The most notorious hacking group originating from North Korea is called APT38 (Advanced Persistent Threat). They also are known under the alias Lazarus and have been active for quite a while. The APT38 hacking group is known to be working for the North Korean government, and their efforts are concentrated on furthering North Korean interests globally. Most hacking groups who are hired by governments tend to operate in a rather conservative manner and make sure they do not cause unnecessary harm to the target’s system. However, the APT38 group takes no interest in such precautions and can sometimes fully destroy an infiltrated system, which is not of importance to it. Some of the members of the APT38 are even wanted by the United States’ FBI.

Takes over the Command-Line of the System

The NACHOCHEESE threat is a part of the APT38’s hacking tools arsenal, and even though it may not be among their most complex threats, it can prove to be a crucial tool in a campaign. This malware is a command-line hacking tool, which the APT38 group would plant on a compromised system as a second-stage payload. The NACHOCHEESE malware allows the attackers to execute remote commands on the compromised host by taking control over the command line of the system.

APT38 Attempts to Trick Researchers

An interesting feature of the NACHOCHEESE threat is that certain parts of its code are written in very poor Russian. It is likely that the APT38 tried to confuse cybersecurity experts and perhaps mislead them into believing that the NACHOCHEESE backdoor originates from Russia and not North Korea. This is a reoccurring theme when dealing with threats created by the APT38. In past campaigns, malware researchers have discovered lines of their code written in Chinese, Russian and Iranian. Another trick that the APT38 likes to use is to deploy a separate, easily detectable threat on the compromised host. This may help the NACHOCHEESE to remain unnoticed for a longer period.

Since the APT38 is government-funded, their threatening activity will probably continue in the future, and we will likely keep seeing new threats created by this notorious hacking group.