This report is a threat actor profile on APT38 and the various operations the group engages in. APT38 is a nation-state level threat group associated with the North Korean regime whose sole purpose is to collect sensitive financial data. The financial data is often collected from banks and other institutions to capture hard currency, such as USD, for the Kim regime.
The threat actor has a specific lifecycle that most of its campaigns typically fall under, with some variance for specialized environments. The bad actor starts by exploiting vulnerable public-facing infrastructure, such as web servers with an unpatched Apache Struts deployment. They use a mix of custom and common security assessment tools to perform lateral movement into the internal network. APT38 then uses customized malware to maintain persistence on a machine where they will launch privilege escalation attacks (using a tool like Mimikatz). As they assess the network via internal reconnaissance, the bad actor will be looking for the SWIFT transaction system. Once the SWIFT transaction system has been identified, the threat actor will look for weaknesses by studying how the system is monitored and configured. The ideal weakness will allow them to install a backdoor on both the SWIFT transaction system and the surrounding monitoring devices.
Please see the graphic below for an overview of the attacker’s lifecycle:
Once the bad actor installs a backdoor on any system related to transaction processing, they’ll start to move funds to illicit accounts over an extended period. When transfers are complete, APT38 will begin scrubbing the environment of evidence. It will start with the deletion of Windows event logs, deletion of malware artifacts, memory scrubbing, and much more!
It is highly encouraged that you patch your public-facing infrastructure if the impact is minimal to your business operations. Consider using the Mimikatz defense guide linked below to improve your defensive posture.
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.