legal contact rss

APT 038

Suspected attribution: North Korea

Target sectors: Banks worldwide


Overview: We believe APT38’s financial motivation, unique toolset, and tactics, techniques and procedures (TTPs) observed during their carefully executed operations are distinct enough to be tracked separately from other North Korean cyber activity. There are many overlapping characteristics with other operations, known as “Lazarus” and the actor we call TEMP.Hermit; however, we believe separating this group will provide defenders with a more focused understanding of the adversary and allow them to prioritize resources and enable defense. The following are some of the ways APT38 is different from other North Korean actors, and some of the ways they are similar:

Associated malware: A diverse suite of malware for initial intrusion and exfiltration. Along with custom malware used for espionage purposes, APT37 also has access to destructive malware.

Attack vectors

  1. Information Gathering: Conducted research into an organization’s personnel and targeted third party vendors with likely access to SWIFT transaction systems to understand the mechanics of SWIFT transactions on victim networks (Please note: The systems in question are those used by the victim to conduct SWIFT transactions. At no point did we observe these actors breach the integrity of the SWIFT system itself.).
  2. Initial Compromise: Relied on watering holes and exploited an insecure out-of-date version of Apache Struts2 to execute code on a system.
  3. Internal Reconnaissance: Deployed malware to gather credentials, mapped the victim’s network topology, and used tools already present in the victim environment to scan systems.
  4. Pivot to Victim Servers Used for SWIFT Transactions: Installed reconnaissance malware and internal network monitoring tools on systems used for SWIFT to further understand how they are configured and being used. Deployed both active and passive backdoors on these systems to access segmented internal systems at a victim organization and avoid detection.
  5. Transfer funds: Deployed and executed malware to insert fraudulent SWIFT transactions and alter transaction history. Transferred funds via multiple transactions to accounts set up in other banks, usually located in separate countries to enable money laundering.
  6. Destroy Evidence: Securely deleted logs, as well as deployed and executed disk-wiping malware, to cover tracks and disrupt forensic analysis.


A public report by Group-IB indicated APT38 logged into watering hole domains associated with ([.] uy, cnbv.gob[.]mx[.]pl) from two IPs ( and within the same North Korean IP ranges. — A report by Kaspersky indicates APT38 also logged into an Apache Tomcat server used to host its malicious files from the same IP range ( - in January 2017.

North Korean IP Address Range Description – IP range registered to a company in Pyongyang – IP range registered to a company in China but leased to North Korea





Used Malware/Tools



Detected as


BLINDTOAD is 64-bit Service DLL that loads an encrypted file from disk and executes it in memory.

  • FE_APT_Loader_Win64_BLINDTOAD_1


BOOTWRECK is a master boot record wiper malware.

  • FE_APT_Wiper_Win32_BOOTWRECK_1
 CHEESETRAY CHEESETRAY is a sophisticated proxy-aware backdoor that can operate in both
  • FE_APT_Backdoor_Win64_CHEESETRAY_1 active and passive mode depending on the passed command-line parameters. 
  • FE_APT_Backdoor_Win_CHEESETRAY_1 The backdoor is capable of enumerating files and processes, enumerating 
  • APT.Backdoor.Win.CHEESETRAY drivers, enumerating remote desktop sessions, uploading and downloading files, creating and terminating processes, deleting files, creating a reverse shell, acting as a proxy server, and hijacking processes among its other functionality. The backdoor communicates with its C&C server using a custom binary protocol over TCP with port specified as a command-line parameter.



CLEANTOAD is a disruption tool that will delete file system artifacts, including those related to BLINDTOAD, and will run after a date obtained from a configuration file. The malware injects shellcode into notepad.exe and it overwrites and deletes files, modifies registry keys, deletes services, and clears Windows event logs.

  • FE_APT_HackTool_Win_CLEANTOAD_1
 CLOSESHAVE  CLOSESHAVE is a secure deletion utility that expects single command line

parameter that is a path to an existing file on the system. It overwrites the file with null bytes, changes the file name, and deletes the file.




DarkComet is a publicly available remote access Trojan (RAT) capable of more than 60 different functions, including collecting system information, controlling all processes currently running on an infected system, viewing and modifying registries, creating a reverse shell, modifying or adding start-up processes and services, keylogging, stealing credentials, recording audio, scanning networks, locking, restarting and shutting down infected systems, updating malware with a new command and control (C&C) server or new functionality, and downloading, modifying, and uploading files.

•   Backdoor.DarkComet Trojan.DarkComet

•   Backdoor.Fynloski

•   Trojan.Fynloski


DYEPACK is a malware suite that manipulates local information regarding SWIFT transaction activity. DYEPACK would most likely be used to cover the traces of fraudulent SWIFT transactions that were performed via other tools or tactics. Variants of this malware may have been intended for deployment within multiple financial institutions targeted by likely related malicious activity.

However, its actual deployment has not been confirmed in all of these cases.

• Hacktool.APT.DYEPACK


Variant of DYEPACK utility. DYEPACK.FOX has the ability to manipulate PDF documents containing records of SWIFT messages.

• Hacktool.APT.DYEPACK


HERMES is a multi-threaded ransomware that enumerates all logical drives on a system and starts a new encryption thread for each drive. It attempts to encrypt all files using AES256 encryption that return FILE_ATTRIBUTE_ NORMAL for GetFileAttributes requests. HERMES will attempt to create and display a file on the desktop called DECRYPT_INFORMATION.txt containing the ransom instructions.

  • FE_APT_Ransomware_HERMES_1
  • FE_APT_Ransomware_Win_HERMES_1
  • FE_APT_FIN_Ransomware_HERMES
  • FE_Ransomware_Win32_HERMES_1
  • Ransomware.Hermes.DNS
  • Ransomware.Hermes
  • RansomDownloader.Hermes


HOTWAX is a module that upon starting imports all necessary system API functions, and searches for a .CHM file. HOTWAX decrypts a payload using the Spritz algorithm with a hard-coded key and then searches the target process and attempts to inject the decrypted payload module from the CHM file into the address space of the target process.

  • FE_APT_Trojan_Win64_HOTWAX_1


JspSpy is a publicly available web shell that has been posted on One publicly available version says "Code By Ninty"

  • FE_Webshell_JSP_JSPSPY_1
  • FE_Webshell_Java_JSPSPY_1
  • Webshell.JSP.JSPSPY


KEYLIME is a keylogger and clipboard logger that encodes the results to a log file.

  • FE_Hacktool_KEYLIME
  • FE_Trojan_KEYLIME


MAPMAKER is a reconnaissance tool that enumerates and prints active TCP connections on the local system. It queries the operating system for the IPv4 TCP connection table, and writes lines like "<ip>:<port> -> <ip>:<port>" to a log file.

  • FE_APT_HackTool_Win32_MAPMAKER_1


NACHOCHEESE is a command-line tunneler that accepts delimited C&C IPs or domains via command-line and gives actors shell access to a victim's system.



NESTEGG is a memory-only backdoor that can proxy commands to other infected systems using a custom routing scheme. It accepts commands to upload and download files, list and delete files, list and terminate processes, and start processes. NESTEGG also creates Windows Firewall rules that allows the backdoor to bind to a specified port number to allow for inbound traffic.

  • FE_APT_Backdoor_NESTEGG
  • FE_APT_Backdoor_NESTEGG_2
  • FE_APT_Backdoor_NESTEGG_3
  • FE_Backdoor_NestEgg_DLL


QUICKCAFE is an encrypted JavaScript downloader for QUICKRIDE.POWER that exploits the ActiveX M2Soft vulnerabilities. QUICKCAFE is obfuscated using JavaScript Obfuscator.

  • FE_APT_Downloader_JS_QUICKCAFE_1