Attack Graph Response to US-CERT AA22-108A: North Korean Targeting of Blockchain Companies

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department released a joint Cybersecurity Advisory detailing recent targeting of the cryptocurrency and related sectors by the North Korean threat actor commonly known as APT38 or Stardust Chollima. This actor is responsible for financially motivated cyberattacks against both the traditional financial sector and the newer cryptocurrency sector. Active since at least 2014, the group is responsible for the theft of millions of dollars from banks worldwide and millions in cryptocurrency stolen from individual wallets and larger crypto exchanges.

While the techniques leveraged against those financial systems to carry out the theft are unique, the attacks start with conventional methods: spear phishing, downloaders, and common native operating system commands used to learn more about the infected victim. These established techniques are also used by other North Korean sponsored actors in their attacks against other targets of North Korean interest.

By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:

  1. Evaluate security controls against inbound known malware at the network and endpoint attack surface.
  2. Assess security posture for the techniques that have been well documented and long in use by threat actors.
  3. Continuously validate detection and prevention pipelines against an actor that takes additional steps to hide and evade detection.


Detection and Mitigation Recommendations

This attack graph emulates an attack using the behaviors exhibited by APT38 during the delivery and installation of their malware. The emulation begins with the download of one of their trojanized cryptocurrency software installers and follows their defense evasion techniques and system profiling steps that lead to the execution of the final Manuscrypt backdoor. Specifically, the attack graph takes the following steps:

Scenario 1: Spearphishing Link (T1566.002)

The threat actors began their campaign by sending large-scale phishing messages to their targets centered around the theme of high-paying job offers. The intent of the phishing messages is to get the target to download one of the actor’s trojanized software installers. Our attack graph starts from the point at which the link has been clicked and the malware is inbound to the victim’s host. This scenario attempts to download the AlticGO sample from an external HTTP server and then attempts to write it to disk. This combination of emulated activities is designed to test both a customer environment’s ability to stop known malicious content in transit over the network and its endpoint security controls when the content is written to disk.

1a. Detection Process
Phishing emails typically lead to an interpreter on the system being invoked to download malware. Although there are various ways to download files remotely to a device, the most common is PowerShell. With an EDR solution, creating detections that look for PowerShell being used to download files is a good first step toward alerting security analysts to a possible compromise:

Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS (“DownloadData” AND “Hidden”)

Additionally, attackers may use other methods of downloading malware such as certutil.exe:

Process Name == Certutil.exe
Command Line Contains (“-urlcache” AND “-f”)

This spear phishing link will download “TraderTraitor” malware with the following hashes:

  • MD5: 1c7d0ae1c4d2c0b70f75eab856327956
  • SHA1: f3263451f8988a9b02268f0fb6893f7c41b906d9
  • SHA256: 765a79d22330098884e0f7ce692d61c40dfcf288826342f33d976d8314cfd819

1b. Mitigation Policies
It is advised that non-administrators are prevented from being able to use tools such as powershell.exe, cmd.exe, and certutil.exe. This will prevent malicious usage of these tools under end user accounts.

Additionally, deploying email protection software along with phishing training and awareness can greatly reduce the chances of a successful phishing attack.

Scenario 2: Impair Defenses Disable or Modify Tools (T1562.001)

When the malware is first executed, it attempts to weaken the host’s defense by disabling Windows Defender. This scenario emulates that behavior by using the native Windows API to make a modification to the registry that sets the DisableAntiSpyware key to 1.

2a. Detection Process
Threat Actors use PowerShell to utilize Windows API features which can be abused to modify registry key values such as “DisableAntiSpyware.” A good way to detect this activity is as follows:

Process Name == Powershell.exe
Command Line CONTAINS (“New-ItemProperty” AND
“DisableAntiSpyware” AND “Value 1”)

Keep in mind that PowerShell and the Windows API are not the only ways to modify these registry settings. Reg.exe may also be used to modify registry values and should be monitored thoroughly.

2b. Mitigation Policies
Ensure Group Policy is set to only allow administrators to modify registry keys and utilize software such as cmd.exe, powershell.exe, reg.exe and regedit.exe.

Additionally, ensure that Windows Defender Tamper Protection is turned on to prevent unauthorized disabling of this security control.

Scenario 3: Ingress Tool Transfer (T1105)

The trojanized software installers delivered by the phishing links are used to download a second stage backdoor to the host. In these attacks APT38 was delivering variants of their Manuscrypt backdoor. This scenario performs the same functionality as the first step but using a sample of Manuscrypt instead.

3a. Detection Process
Once a malicious actor has compromised an endpoint, they may attempt to transfer any tools or malware onto the device. Attackers may utilize tools such as PowerShell, Certutil, Bitsadmin, and Curl.

PowerShell Example:

Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS ((“IWR” OR “Invoke-WebRequest”) AND “DownloadData” AND “Hidden”)

Certutil Example:

Process Name == Certutil.exe
Command Line Contains (“-urlcache” AND “-f”)

Bitsadmin Example:

Process Name == Bitsadmin.exe
Command Line CONTAINS (“/transfer” AND “http”)

Curl Example:

Process Name == Curl.exe
Command Line CONTAINS (“http” AND “-o”)

The transferred malware “Manuscrypt” has the following hashes:

  • MD5: 5d43baf1c9e9e3a939e5defd8f8fbd8d
  • SHA1: d5ff73c043f3bb75dd749636307500b60a436550
  • SHA256: 867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36

3b. Mitigation Policies
It is advised that non-administrators are prevented from being able to use tools such as powershell.exe, cmd.exe, and certutil.exe. This will prevent malicious usage of these tools under end user accounts.

Scenario 4: Scheduled Task (T1053.005)

A scheduled task is used for persistence and execution of the 2nd stage malware. A threat actor would choose this technique over direct execution to create a process chain disruption between the original trojanized software and the 2nd stage payload. Using a scheduled task also ensures that the backdoor is persistently executed at system startup or on a timer. This scenario creates a new scheduled task on the host and sets it to execute one time after waiting 60 seconds. The native system tool schtasks is executed through the command line with all the configuration arguments passed in the clear.

4a. Detection Process
Although scheduled tasks are a native Windows feature, they can be manipulated by attackers to aid persistence on the device. If possible, with an EDR or SIEM technology, monitor for the following endpoint behavior to be alerted to possible misuse of the Scheduled Tasks feature:

Process Name == (“cmd.exe” OR “powershell.exe”)
Command Line CONTAINS (“schtasks” AND “/create” AND (“cmd /c” OR “powershell -c”) AND “/RU System”)

Keep in mind, this may bring false positives if benign users are scheduling tasks. If possible, this query should be created to omit administrators that typically utilize this feature, and alert on unusual users running schtasks.exe.

4b. Mitigation Policies
Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl.

The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled.

Additionally, configure the Increase Scheduling Priority option to only allow the Administrators group the right to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority.

Scenario 5: System Information Discovery (T1082)

Now that persistence has been achieved, the threat actors will want to begin discovering more about the environment they have infected. Understanding what version of the operating system is running, how much memory is installed, or how much disk space is available helps the actor determine whether they have infected their intended target or whether the sample is being analyzed in a sandbox or security researcher environment. This scenario executes the native Windows command systeminfo through the command shell to retrieve detailed information about the computer.

5a. Detection Process
Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS “systeminfo”
User NOT IN [<list of expected administrators to be issuing these commands>]

5b. Mitigation Policies
Ensure that Group Policy allows only authorized users and administrators to run cmd.exe or powershell.exe. Access to these interpreters can be removed from lower-privileged users who do not need them, to prevent enumeration or abuse.

Scenario 6: Process Discovery (T1057)

A threat actor would want to understand what software is running on a specific host to either identify security software that may inhibit their actions or to illuminate targets of interest running cryptocurrency management software. This scenario executes the native system tool tasklist through the command line with the profiled results saved to a temporary directory.

6a. Detection Process
Using an EDR or SIEM product, use the following parameters for identifying possible enumeration of system processes:

Process Name == (“cmd.exe” OR “powershell.exe”)
Command Line CONTAINS (“Tasklist” AND “/FO”)
User NOT IN [<list of expected administrators to be issuing these commands>]

6b. Mitigation Policies
Ensure application whitelisting is in place to allow only permitted users/administrators the right to run utility binaries such as cmd.exe, powershell.exe, tasklist.exe, and WMIC.exe.

Scenario 7: Indicator Removal on Host: Timestomp (T1070.006)

File creation and modification dates are one of the easiest indicators an incident responder can use to identify recent changes to a file system. Threat actors will attempt to modify the file time attributes of their malware to blend in with older legitimate activity on the host. This scenario emulates that behavior with a PowerShell script that uses native PowerShell functionality to change the CreationTime and LastWriteTime attributes of a file to an older date.

7a. Detection Process
Most often, a PowerShell script will be run to modify the timestamps of a specified file on the system. Unfamiliar scripts run from globally writeable locations are an indicator of possibly malicious activity and should be monitored. If this PowerShell script were run as a one-liner, some items to look for would be the following:

Process Name == Powershell.exe
Command Line CONTAINS (“$” AND “Get-Item” AND (CreationTime OR LastWriteTime OR LastAccessTime))

7b. Mitigation Policies
Implementing a File Integrity Monitoring tool would help detect if any modifications to a file were made, and log the actual time rather than relying on the artifact’s time for investigation.

Additionally, ensure that PowerShell usage and script execution are blocked on end user devices where they are not necessary.

Lastly, ensure that the environment’s policy practices Least-Privilege Access to files, folders, and other objects in the environment. Limiting view/write/execute permissions to sensitive files to only those with proper need to know is a good step in ensuring the file system’s integrity.
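As an added example (not code from the AttackIQ page or its platform), the following minimal file integrity monitor records the time it observed each file rather than trusting the file's own timestamp, which is the approach the mitigation above recommends. It then flags a file whose content changed while its mtime moved backwards, the signature a timestomp leaves behind. The directory layout, file name and backdating via os.utime are constructed for the demonstration.

```python
import hashlib, os, tempfile, time
from pathlib import Path

def snapshot(root):
    """Per file: content hash, the file's own mtime, and the wall-clock time this scan saw it."""
    snap = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[str(path)] = (digest, path.stat().st_mtime, time.time())
    return snap

def compare(old, new):
    """Flag content changes, and separately those whose mtime did not move forward:
    a rewrite that the file's own timestamp does not admit is the timestomp signal."""
    findings = []
    for path, (digest, mtime, _) in new.items():
        prev = old.get(path)
        if prev is None:
            findings.append((path, "new file"))
        elif prev[0] != digest and mtime <= prev[1]:
            findings.append((path, "content changed but mtime not newer (possible timestomp)"))
        elif prev[0] != digest:
            findings.append((path, "content changed"))
    return findings

def demo():
    """Constructed scenario: a file is rewritten, then backdated a year with os.utime."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "update.dll"
        target.write_bytes(b"original")
        before = snapshot(d)
        target.write_bytes(b"trojanized")        # content changes ...
        old = time.time() - 365 * 86400
        os.utime(target, (old, old))             # ... and the timestamps are pushed back
        return compare(before, snapshot(d))

if __name__ == "__main__":
    for path, verdict in demo():
        print(verdict, "->", path)
```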

Scenario 8: Windows Management Instrumentation (T1047)

The last scenario emulates a behavior used by threat actors to launch additional tools and payloads through Windows Management Instrumentation (WMI). The benefit of this technique is that legitimate native Windows components handle the execution of secondary files, which again creates a process chain disruption between the different malware stages.

The scenario executes WMI through the command line to launch an additional tool using the following command:

wmic.exe Process call create "<binary_path> <binary_parameters>"

This buries the new file execution in the process tree of Windows services instead of directly under the initial malware.

wininit.exe –> services.exe –> svchost.exe –> wmiprvse.exe –> <binary>

8a. Detection Process
Developing a baseline of typical binaries that wmiprvse.exe invokes in your environment, then utilizing that baseline to make a detection is a good step in monitoring abnormal Windows Management Instrumentation activity. For example, creating a detection to alert on processes not in a list of known processes being invoked from wmiprvse.exe would identify possible malicious activity.

Monitoring the endpoint for the following would also alert on possible suspicious use:

Process Name == wmic.exe
Command Line CONTAINS (“Process call create” AND (“.dll” OR “.exe”))
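As an added example (not code from the AttackIQ page), the following Python builds the baseline of wmiprvse.exe child images described above from a learning window of telemetry, then alerts on children outside that baseline and on the wmic command-line pattern. The event tuples, image names, command lines and the two-sighting threshold are assumptions made for the example.

```python
from collections import Counter

# Constructed learning-window telemetry: (parent image, child image, child command line).
LEARNING = [
    ("wmiprvse.exe", "conhost.exe", "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"),
    ("wmiprvse.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\inventory.ps1"),
    ("wmiprvse.exe", "conhost.exe", "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"),
    ("wmiprvse.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\inventory.ps1"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

# Constructed detection-window telemetry, including the Scenario 8 launch pattern.
LIVE = [
    ("wmiprvse.exe", "conhost.exe", "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"),
    ("cmd.exe", "wmic.exe", 'wmic.exe Process call create "C:\\Users\\Public\\m.exe"'),
    ("wmiprvse.exe", "m.exe", "C:\\Users\\Public\\m.exe"),
]

def build_baseline(events, parent="wmiprvse.exe", min_count=2):
    """Child images seen under `parent` at least min_count times in the learning window."""
    counts = Counter(child.lower() for p, child, _ in events if p.lower() == parent)
    return {img for img, n in counts.items() if n >= min_count}

def wmic_create_rule(image, cmdline):
    """The page's rule: wmic.exe with 'Process call create' and a .dll/.exe argument."""
    c = cmdline.lower()
    return image.lower() == "wmic.exe" and "process call create" in c and (".dll" in c or ".exe" in c)

def find_alerts(events, baseline, parent="wmiprvse.exe"):
    """Flag wmiprvse children outside the baseline and wmic process-creation calls."""
    alerts = []
    for p, child, cmd in events:
        if p.lower() == parent and child.lower() not in baseline:
            alerts.append(("unbaselined child of wmiprvse.exe", child, cmd))
        if wmic_create_rule(child, cmd):
            alerts.append(("wmic process call create", child, cmd))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(LIVE, build_baseline(LEARNING)):
        print(alert)
```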

8b. Mitigation Policies
Ensure only administrators are authorized to utilize the Windows Management Instrumentation as this tool may be utilized for enumeration, lateral movement, and command execution as seen in this scenario.


In summary, this attack graph will help evaluate network and endpoint security controls by testing them against a threat actor that brings down their own bespoke malware, lives off the land to discover more about their victim’s environment, and uses many evasive tricks to avoid detection. With data generated from continuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.