Mapping To APT38

APT38 is a financially-motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014. North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.


Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.

Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0082
Associated Groups:  APT38
Note:  This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique Opportunity Space AD Technique Use Case
T1027 - Obfuscated Files or Information In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. DTE0017 - Decoy System A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information.
T1049 - System Network Connections Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can manipulate the output of commands commonly used to enumerate a system's network connections. They could seed this output with decoy systems and/or networks or remove legitimate systems from the output in order to direct an adversary away from legitimate systems.
T1056 - Input Capture There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter.
T1057 - Process Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify commands such that the true list of running processes is not revealed, hiding necessary active defense processes from the adversary.
T1057 - Process Discovery There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. DTE0016 - Decoy Process A defender can run decoy processes on a system to entice an adversary.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0034 - System Activity Monitoring A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.
T1070 - Indicator Removal on Host In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives. DTE0001 - Admin Access A defender can restrict admin access to force an adversary to escalate privileges in order to delete logs and captured artifacts from a system.
T1070 - Indicator Removal on Host There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. DTE0007 - Behavioral Analytics A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity.
T1071 - Application Layer Protocol There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. DTE0027 - Network Monitoring The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.
T1105 - Ingress Tool Transfer There is an opportunity to collect network data and analyze the adversary activity it contains. DTE0028 - PCAP Collection Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity.
T1112 - Modify Registry There is an opportunity to utilize known good copies of registry information and restore it if an adversary makes any changes. DTE0006 - Baseline A defender can enable Registry Auditing on specific keys to produce an alerts whenever a value is changed and revert those keys to baseline.
T1112 - Modify Registry There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0034 - System Activity Monitoring A defender can monitor processes and command-line arguments which could be used by an adversary to change or delete information in the Windows registry.
T1115 - Clipboard Data There is an opportunity to introduce data to an adversary to influence their future behaviors. DTE0011 - Decoy Content A defender can insert into a system's clipboard decoy content for the adversary to find.
T1189 - Drive-by Compromise There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0017 - Decoy System A defender can use a decoy system to access a compromised website to see how it works (study the exploit sequence, collect relevant artifacts, etc.).
T1189 - Drive-by Compromise There is an opportunity to discover who or what is being targeting by an adversary. DTE0013 - Decoy Diversity A defender could use a decoy or set of decoys with different network addresses, operating systems, web browsers, language settings, and etc. to determine if every system that visits a compromised website receives its malicious payload or only specific systems receive it.
T1189 - Drive-by Compromise There is an opportunity to use a compromised drive-by site to start long term engagement with the adversary and observe the adversary's post-exploit TTPs. DTE0014 - Decoy Network A defender seeking to learn about post compromise adversary activity could visit the compromised website with a system in a decoy network that has been designed to sustain an adversary engagement past the initial compromise.
T1485 - Data Destruction There is an opportunity to test what an adversary might do if destroyed data is selectively replaced by the defender. DTE0005 - Backup and Recovery A defender can ensure data is backed up on a regular basis and backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts.
T1485 - Data Destruction There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. DTE0036 - Software Manipulation A defender can manipulate commands on systems so an adversary is unable delete data in ways they normally would.
T1485 - Data Destruction There is an opportunity to create a detection with a moderately high probability of success. DTE0034 - System Activity Monitoring A defender can use process monitoring to look for the execution of utilities commonly used for data destruction, such as SDelete.
T1486 - Data Encrypted for Impact There is an opportunity to create a detection with a moderately high probability of success. DTE0034 - System Activity Monitoring A defender can use process monitoring to look for the execution of utilities commonly used for ransomware and other data encryption.
T1486 - Data Encrypted for Impact There is an opportunity to test what an adversary might do if encrypted data is selectively replaced by the defender. DTE0005 - Backup and Recovery A defender can ensure data is backed up on a regular basis and backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts.
T1529 - System Shutdown/Reboot There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0017 - Decoy System A defender can deploy a decoy system to see if an adversary attempts to shutdown or reboot the device.
T1561 - Disk Wipe There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify the functionality of commands that are used to delete files or format drives so they fail when used in a specific manner.
T1565 - Data Manipulation In an adversary engagement scenario, there is an opportunity to observe how an adversary might manipulate data on a system. DTE0011 - Decoy Content A defender can deploy decoy content to see if an adversary attempts to manipulate data on the system or connected storage devices.