APT38 Threat Actor Profile

Executive Summary

This report is a threat actor profile on APT38 and the various operations the group engages in. APT38 is a nation-state level threat group associated with the North Korean regime whose sole purpose is to collect sensitive financial data. The financial data is often collected from banks and other institutions to capture hard currency, such as USD, for the Kim regime.

APT38 Tactics, Techniques, and Procedures

The threat actor has a specific lifecycle that most of its campaigns typically fall under, with some variance for specialized environments. The bad actor starts by exploiting vulnerable public-facing infrastructure, such as web servers with an unpatched Apache Struts deployment. They use a mix of custom and common security assessment tools to perform lateral movement into the internal network. APT38 then uses customized malware to maintain persistence on a machine where they will launch privilege escalation attacks (using a tool like Mimikatz). As they assess the network via internal reconnaissance, the bad actor will be looking for the SWIFT transaction system. Once the SWIFT transaction system has been identified, the threat actor will look for weaknesses by studying how the system is monitored and configured. The ideal weakness will allow them to install a backdoor on both the SWIFT transaction system and the surrounding monitoring devices.

Please see the graphic below for an overview of the attacker’s lifecycle:

APT38 Threat Actor — **Taken from:** https://www.fireeye.com/blog/threat-research/2018/10/apt38-details-on-new-north-korean-regime-backed-threat-group.html

Once the bad actor installs a backdoor on any system related to transaction processing, they’ll start to move funds to illicit accounts over an extended period. When transfers are complete, APT38 will begin scrubbing the environment of evidence. It will start with the deletion of Windows event logs, deletion of malware artifacts, memory scrubbing, and much more!

Strategic Impact of APT38

May lead to the loss of sensitive user credentials and the compromise of high-value user accounts.
Could result in the loss of monetary funds via illicit transactions using your processing infrastructure.
May lead to regulatory fines if a successful compromise occurs, such as GDPR or PCI DSS penalties. This will be the case if gross negligence is discovered.

Our Recommendations

It is highly encouraged that you patch your public-facing infrastructure if the impact is minimal to your business operations. Consider using the Mimikatz defense guide linked below to improve your defensive posture.

Sources

APT38, NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima, Group G0082 – Mitre ATT&CK (October 2021)

Supporting Documentation

APT Campaign Collection – GitHub
APT38: Details on New North Korean Regime-Backed Threat Group – Mandiant (October 2018)
Mimikatz Defense Guide (Mitigations against Mimikatz Style Attacks) – Internet Storm Center, Rob VandenBrink (February 2019)

MITRE Mapping(s)

DarkComet, Software S0334 – Mitre ATT&CK (March 2020)
Mimikatz, Software S0002 – Mitre ATT&CK (May 2021)
Net, Software S0039 – Mitre ATT&CK (October 2021)

Exploit Public-Facing Application, Technique T1190 - Enterprise – Mitre ATT&CK (July 2021)

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Chat With One of Our Experts

Threat Report ransomware threat actor APT38 Blog