a9073fa2 | MD5 (32 hex) |
| 024e28cb5e42eb0fe813ac9892eb7cbe | MD5 (32 hex) |
| 310f5b1bd7fb305023c955e55064e828 | MD5 (32 hex) |
| 846d8647d27a0d729df40b13a644f3bffdc95f6d0e600f2195c85628d59f1dc6 | SHA-256 (64 hex) |
| 899e66ede95686a06394f707dd09b7c29af68f95d22136f0a023bfd01390ad53 | SHA-256 (64 hex) |
| d3235a29d254d0b73ff8b5445c962cd3b841f487469d60a02819c0eb347111dd | SHA-256 (64 hex) |
| 216a83e54cac48a75b7e071d0262d98739c840fd8cd6d0b48a9c166b69acd57d | SHA-256 (64 hex) |
| CVE |
|---|
| CVE-2017-0144 |
| CVE-2016-1019 |
| CVE-2016-4119 |
| CVE-2015-8651 |