# APT38

attack.mitre.org/groups/G0082

[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a)[2][3][4]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
## ID: G0082

**Associated Groups:** NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima

**Version:** 2.0

**Created:** 29 January 2019

**Last Modified:** 18 January 2022

[Version Permalink](https://attack.mitre.org/versions/v11/groups/G0082/) | [Live Version](https://attack.mitre.org/versions/v11/groups/G0082/)

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | [T1071.001](https://attack.mitre.org/techniques/T1071/001) | Application Layer Protocol: Web Protocols | APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1217](https://attack.mitre.org/techniques/T1217) | Browser Bookmark Discovery | APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1110](https://attack.mitre.org/techniques/T1110) | Brute Force | APT38 has used brute force techniques to attempt account access when passwords are unknown or when password hashes are unavailable.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1115](https://attack.mitre.org/techniques/T1115) | Clipboard Data | APT38 used a Trojan called KEYLIME to collect data from the clipboard.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1059.001](https://attack.mitre.org/techniques/T1059/001) | Command and Scripting Interpreter: PowerShell | APT38 has used PowerShell to execute commands and other operational tasks.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1059.003](https://attack.mitre.org/techniques/T1059/003) | Command and Scripting Interpreter: Windows Command Shell | APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim's machine.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1059.005](https://attack.mitre.org/techniques/T1059/005) | Command and Scripting Interpreter: Visual Basic | APT38 has used VBScript to execute commands and other operational tasks.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1543.003](https://attack.mitre.org/techniques/T1543/003) | Create or Modify System Process: Windows Service | APT38 has installed a new Windows service to establish persistence.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1485](https://attack.mitre.org/techniques/T1485) | Data Destruction | APT38 has used a custom secure delete function to make deleted files unrecoverable.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1486](https://attack.mitre.org/techniques/T1486) | Data Encrypted for Impact | APT38 has used Hermes ransomware to encrypt files with AES256.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1005](https://attack.mitre.org/techniques/T1005) | Data from Local System | APT38 has collected data from a compromised host.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1565.001](https://attack.mitre.org/techniques/T1565/001) | Data Manipulation: Stored Data Manipulation | APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1565.002](https://attack.mitre.org/techniques/T1565/002) | Data Manipulation: Transmitted Data Manipulation | APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1565.003](https://attack.mitre.org/techniques/T1565/003) | Data Manipulation: Runtime Data Manipulation | APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1561.002](https://attack.mitre.org/techniques/T1561/002) | Disk Wipe: Disk Structure Wipe | APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1189](https://attack.mitre.org/techniques/T1189) | Drive-by Compromise | APT38 has conducted watering hole schemes to gain initial access to victims.[[2]](https://content.fireeye.com/apt/rpt-apt38)[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1083](https://attack.mitre.org/techniques/T1083) | File and Directory Discovery | APT38 has enumerated files and directories, or searched in specific locations within a compromised host.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1562.003](https://attack.mitre.org/techniques/T1562/003) | Impair Defenses: Impair Command History Logging | APT38 has prepended a space to all of their terminal commands to operate without leaving traces in the HISTCONTROL environment.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1562.004](https://attack.mitre.org/techniques/T1562/004) | Impair Defenses: Disable or Modify System Firewall | APT38 has created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1070.001](https://attack.mitre.org/techniques/T1070/001) | Indicator Removal on Host: Clear Windows Event Logs | APT38 clears Windows Event logs and Sysmon logs from the system.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1070.004](https://attack.mitre.org/techniques/T1070/004) | Indicator Removal on Host: File Deletion | APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process.[[2]](https://content.fireeye.com/apt/rpt-apt38)[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1070.006](https://attack.mitre.org/techniques/T1070/006) | Indicator Removal on Host: Timestomp | APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1105](https://attack.mitre.org/techniques/T1105) | Ingress Tool Transfer | APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim's machine.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1056.001](https://attack.mitre.org/techniques/T1056/001) | Input Capture: Keylogging | APT38 used a Trojan called KEYLIME to capture keystrokes from the victim's machine.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1112](https://attack.mitre.org/techniques/T1112) | Modify Registry | APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1106](https://attack.mitre.org/techniques/T1106) | Native API | APT38 has used the Windows API to execute code within a victim's system.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1135](https://attack.mitre.org/techniques/T1135) | Network Share Discovery | APT38 has enumerated network shares on a compromised host.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1027.002](https://attack.mitre.org/techniques/T1027/002) | Obfuscated Files or Information: Software Packing | APT38 has used several code packing methods, such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1588.002](https://attack.mitre.org/techniques/T1588/002) | Obtain Capabilities: Tool | APT38 has obtained and used open-source tools such as [Mimikatz](https://attack.mitre.org/software/S0002).[8] |
| Enterprise | [T1566.001](https://attack.mitre.org/techniques/T1566/001) | Phishing: Spearphishing Attachment | APT38 has conducted spearphishing campaigns using malicious email attachments.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1057](https://attack.mitre.org/techniques/T1057) | Process Discovery | APT38 leveraged Sysmon to understand the processes and services in the organization.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1053.003](https://attack.mitre.org/techniques/T1053/003) | Scheduled Task/Job: Cron | APT38 has used cron to create pre-scheduled and periodic background jobs on a Linux system.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1053.005](https://attack.mitre.org/techniques/T1053/005) | Scheduled Task/Job: Scheduled Task | APT38 has used Task Scheduler to run programs at system startup or on a scheduled basis for persistence.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1505.003](https://attack.mitre.org/techniques/T1505/003) | Server Software Component: Web Shell | APT38 has used web shells for persistence or to ensure redundant access.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1518.001](https://attack.mitre.org/techniques/T1518/001) | Software Discovery: Security Software Discovery | APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1218.001](https://attack.mitre.org/techniques/T1218/001) | System Binary Proxy Execution: Compiled HTML File | APT38 has used CHM files to move concealed payloads.[[9]](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf) |
| Enterprise | [T1218.011](https://attack.mitre.org/techniques/T1218/011) | System Binary Proxy Execution: Rundll32 | APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1082](https://attack.mitre.org/techniques/T1082) | System Information Discovery | APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1049](https://attack.mitre.org/techniques/T1049) | System Network Connections Discovery | APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1033](https://attack.mitre.org/techniques/T1033) | System Owner/User Discovery | APT38 has identified primary users, currently logged in users, sets of users that commonly use a system, or inactive users.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1569.002](https://attack.mitre.org/techniques/T1569/002) | System Services: Service Execution | APT38 has created new services or modified existing ones to run executables, commands, or scripts.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |
| Enterprise | [T1529](https://attack.mitre.org/techniques/T1529) | System Shutdown/Reboot | APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.[[2]](https://content.fireeye.com/apt/rpt-apt38) |
| Enterprise | [T1204.002](https://attack.mitre.org/techniques/T1204/002) | User Execution: Malicious File | APT38 has attempted to lure victims into enabling malicious macros within email attachments.[[1]](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) |