A new report from cybersecurity firm Mandiant sheds light on a previously unknown threat actor operating on behalf of the North Korean regime and using cybercrime to fund its espionage operations.

The group, dubbed APT43, is a prolific and aggressive actor that has been active since 2018 and has targeted various sectors and regions for intelligence gathering. The group also steals and launders cryptocurrency, using sophisticated techniques to hide its tracks and buy operational infrastructure.


According to the report, APT43’s collection priorities align with the mission of the Reconnaissance General Bureau (RGB), North Korea’s main foreign intelligence service. The group’s espionage targeting is regionally focused on South Korea, Japan, Europe, and the United States, especially in the following sectors: government, business services, and manufacturing, along with education, research, and think tanks focused on geopolitical and nuclear policy. The group shifted focus to health-related verticals throughout the majority of 2021, likely in support of pandemic response efforts.

To compromise its victims, APT43 relies on social engineering and malware, creating numerous spoofed and fraudulent (but convincing) personas for use in phishing emails and on social media platforms, and also masquerades as key individuals within its target areas (such as diplomacy and defense). The group leverages stolen personally identifiable information (PII) to create accounts and register domains, and also creates cover identities for purchasing operational tooling and infrastructure.

One of the most interesting aspects of APT43’s operations is how they steal and launder cryptocurrency: the group buys hash rental and cloud mining services to provide hash power, which is used to mine cryptocurrency to a wallet selected by the buyer without any blockchain-based association to the buyer’s original payments.

In other words, they use stolen crypto to mine for clean crypto.

This way, APT43 can generate enough funds to buy operational infrastructure in a manner aligned with North Korea’s juche state ideology of self-reliance, therefore reducing fiscal strain on the central government.

The report also reveals that APT43 is able to support espionage efforts with cybercrime, is willing to engage in operations over longer periods of time, and has collaborated with other North Korean espionage operators on multiple operations, underscoring the major role APT43 plays in the regime’s cyber apparatus.



Indicators of Compromise


MITRE ATT&CK

Initial Access

  • T1566 Phishing

  • T1566.001 Spearphishing Attachment

  • T1566.002 Spearphishing Link

Resource Development

  • T1583.003 Virtual Private Server

  • T1584 Compromise Infrastructure

  • T1588.003 Code Signing Certificates

  • T1588.004 Digital Certificates

  • T1608.003 Install Digital Certificate

  • T1608.005 Link Target

Execution

  • T1047 Windows Management Instrumentation

  • T1053.005 Scheduled Task

  • T1059 Command and Scripting Interpreter

  • T1059.001 PowerShell

  • T1059.003 Windows Command Shell

  • T1059.005 Visual Basic

  • T1059.007 JavaScript

  • T1129 Shared Modules

  • T1203 Exploitation for Client Execution

  • T1204.001 Malicious Link

  • T1204.002 Malicious File

  • T1569.002 Service Execution

Command and Control

  • T1071.001 Web Protocols

  • T1071.004 DNS

  • T1090.003 Multi-hop Proxy

  • T1095 Non-Application Layer Protocol

  • T1102 Web Service

  • T1102.002 Bidirectional Communication

  • T1105 Ingress Tool Transfer

  • T1132.001 Standard Encoding

  • T1573.002 Asymmetric Cryptography

Discovery

  • T1007 System Service Discovery

  • T1010 Application Window Discovery

  • T1012 Query Registry

  • T1016 System Network Configuration Discovery

  • T1033 System Owner/User Discovery

  • T1057 Process Discovery

  • T1082 System Information Discovery

  • T1083 File and Directory Discovery

  • T1087 Account Discovery

  • T1518 Software Discovery

  • T1614.001 System Language Discovery

Collection

  • T1056.001 Keylogging

  • T1113 Screen Capture

  • T1115 Clipboard Data

  • T1213 Data from Information Repositories

  • T1560 Archive Collected Data

  • T1560.001 Archive via Utility

Persistence

  • T1137 Office Application Startup

  • T1505.003 Web Shell

  • T1543.003 Windows Service

  • T1547.001 Registry Run Keys / Startup Folder

  • T1547.004 Winlogon Helper DLL

  • T1547.009 Shortcut Modification

Defense Evasion

  • T1027 Obfuscated Files or Information

  • T1027.001 Binary Padding

  • T1027.002 Software Packing

  • T1027.005 Indicator Removal from Tools

  • T1027.009 Embedded Payloads

  • T1036 Masquerading

  • T1036.001 Invalid Code Signature

  • T1036.007 Double File Extension

  • T1055 Process Injection

  • T1055.001 Dynamic-link Library Injection

  • T1055.003 Thread Execution Hijacking

  • T1070.004 File Deletion

  • T1070.006 Timestomp

  • T1112 Modify Registry

  • T1134 Access Token Manipulation

  • T1140 Deobfuscate/Decode Files or Information

  • T1218.005 Mshta

  • T1497 Virtualization/Sandbox Evasion

  • T1497.001 System Checks

  • T1548.002 Bypass User Account Control

  • T1553.002 Code Signing

  • T1564.003 Hidden Window

  • T1564.007 VBA Stomping

  • T1620 Reflective Code Loading

  • T1622 Debugger Evasion

Impact

  • T1489 Service Stop

  • T1529 System Shutdown/Reboot

Exfiltration

  • T1020 Automated Exfiltration

Credential Access

  • T1110 Brute Force

  • T1555.003 Credentials from Web Browsers