ATK117

Presumed Origin: North Korea

Alias: APT 38, APT38, Bluenoroff, Stardust Chollima, Subgroup: Bluenoroff

According to the information available to us, it would appear that ATK117 (APT38) is a North Korean state-sponsored cyberthreat actor with prerogatives similar to those of Unit 180 of the North Korean Army's General Reconnaissance Bureau. Unit 180 is the North Korean unit in charge of obtaining funds for cyber activity and for the North Korean regime. This activity has existed since at least 2014 and appears to have increased since North Korea was placed under severe financial sanctions because of its development of new weapons. The economic pressure on Pyongyang is pushing the North Korean government to find new ways to obtain funding.

APT38 is a financially motivated North Korean threat group that has developed multiple ways to steal money, from targeted attacks on banks and cryptocurrency exchanges to the spreading of ransomware. The group appears to have been learning about financial transactions in 2014 and developed SWIFT-targeting malware in 2015. From 2014 to 2017 it mostly targeted organizations in Southeast Asia, expanding to South America and Africa in mid-2016. It also targeted Europe and North America from October 2016 to October 2017.

APT38 has a complete arsenal of malware and tools that use defense evasion techniques and false flags (poorly translated Russian strings in some malware, re-use of known malware). It is possible that this malware was developed by another unit (such as Unit 31), in which case these techniques could also be used by other North Korean groups. Despite this arsenal, APT38 uses living-off-the-land tools whenever possible. The group puts effort into discovering the targeted environment and maintaining access for as long as possible while staying undetected until it reaches its goal. FireEye estimates that they stay in a victim network for approximately 155 days.

Since 2018 the group has gone from stealthy to noisy, using the destructive KillDisk malware as a distraction tactic while targeting the SWIFT network to initiate malicious transactions.

We suspect Unit 180 to be the source of the WannaCry ransomware in 2017.

A report from the UN Security Council said that North Korea is carrying out "widespread and increasingly sophisticated" cyberattacks and estimates that North Korea has generated $2 billion.

Target sector

  • Aerospace
  • Energy
  • Financial Services
  • Healthcare
  • Manufacturing
  • Media

Target countries

  • Bangladesh
  • Brazil
  • Chile
  • Malaysia
  • Mexico
  • Philippines
  • Poland
  • Russian Federation
  • Taiwan
  • Turkey
  • United States Of America
  • Uruguay
  • Viet Nam

Attack pattern

  • T1003 - Credential Dumping
  • T1013 - Port Monitors
  • T1027 - Obfuscated Files or Information
  • T1036 - Masquerading
  • T1043 - Commonly Used Port
  • T1045 - Software Packing
  • T1046 - Network Service Scanning
  • T1050 - New Service
  • T1055 - Process Injection
  • T1056 - Input Capture
  • T1057 - Process Discovery
  • T1059 - Command-Line Interface
  • T1060 - Registry Run Keys / Startup Folder
  • T1063 - Security Software Discovery
  • T1065 - Uncommonly Used Port
  • T1070 - Indicator Removal on Host
  • T1071 - Standard Application Layer Protocol
  • T1076 - Remote Desktop Protocol
  • T1078 - Valid Accounts
  • T1079 - Multilayer Encryption
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1087 - Account Discovery
  • T1090 - Connection Proxy
  • T1099 - Timestomp
  • T1105 - Remote File Copy
  • T1107 - File Deletion
  • T1112 - Modify Registry
  • T1115 - Clipboard Data
  • T1123 - Audio Capture
  • T1135 - Network Share Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1189 - Drive-by Compromise
  • T1190 - Exploit Public-Facing Application
  • T1193 - Spearphishing Attachment
  • T1204 - User Execution
  • T1485 - Data Destruction
  • T1486 - Data Encrypted for Impact
  • T1487 - Disk Structure Wipe
  • T1492 - Stored Data Manipulation
  • T1493 - Transmitted Data Manipulation
  • T1494 - Runtime Data Manipulation

Motivation

  • Financial Gain

Malwares

  • DYEPACK
  • DarkComet
  • HERMES
  • HOTWAX
  • JspSpy
  • KEYLIME
  • KillDisk
  • MAPMAKER
  • NACHOCHEESE
  • NESTEGG
  • QUICKCAFE
  • QUICKRIDE
  • RATANKBAPOS
  • RAWHIDE
  • REDSHAWL
  • SCRUBBRUSH
  • SHADYCAT
  • SLIMDOWN
  • SMOOTHRIDE
  • SORRYBRUTE
  • WHITEOUT
  • WORMHOLE
  • WannaCry

Vulnerabilities

  • CVE-2015-8651
  • CVE-2016-1019
  • CVE-2016-4119