| Advisory | Adversary Intelligence |
| --- | --- |
| Name | APT38 |
| Origin | North Korea |
| Target | Financial Sectors - Banks |
| Targeted Countries | Russia, Poland, Uruguay, US, Mexico, Chile, Brazil, Turkey, India, Bangladesh, Malaysia, Taiwan, Vietnam, Philippines |
Executive Summary
APT38 is a state-sponsored North Korean threat group known mainly for targeting the financial sector; the group first appeared in 2014. Because its main focus is the finance industry, it uses SWIFT fraud to steal money from compromised organizations, and most of its victims have been identified as users of SWIFT tools. APT38 uses tools and malware that are part of the Lazarus and TEMP.Hermit groups' arsenals. Those groups are also North Korean state-sponsored threat groups, but with different target types. Recent APT38 activity indicates that the group is using reconnaissance to gather information on Indian banking infrastructure, with the intention of carrying out further attacks.
Impact
Technical Impact
- System infrastructure destruction
- Data encryption
Business Impact
- Financial loss of the targeted organization
- Espionage
- Data leakage
- Data loss
Mitigation
- Keep software up to date
- Back up data regularly
- Apply least-privilege access to files and directories
- Encrypt sensitive information
- Restrict web-based content
- Maintain remote data storage
Technical Analysis
Execution
- The group first gathers as much information as possible about the target, starting with one of the target's personnel or with third-party vendors (SWIFT systems).
- After gathering information, the attackers gain initial access through a watering hole attack or by exploiting an outdated, vulnerable Linux server already present in the environment.
- Next, they conduct internal reconnaissance of the compromised environment, using a set of malware and internal tools to scan the systems.
- Once the attackers have the information they need, they pivot to the SWIFT servers (if any) and install the malware required to conduct reconnaissance on those servers and implant backdoors within them.
- At this stage the attackers execute malware that lets them insert fraudulent SWIFT transactions, transferring money to other accounts, often located in other countries.
- In the final stage the attackers try to destroy any evidence of their presence on the compromised systems. This includes deleting log files and wiping disks; in some cases they deploy ransomware to thwart future detection.
Tactics, Techniques and Procedures
| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Initial Access | T1189 | Drive-by Compromise |
| Execution | T1059.003 | Windows Command Shell |
| Defense Evasion | T1070.001 | Clear Windows Event Logs |
| Defense Evasion | T1070.004 | File Deletion |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1027.002 | Software Packing |
| Credential Access | T1056.001 | Keylogging |
| Discovery | T1057 | Process Discovery |
| Discovery | T1016 | System Network Configuration Discovery |
| Collection | T1115 | Clipboard Data |
| Collection | T1056.001 | Keylogging |
| Command and Control | T1071.001 | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer |
| Impact | T1485 | Data Destruction |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1565.001 | Stored Data Manipulation |
| Impact | T1565.002 | Transmitted Data Manipulation |
| Impact | T1565.003 | Runtime Data Manipulation |
| Impact | T1561.002 | Disk Structure Wipe |
| Impact | T1529 | System Shutdown/Reboot |
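The final "destroy evidence" stage described under Execution, together with the Defense Evasion and Impact rows of the table above, corresponds to command-line activity a defender can look for in process-creation telemetry. The following Python example is added here and is not code from the advisory: it runs a handful of constructed Sysmon-style events through rules tagged with the advisory's technique IDs and flags hosts that show several of these techniques together. The hostnames, command lines and the `wiper.exe` name are all made up for illustration.

```python
import re

# Constructed Sysmon-style process-creation events for illustration; not IoCs from the advisory.
SAMPLE_EVENTS = [
    {"host": "swift-gw01", "cmdline": "wevtutil cl Security"},
    {"host": "swift-gw01", "cmdline": "cmd.exe /c del /f /q C:\\ProgramData\\svc\\*.log"},
    {"host": "swift-gw01", "cmdline": "wiper.exe \\\\.\\PhysicalDrive0"},  # hypothetical raw-disk write
    {"host": "ws-042", "cmdline": "shutdown /r /t 0"},
    {"host": "ws-042", "cmdline": "editor.exe report.docx"},
]

# Each rule pairs a command-line pattern with a technique listed in the advisory's TTP table.
RULES = [
    ("T1070.001", "Clear Windows Event Logs", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("T1070.004", "File Deletion", re.compile(r"\b(del|erase|rmdir|rd)\b.*(/[fqs]\b|\*)", re.I)),
    ("T1561.002", "Disk Structure Wipe", re.compile(r"\\\\\.\\PhysicalDrive\d", re.I)),
    ("T1529", "System Shutdown/Reboot", re.compile(r"\bshutdown(\.exe)?\s+/[rsp]\b", re.I)),
]


def match_techniques(event):
    """Return [(technique_id, name)] for every rule whose pattern hits this event's command line."""
    return [(tid, name) for tid, name, pat in RULES if pat.search(event["cmdline"])]


def triage(events, min_techniques=2):
    """Group hits per host. A lone 'del' or reboot is routine admin work; a host showing
    several of these anti-forensics techniques together resembles the advisory's final stage."""
    per_host = {}
    for ev in events:
        for tid, _ in match_techniques(ev):
            per_host.setdefault(ev["host"], set()).add(tid)
    return {host: sorted(tids) for host, tids in per_host.items() if len(tids) >= min_techniques}


if __name__ == "__main__":
    for host, tids in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tids)}")
```

Lowering `min_techniques` to 1 turns the triage into a plain per-host inventory, which is useful for hunting but noisier on busy administrative hosts.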
Tools and Malware Used
BLINDTOAD, BOOTWRECK, CHEESETRAY, CLEANTOAD, CLOSESHAVE, DarkComet, DYEPACK, DYEPACK.FOX, HERMES, HOTWAX, JspSpy, KEYLIME, MAPMAKER, NACHOCHEESE, NESTEGG, QUICKCAFE, QUICKRIDE, QUICKRIDE.POWER, RATANKBAPOS, RAWHIDE, REDSHAWL, SCRUBBRUSH, SHADYCAT, SLIMDOWN, SMOOTHRIDE, SORRYBRUTE, WHITEOUT, WORMHOLE, Mimikatz, Net
Indicators of Compromise
URL
- http://loneeaglerecords.com/wp-content/uploads/2020/01/images.tgz.001
- https://loneeaglerecords.com/wp-content/uploads/2020/01/images.tgz.001
Domain
- loneeaglerecords.com
CVE
- CVE-2017-0144
- CVE-2016-1019
- CVE-2016-4119
- CVE-2015-8651