Threat Actor: APT38
Aliases: Bluenoroff, Stardust Cholima, BeagleBoyz, NICKEL GLADSTONE, TA444
APT38, a subset of the North Korean Lazarus group, specializes in financial crimes, often involving a destructive element. This technologically dexterous and highly active group is known to exploit ATM, SWIFT, and cryptocurrency transactions, with CISA estimating criminal proceeds at nearly $2 billion at the time of writing (CISA, 2020).
Overview
Attacks orchestrated by APT38 are highly technical, requiring precision and an intimate knowledge of their target. This specialized group repeatedly goes to great lengths during its reconnaissance phase, often stair-stepping through organizations to achieve its mission objectives and stealing any form of digital currency it can get its hands on. Resorting to tactics common in espionage campaigns, APT38 has been known to compromise government financial institutions and media organizations just to obtain intelligence on its primary targets (FireEye, 2018, p. 8).
APT38 shows a surprising proficiency in technological skill, conducting cross-platform campaigns and crafting malware payloads designed for use in a variety of environments. Additionally, these efforts are executed in tandem with massive reconnaissance campaigns, suggesting the group has access to a significant amount of human and technological resources.
The group appears to be in constant development of custom tools and technologies. APT38 has developed nearly 30 different malware families and seems to find ways around security measures almost as fast as they’re implemented by the industry. Together, these characteristics make APT38 one of the most prolific and technologically advanced cyber threats in the world.
Common Techniques, Tactics, and Procedures
Attacks begin with a lengthy period of reconnaissance, targeting employees or vendors of the victim organization. Social engineering through popular social media and professional networking platforms is often used to gather information on employees of the target organization. On at least one occasion, the threat actor forged connections to dozens of individuals inside the victim organization through a sock-puppet account created on LinkedIn (FireEye, 2018, p. 9).
APT38 uses the information gathered during this reconnaissance phase to craft social engineering attacks ranging from recruitment-themed spear-phishing emails and compromised websites of government financial institutions to watering-hole lures and custom-made cryptocurrency applications. A variety of tactics are then used to install a malicious payload such as a backdoor or remote administration tool (FireEye, 2018, p. 18; CISA, 2022).
Phishing campaigns are often disguised as employment opportunities or resumes from interested persons seeking employment. More recent phishing attempts by this group have employed attachments containing optical disk images, also known as ISO files, to circumvent the Windows Mark-of-the-Web security measure. These ISO files contain malicious documents with embedded scripts that fetch the initial infection payload (Park, 2022).
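The ISO delivery mechanism above is worth checking for at the mail gateway and in the sandbox. The following is an added example (not code from the profile or from any of the cited reports): a small attachment inspector that recognises ISO 9660 images by their on-disk signature rather than by file extension, and that parses the text of the NTFS Zone.Identifier stream carrying Mark-of-the-Web so that files extracted from a mounted image can be checked for a missing zone marker on Windows builds that do not propagate it into image contents. The function names, the sample attachment and the extracted-file list are all constructed for this example.

```python
"""Added example (not from the profile or the cited reports): attachment triage for
ISO-based delivery. Inputs are constructed; only the ISO 9660 signature, the
Zone.Identifier stream layout and the ZoneId meaning are real."""
from typing import List, Optional, Tuple

ISO_PVD_OFFSET = 0x8000        # ISO 9660 primary volume descriptor at sector 16 (2048-byte sectors)
ISO_SIGNATURE = b"\x01CD001"   # descriptor type 1 followed by the standard "CD001" identifier
ZONE_INTERNET = 3              # ZoneId value meaning "Internet" in a Zone.Identifier stream
RISKY_SUFFIXES = (".docx", ".docm", ".xlsm", ".lnk", ".js", ".vbs", ".exe", ".dll")


def is_iso9660(data: bytes) -> bool:
    """True when the buffer carries an ISO 9660 primary volume descriptor."""
    end = ISO_PVD_OFFSET + len(ISO_SIGNATURE)
    return len(data) >= end and data[ISO_PVD_OFFSET:end] == ISO_SIGNATURE


def parse_zone_identifier(stream_text: Optional[str]) -> Optional[int]:
    """Extract ZoneId from the INI-style Zone.Identifier stream; None if absent."""
    if stream_text is None:
        return None
    section = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                return int(value.strip()) if value.strip().isdigit() else None
    return None


def triage_attachment(name: str, data: bytes,
                      extracted: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Return findings for one attachment.

    `extracted` lists (inner file name, Zone.Identifier text or None) pairs for the
    files inside the image, as a mounting sandbox would report them (constructed)."""
    findings: List[str] = []
    if not is_iso9660(data):
        return findings
    findings.append("container:iso9660")
    if not name.lower().endswith((".iso", ".img")):
        findings.append("extension-mismatch:" + name)
    for inner_name, zone_text in extracted:
        zone = parse_zone_identifier(zone_text)
        if zone is None or zone < ZONE_INTERNET:
            tag = "motw-missing"
            if inner_name.lower().endswith(RISKY_SUFFIXES):
                tag = "motw-missing-risky-type"
            findings.append(f"{tag}:{inner_name}")
    return findings


def constructed_iso() -> bytes:
    """Minimal constructed buffer with only the volume descriptor signature in place."""
    buf = bytearray(ISO_PVD_OFFSET + 2048)
    buf[ISO_PVD_OFFSET:ISO_PVD_OFFSET + len(ISO_SIGNATURE)] = ISO_SIGNATURE
    return bytes(buf)


if __name__ == "__main__":
    sample = [("Resume.docx", None), ("readme.txt", "[ZoneTransfer]\r\nZoneId=3\r\n")]
    print(triage_attachment("Resume.pdf", constructed_iso(), sample))
```

The signature check matters because an image renamed to another extension is still mounted by Windows when a user opens it; the Zone.Identifier parse shows what the missing marker actually looks like, so the same logic can be reused on EDR telemetry that exposes alternate data streams.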
APT38 is meticulous in its operations and exercises unusual patience once inside a victim’s network. Shifting back to the reconnaissance phase, the threat actors deploy tools to map network topology, steal credentials, and enumerate enterprise Linux servers vulnerable to the Apache Struts2 exploit. Much time is spent gathering intelligence on the file system to replicate internal naming conventions, allowing APT38 to hide its tools in plain sight (FireEye, 2018, p. 19).
According to researchers at FireEye, the average persistence in the victim network is 155 days, with the longest stretch being 678 days. Time spent within the network is so long that attackers have been known to hardcode internal IP addresses into their proprietary malware (FireEye, 2018).
Once inside the network of a banking institution, APT38 attempts to gain a better understanding of the relationships between the users and the internal systems performing SWIFT transactions. Persistence is maintained on SWIFT systems for an extended duration by the deployment of active and passive backdoors. This allows the threat actors time to fine-tune any configurations on their tools that pertain to the SWIFT environment. Researchers at FireEye have observed that tools are repeatedly tested before implementing them to exploit the transactions (FireEye, 2018, p. 20).
It has become common practice for APT38 to use virtual private servers for C2 communications. Fake domains meant to impersonate legitimate financial organizations are used in its C2 infrastructure. However, some of the domain names have been recycled across campaigns, and many of them resolve to the same IP addresses (Park, 2022).
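Recycled domains and shared IP addresses are exactly what a defender can pivot on. The following is an added example, not code from the profile or any cited report: given passive-DNS style records, it flags domains whose registrable name embeds a protected brand without being the brand's own domain, and expands a single known-bad domain into every other domain that has shared an IP address with it. The domains, brand names and IP addresses are all constructed placeholders (the IPs come from the RFC 5737 documentation ranges) and are not real indicators.

```python
"""Added example (not from the profile or the cited reports): pivoting on recycled
C2 infrastructure with constructed passive-DNS records."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed records: (domain, resolved IP, first-seen date). Nothing here is a real IoC.
PDNS_RECORDS: List[Tuple[str, str, str]] = [
    ("example-bank-secure.test", "203.0.113.10", "2022-01-04"),
    ("login-examplebank.test", "203.0.113.10", "2022-03-19"),
    ("example-exchange-update.test", "203.0.113.10", "2022-06-02"),
    ("cdn.unrelated-site.test", "198.51.100.7", "2022-02-11"),
    ("example-exchange-wallet.test", "198.51.100.22", "2022-07-30"),
    ("portal.example-bank.test", "192.0.2.5", "2021-11-01"),
]
BRANDS = ["example-bank", "example-exchange"]                # constructed protected names
ALLOWLIST = {"example-bank.test", "example-exchange.test"}   # the brands' genuine domains (constructed)


def registrable(domain: str) -> str:
    """Last two labels; adequate for the flat .test names used here (no public-suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_lookalike(domain: str, brands=BRANDS, allowlist=ALLOWLIST) -> bool:
    """True when the registrable name embeds a brand but is not that brand's own domain."""
    reg = registrable(domain)
    if reg in allowlist:
        return False
    label = reg.split(".")[0].replace("-", "")
    return any(b.replace("-", "") in label for b in brands)


def group_by_ip(records) -> Dict[str, Set[str]]:
    """Invert the records so each IP maps to every domain that resolved to it."""
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for domain, ip, _ in records:
        by_ip[ip].add(domain.lower())
    return by_ip


def expand_from_seed(seed: str, records) -> List[str]:
    """All domains that have resolved to any IP the seed domain resolved to."""
    by_ip = group_by_ip(records)
    seed_ips = {ip for d, ip, _ in records if d.lower() == seed.lower()}
    related: Set[str] = set()
    for ip in seed_ips:
        related |= by_ip[ip]
    return sorted(related)


def shared_lookalike_infrastructure(records, min_domains: int = 2) -> Dict[str, List[str]]:
    """IPs hosting at least min_domains brand-impersonating domains at once."""
    result: Dict[str, List[str]] = {}
    for ip, domains in group_by_ip(records).items():
        hits = sorted(d for d in domains if is_lookalike(d))
        if len(hits) >= min_domains:
            result[ip] = hits
    return result


if __name__ == "__main__":
    print(expand_from_seed("example-bank-secure.test", PDNS_RECORDS))
    print(shared_lookalike_infrastructure(PDNS_RECORDS))
```

In practice the seed comes from a confirmed phishing or C2 domain and the records from a passive-DNS provider; the expansion step is what turns one indicator into a blocklist, and the shared-infrastructure view surfaces hosting that several impersonation domains have in common before any of them has been reported.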
Once instantiated, malware developed by APT38 can allow for the insertion of fraudulent SWIFT transactions and the manipulation of the institution’s transaction history. The threat actors transfer the funds to bank accounts set up in countries with little government oversight. From there, the money is laundered through a variety of methods (FireEye, 2018, p. 21).
Once the group has fulfilled the objectives of the heist, the group proceeds to destroy all evidence of their criminal activity in an attempt to disrupt any forensic investigations. The process usually begins by deleting all logs and files using proprietary malware. Then, wiper malware such as KillDisk is deployed, overwriting all data sectors and the master boot record (MBR). The malware then triggers a reboot, effectively hammering the final nail into the coffin (Cherepanov & Kálnai, 2018).
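The anti-forensics sequence described above (log deletion, then a wiper overwriting disk sectors and the MBR, then a forced reboot) is a detectable chain if endpoint telemetry reaches a central store before the host is destroyed. The following is an added example, not code from the profile or any cited report: a detector that walks constructed telemetry lines per host and alerts when event-log clearing is followed by a write to a raw physical disk device and then a reboot command inside a short window. The line format, hostnames, paths and timestamps are made up; the event names and the windowing logic are assumptions of this example, and wevtutil, the PhysicalDrive0 device path and shutdown /r are real Windows names used only as detection content.

```python
# Added example (not from the profile or the cited reports): ordered-sequence
# detection for the wipe-and-reboot pattern, run over constructed telemetry.
# Real Windows names used as detection content: wevtutil.exe (clears event logs
# with "cl"), the \\.\PhysicalDrive0 raw device path, and "shutdown /r".
from collections import defaultdict
from datetime import datetime, timedelta
import re
from typing import Dict, List, Optional, Tuple

WINDOW = timedelta(minutes=30)
STAGES = ("log_clear", "raw_disk_write", "reboot")      # must occur in this order
LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+) (.*)$")

# Constructed telemetry; "RawDiskAccess" is an assumed EDR event type for this example.
SAMPLE_LOGS = [
    r'2018-01-15T03:10:02 host=FS01 event=ProcessCreate image=C:\Windows\System32\wevtutil.exe cmdline="wevtutil cl Security"',
    r'2018-01-15T03:10:03 host=FS01 event=ProcessCreate image=C:\Windows\System32\wevtutil.exe cmdline="wevtutil cl System"',
    r'2018-01-15T03:14:40 host=FS01 event=RawDiskAccess target=\\.\PhysicalDrive0 access=write image=C:\Temp\unknown.exe',
    r'2018-01-15T03:15:05 host=FS01 event=ProcessCreate image=C:\Windows\System32\shutdown.exe cmdline="shutdown /r /t 0"',
    r'2018-01-15T03:20:00 host=WS07 event=ProcessCreate image=C:\Windows\System32\wevtutil.exe cmdline="wevtutil cl Application"',
    r'2018-01-15T09:00:00 host=WS07 event=ProcessCreate image=C:\Windows\System32\shutdown.exe cmdline="shutdown /r /t 0"',
]


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Split one constructed line into (timestamp, host, event, remaining fields)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    return datetime.fromisoformat(ts), host, event, rest


def classify(event: str, rest: str) -> Optional[str]:
    """Map a single event to one of the chain stages, or None if it is unrelated."""
    low = rest.lower()
    if event == "ProcessCreate" and "wevtutil" in low and re.search(r"\bcl\b", low):
        return "log_clear"
    if event == "RawDiskAccess" and "physicaldrive" in low and "access=write" in low:
        return "raw_disk_write"
    if event == "ProcessCreate" and "shutdown" in low and "/r" in low:
        return "reboot"
    return None


def first_chain(events: List[Tuple[datetime, str]], window: timedelta):
    """Return (start, end) of the first complete ordered chain within the window."""
    events = sorted(events)
    for i, (start, stage) in enumerate(events):
        if stage != STAGES[0]:
            continue
        want, last = 1, start
        for ts, s in events[i + 1:]:
            if ts - start > window:
                break
            if s == STAGES[want]:
                want, last = want + 1, ts
                if want == len(STAGES):
                    return start, last
    return None


def detect_wiper_sequence(lines, window: timedelta = WINDOW) -> List[Dict[str, str]]:
    """One alert per host whose telemetry contains the full chain in order."""
    per_host: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, event, rest = rec
        stage = classify(event, rest)
        if stage:
            per_host[host].append((ts, stage))
    alerts = []
    for host in sorted(per_host):
        chain = first_chain(per_host[host], window)
        if chain:
            alerts.append({"host": host, "start": chain[0].isoformat(), "end": chain[1].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_wiper_sequence(SAMPLE_LOGS):
        print(alert)
```

Requiring the stages in order keeps the rule quiet on routine maintenance (an administrator clearing a log, a scheduled reboot), while the short window reflects how quickly the destructive phase runs once it starts; the log-clearing stage alone is still worth a lower-severity alert, since shipping logs off-host is what makes the later stages visible at all.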
Conclusion
APT38 is attributed as a subset of the Lazarus group, focusing on financial crime to bypass international sanctions placed on the Democratic People’s Republic of Korea. The group targets international financial organizations, exploiting SWIFT banking transfers, ATMs, and cryptocurrency. They are a highly technical and extremely patient group that can spend months or even years in a network before executing their objectives. In an effort to cover their tracks, APT38 will implement a devastating scorched-earth policy and destroy the victim’s environment by deploying wiper malware.
However, there are a few factors that work in favor of the network defender. First, the more time APT38 spends within a victim network, the more time defenders have to detect its presence. Second, the vast majority of tools implemented by APT38 are proprietary, so detecting one of them is a strong indication of the group’s presence. An alert of this kind should immediately inform your organization’s security team of the intruder’s objectives. Network administrators should take advantage of this and familiarize themselves with APT38 and its TTPs within the MITRE ATT&CK knowledge base.
References
Cherepanov, A., & Kálnai, P. (2018, April 6). Lazarus KillDisks Central American casino. WeLiveSecurity. Retrieved March 12, 2023, from https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/
Cimpanu, C. (2018, October 3). North Korea’s APT38 hacking group behind bank heists of over $100 million. ZDNET. Retrieved March 12, 2023, from https://www.zdnet.com/article/north-korea-s-apt38-hacking-group-behind-bank-heists-of-over-100-million/
CISA. (2023, March 2). FASTCash 2.0: North Korea’s BeagleBoyz robbing banks. Cybersecurity and Infrastructure Security Agency (CISA). Retrieved March 12, 2023, from https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-239a
CISA. (2023, March 2). TraderTraitor: North Korean state-sponsored APT targets blockchain companies. Cybersecurity and Infrastructure Security Agency (CISA). Retrieved March 12, 2023, from https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a
CISA. (n.d.). North Korea cyber threat overview and advisories. Cybersecurity and Infrastructure Security Agency (CISA). Retrieved March 12, 2023, from https://www.cisa.gov/northkorea
FireEye. (2018). APT38: Un-usual suspects. Mandiant. Retrieved March 12, 2023, from https://www.mandiant.com/media/11306/download
Fraser, N., O’Leary, J., Cannon, V., & Plan, F. (2018, October 3). APT38: Details on new North Korean regime-backed threat group. Mandiant. Retrieved March 12, 2023, from https://www.mandiant.com/resources/blog/apt38-details-on-new-north-korean-regime-backed-threat-group
MITRE ATT&CK®. (2019, January 29). APT38. Retrieved March 12, 2023, from https://attack.mitre.org/groups/G0082/
Park, S. S. (2021, May 13). Bluenoroff introduces new methods bypassing MOTW. Securelist. Retrieved March 12, 2023, from https://securelist.com/bluenoroff-methods-bypass-motw/108383/
Sison, G., Ramos, R., Yaneza, J., & Oliveira, A. (2018, January 15). KillDisk variant hits Latin American financial groups. Trend Micro. Retrieved March 12, 2023, from https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html