APT38 | APT Profile

Description

[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.

Techniques Used (TTPs)

T1486 — Data Encrypted for Impact (impact)
T1055 — Process Injection (defense-evasion, privilege-escalation)
T1033 — System Owner/User Discovery (discovery)
T1112 — Modify Registry (defense-evasion, persistence)
T1049 — System Network Connections Discovery (discovery)
T1070.004 — File Deletion (defense-evasion)
T1036.006 — Space after Filename (defense-evasion)
T1056.001 — Keylogging (collection, credential-access)
T1518.001 — Security Software Discovery (discovery)
T1543.003 — Windows Service (persistence, privilege-escalation)
T1548.002 — Bypass User Account Control (privilege-escalation, defense-evasion)
T1189 — Drive-by Compromise (initial-access)
T1083 — File and Directory Discovery (discovery)
T1059.003 — Windows Command Shell (execution)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1059.005 — Visual Basic (execution)
T1529 — System Shutdown/Reboot (impact)
T1204.001 — Malicious Link (execution)
T1071.001 — Web Protocols (command-and-control)
T1105 — Ingress Tool Transfer (command-and-control)
T1562.003 — Impair Command History Logging (defense-evasion)
T1027.002 — Software Packing (defense-evasion)
T1217 — Browser Information Discovery (discovery)
T1070.001 — Clear Windows Event Logs (defense-evasion)
T1218.005 — Mshta (defense-evasion)
T1070.006 — Timestomp (defense-evasion)
T1485 — Data Destruction (impact)
T1110 — Brute Force (credential-access)
T1135 — Network Share Discovery (discovery)
T1553.005 — Mark-of-the-Web Bypass (defense-evasion)
T1082 — System Information Discovery (discovery)
T1565.002 — Transmitted Data Manipulation (impact)
T1561.002 — Disk Structure Wipe (impact)
T1036.003 — Rename Legitimate Utilities (defense-evasion)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1588.002 — Tool (resource-development)
T1505.003 — Web Shell (persistence)
T1115 — Clipboard Data (collection)
T1562.004 — Disable or Modify System Firewall (defense-evasion)
T1218.011 — Rundll32 (defense-evasion)
T1565.003 — Runtime Data Manipulation (impact)
T1583.001 — Domains (resource-development)
T1106 — Native API (execution)
T1218.001 — Compiled HTML File (defense-evasion)
T1562.001 — Disable or Modify Tools (defense-evasion)
T1204.002 — Malicious File (execution)
T1565.001 — Stored Data Manipulation (impact)
T1005 — Data from Local System (collection)
T1059.001 — PowerShell (execution)
T1053.003 — Cron (execution, persistence, privilege-escalation)
T1566.001 — Spearphishing Attachment (initial-access)
T1218.007 — Msiexec (defense-evasion)
T1569.002 — Service Execution (execution)
T1480.002 — Mutual Exclusion (defense-evasion)
T1057 — Process Discovery (discovery)

Total TTPs: 55

Malware & Tools

Malware: DarkComet, ECCENTRICBANDWAGON, HOPLIGHT, KillDisk

Tools: Mimikatz, Net

← Return to Home ← Back to APT Search