CLEANTOAD

APT38, an advanced persistent threat (APT) group, is back in the news with a hacking tool called CLEANTOAD. The group is often grouped under the Lazarus name and operates from North Korea. It is believed to be sponsored by the North Korean government and to carry out hacking campaigns on its behalf. The group operates at a very high level of skill, and some of its members are wanted by the FBI.

Quiet Operations

Most of APT38's campaigns are financially motivated, and their targets tend to be banks and other financial institutions. The group is patient: it is known to take its time and carry out attacks over long periods, which helps its activity stay under the radar of its targets for longer. Its campaigns often deliver several payloads with different capabilities to complete an attack. One of these tools, sometimes used as a secondary payload, is the CLEANTOAD malware.

Cleans Traces of Harmful Activity

Researchers tracking APT38 have noted that CLEANTOAD is often deployed after the group has installed another of its tools, BLINDTOAD. That does not mean CLEANTOAD is used only in combination with BLINDTOAD; attacks can combine it with a variety of other tools. CLEANTOAD is used to clean up some of the traces that an operation leaves behind. It injects its code into a 'notepad.exe' process using a shellcode injection technique, so that the cleanup runs under the name of a legitimate Windows binary. This reduces the chance that the activity is spotted by the victim or by an anti-malware tool.

Capabilities

The CLEANTOAD malware is capable of:

  • Wiping Windows Event Logs.
  • Altering pre-defined Windows Registry keys.
  • Deleting or overwriting files that were part of the malicious campaign.
  • Stopping or deleting Windows services.
  • Loading a configuration file that sets the date and time at which the threat is meant to run.
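The capabilities above are exactly the things Windows logs when they happen, provided the records leave the host before the wipe. The following is an added example, not code from the original article or from any vendor report, showing how a collector-side rule can correlate those traces: Security event 1102 and System event 104 (a log was cleared), System event 7036 (a service entered the stopped state) and Sysmon event 8 (a remote thread created in another process, here filtered to notepad.exe, matching the injection described earlier). The record layout, the host names and the timestamps are constructed for the example and stand in for whatever a SIEM or log forwarder actually emits.

```python
"""Correlate Windows event records for anti-forensic cleanup activity.

Added example (not the article's or any vendor's code). The record format
(dicts with host / channel / event_id / ts / data) is an assumption; adapt
the field names to your collector's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (channel, event_id) pairs of interest
LOG_CLEAR = {("Security", 1102), ("System", 104)}           # an event log was cleared
SERVICE_STOPPED = ("System", 7036)                           # service entered the stopped state
REMOTE_THREAD = ("Microsoft-Windows-Sysmon/Operational", 8)  # CreateRemoteThread
INJECTION_TARGETS = {"notepad.exe"}                          # processes worth flagging as injection targets


def _ts(rec):
    return datetime.fromisoformat(rec["ts"])


def classify(rec):
    """Tag a single record, or return None if it is not a cleanup indicator."""
    key = (rec["channel"], rec["event_id"])
    if key in LOG_CLEAR:
        return "log_cleared"
    if key == SERVICE_STOPPED:
        return "service_stopped"
    if key == REMOTE_THREAD:
        target = rec.get("data", {}).get("TargetImage", "").rsplit("\\", 1)[-1].lower()
        if target in INJECTION_TARGETS:
            return "injection_into_notepad"
    return None


def find_cleanup_clusters(records, window=timedelta(minutes=10)):
    """Return {host: alert} for every host with at least one log-clear event.

    Severity rises when other cleanup indicators fall within `window` of a clear:
    a remote thread into notepad.exe is 'high', a service stop alone is 'medium',
    a clear with nothing nearby (e.g. an admin tidying up) is 'low'.
    """
    per_host = defaultdict(list)
    for rec in records:
        tag = classify(rec)
        if tag:
            per_host[rec["host"]].append((_ts(rec), tag))

    alerts = {}
    for host, hits in per_host.items():
        clears = [t for t, tag in hits if tag == "log_cleared"]
        if not clears:
            continue
        related = set()
        for t_clear in clears:
            for t, tag in hits:
                if tag != "log_cleared" and abs(t - t_clear) <= window:
                    related.add(tag)
        if "injection_into_notepad" in related:
            severity = "high"
        elif "service_stopped" in related:
            severity = "medium"
        else:
            severity = "low"
        alerts[host] = {
            "severity": severity,
            "indicators": sorted(related | {"log_cleared"}),
            "clears": len(clears),
        }
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # fin-ws01: injection into notepad.exe, a service stop, then Security and System logs cleared
    {"host": "fin-ws01", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 8,
     "ts": "2024-03-01T02:10:05",
     "data": {"SourceImage": "C:\\ProgramData\\svc.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe"}},
    {"host": "fin-ws01", "channel": "System", "event_id": 7036, "ts": "2024-03-01T02:11:40", "data": {}},
    {"host": "fin-ws01", "channel": "Security", "event_id": 1102, "ts": "2024-03-01T02:12:01",
     "data": {"SubjectUserName": "SYSTEM"}},
    {"host": "fin-ws01", "channel": "System", "event_id": 104, "ts": "2024-03-01T02:12:03", "data": {}},
    # fin-ws02: an administrator cleared the Security log, nothing else nearby
    {"host": "fin-ws02", "channel": "Security", "event_id": 1102, "ts": "2024-03-01T09:30:00",
     "data": {"SubjectUserName": "jdoe"}},
    # fin-ws03: a routine service stop hours before a clear, plus a remote thread into explorer.exe (ignored)
    {"host": "fin-ws03", "channel": "System", "event_id": 7036, "ts": "2024-03-01T01:00:00", "data": {}},
    {"host": "fin-ws03", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 8,
     "ts": "2024-03-01T07:59:00", "data": {"TargetImage": "C:\\Windows\\explorer.exe"}},
    {"host": "fin-ws03", "channel": "Security", "event_id": 1102, "ts": "2024-03-01T08:00:00", "data": {}},
]

if __name__ == "__main__":
    for host, alert in find_cleanup_clusters(SAMPLE_EVENTS).items():
        print(host, alert)
```

Two caveats matter in practice. First, event 1102 is written into the freshly cleared Security log, so it survives the clear itself, but only a copy forwarded off the host is safe from a later wipe or from the file deletion CLEANTOAD also performs; run this kind of rule on a collector, never on the endpoint. Second, a log clear on its own is a weak signal, since administrators clear logs too; the correlation with injection telemetry and service stops within a short window, together with the account recorded in the 1102 event, is what separates cleanup by an intruder from routine maintenance.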

APT38 is known to put great effort into its operations, which often involve espionage as well as the theft of large sums of money. The group has a very large arsenal of tools, and one like CLEANTOAD lets it keep a campaign running undetected for longer, collect more sensitive data and do greater damage to its targets.
