North Korean Threat Group APT38 Threat Intel Advisory

###### Advisory Adversary Intelligence
###### Name APT38
###### Origin North Korea
###### Target Financial Sectors – Banks
###### Targeted Countries Russia, Poland, Uruguay, US, Mexico, Chile, Brazil, Turkey, India, Bangladesh, Malaysia, Taiwan, Vietnam, Philippines

Executive Summary

APT38 is a state-sponsored North Korean threat group, known to mainly target the financial sector; the first appearance of this group was back in 2014. As the main focus of this group is the finance industry, they use SWIFT fraud to steal money from infected organizations, where most of their victims have been identified to use SWIFT tools. APT38 uses tools and malware that are part of Lazarus and TEMP.Hermit groups’ arsenal. These criminal gangs are also North Korean state-sponsored threats groups, but with different target types. Recent activities of APT38 indicates that the threat group uses reconnaissance to gather information on Indian banking infrastructure, with the intention of carrying out further attacks.


Technical Impact
  • System infrastructure destruction
  • Data encryption
Business Impact
  • Financial loss of the targeted organization
  • Espionage
  • Data leakage
  • Data loss


  • Use up-to-date software
  • Apply regular backup for data
  • Apply least privilege access for files and directories
  • Encrypt sensitive information
  • Restrict web-based content
  • Keep remote data storage

Technical Analysis


  • The group initially gathers as much information as possible about their target, starting by collecting information either about one of the target’s personnels or third party vendors (SWIFT systems).
  • After gathering information, the attackers initialize the access by using the method of Watering Hole attack, or the attackers leverage any existing outdated Linux server with vulnerabilities.
  • In the next step they conduct internal reconnaissance of the infected environment by using a set of malwares and internal tools to scan the system.
  • Once the attackers gather the required information, they start pivoting to SWIFT servers (if there is any) and install the malware necessary to conduct the reconnaissance in infected servers and implant backdoors within those servers.
  • In this stage the attackers start executing malwares that enable them to insert fraudulent SWIFT transactions to transfer money to other accounts that could be located in other countries.
  • In the final stage the attackers try to destroy any evidence of their existence in the infected system. The actions that are taken include deletion of log files, disk-wiping, and in some cases they may even use ransomware to thwart future detection.