CHEESETRAY

APT38 (the acronym stands for Advanced Persistent Threat) is in the news yet again. The group operates from North Korea and is commonly tracked under the broader Lazarus Group name. Its activities have gone far enough that some of its members are currently wanted by the United States Federal Bureau of Investigation. APT38's main motivation appears to be financial gain: it targets large banks and other financial institutions worldwide. The group is believed to be sponsored directly by the North Korean government, so it is likely acting on orders from the Kim Jong-un regime.

Lets the Attackers Collect Data Silently Over Long Periods

The APT38 hacking group tends to take its time when carrying out an operation. Its operators infiltrate a target and stay under the radar for as long as they can, collecting data about the victim's systems along the way. This reconnaissance lets the attackers decide exactly how to carry out the rest of the campaign for maximum effect. CHEESETRAY is a backdoor Trojan in the APT38 arsenal that gives its operators long-term access to a compromised system. A notable feature of CHEESETRAY is that it can operate in either an active or a passive mode; which mode it runs in is decided when the backdoor is deployed on a given system.

Active Mode and Passive Mode

In active mode the backdoor connects out to the attackers' C&C (Command & Control) server and starts sending and receiving data right away. The downside is that this is comparatively noisy: the outbound beaconing is exactly what network monitoring and a capable anti-malware product look for, so the activity may be spotted quickly. Passive mode is far quieter. The backdoor stays dormant and generates no outbound traffic until it receives what is called a 'magic packet', a specially crafted trigger delivered to a particular network port that it listens on; only then does it wake up and start accepting commands. By using this method the APT38 group keeps the traces of its activity to a minimum.
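As an added illustration of the passive-mode trigger described above, here is a small, self-contained Python demo written for this page. It is not CHEESETRAY's code and the magic value, the ephemeral port and the "ACTIVE" reply are all constructed for the demo; the page does not document the real implant's trigger format. The listener binds a local port, answers nothing to a scanner-style banner grab, and responds only to a connection whose first bytes are the constructed magic packet.

```python
import socket
import threading

# Constructed trigger bytes for this demo only; the page does not document the
# real CHEESETRAY trigger format, so nothing here mirrors it.
MAGIC = b"\x7fDEMO-TRIGGER\x00"
HOST = "127.0.0.1"
REPLY = b"ACTIVE\n"  # stand-in for the backdoor switching into tasking mode


def _recv_exact(conn, n):
    """Read exactly n bytes, or whatever arrived before EOF/timeout."""
    buf = b""
    while len(buf) < n:
        try:
            chunk = conn.recv(n - len(buf))
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def serve_passive(srv, stop, activated):
    """Passive-mode listener: accepts connections on an already-bound socket
    but answers nothing unless the first bytes equal MAGIC. A wrong probe is
    closed silently, so a scanner only learns that the port is open."""
    srv.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        with conn:
            conn.settimeout(1.0)
            if _recv_exact(conn, len(MAGIC)) != MAGIC:
                continue          # silent drop: no banner, no error, no reply
            activated.set()
            conn.sendall(REPLY)   # trigger matched: wake up and respond


def probe(port, payload):
    """Connect, send payload, return whatever comes back.
    EOF, a reset or a timeout all count as 'no reply' (b"")."""
    with socket.create_connection((HOST, port), timeout=1.0) as c:
        c.sendall(payload)
        try:
            return c.recv(64)
        except OSError:           # timeout / ConnectionResetError
            return b""


def run_demo():
    """Bind an ephemeral port, start the passive listener, hit it first with a
    scanner-style banner grab and then with the magic packet."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))           # port 0: let the OS pick a free local port
    srv.listen(5)
    port = srv.getsockname()[1]
    stop, activated = threading.Event(), threading.Event()
    t = threading.Thread(target=serve_passive, args=(srv, stop, activated), daemon=True)
    t.start()
    result = {}
    # 1) What a port scanner's banner grab sees: an open port and total silence.
    result["scan_reply"] = probe(port, b"HEAD / HTTP/1.0\r\n\r\n")
    result["activated_after_scan"] = activated.is_set()
    # 2) The operator's magic packet: same port, now the backdoor answers.
    result["magic_reply"] = probe(port, MAGIC)
    result["activated_after_magic"] = activated.wait(1.0)
    stop.set()
    t.join()
    srv.close()
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The point for defenders is in the first probe: a listening port that never answers a banner grab looks like nothing more than an open socket, so passive-mode implants are found by hunting for unexpected listeners (process-to-port mapping, unexplained firewall rules, unusual accept() activity on hosts) rather than by waiting for beaconing traffic.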

Capabilities

The CHEESETRAY backdoor Trojan allows its operators to:

  • Execute shell commands remotely.
  • Delete files present on the system.
  • Observe Remote Desktop (RDP) sessions.
  • Inject its code into legitimate processes.
  • List the processes running on the system.
  • Gather data about the file system, such as file and folder names.
  • Upload files to the infected system.
  • Download files from a selected URL.

The activity of the APT38 hacking group will likely not cease any time soon, so we will continue to see them making the headlines in the foreseeable future.
