Name: Happy Hunting | Unmasking APT38 - North Korea’s Financial Cyber Heist Experts
Start: 2025-01-16T19:56:00Z
End: 2025-01-16T19:56:09.000Z
Location: BrightTALK

Intel 471 empowers enterprises, government agencies, and other organizations to win the cybersecurity war using near-real-time insights into the latest malicious actors, relationships, threat patterns, and imminent attacks relevant to their businesses.

Our TITAN platform collects, interprets, structures, and validates human-led, automation-enhanced results. Clients across the globe leverage this threat intelligence with our proprietary framework to map the criminal underground, zero in on key activity, and align their resources and reporting to business requirements. Intel 471 serves as a trusted advisor to security teams, offering ongoing trend analysis and supporting your use of the platform. Learn more at https://intel471.com/

Un elemento clave para desarrollar un programa de threat-hunting eficiente es alinearlo con inteligencia de malware. Con un conocimiento avanzado sobre las actuales campañas de malware y su contexto, además de inteligencia obtenida a través de la monitorización automática de malware a través de emulación y extracción de artefactos, las tareas de threat-hunting se pueden elevar para capturar el comportamiento de las familias de malware más relevantes.

La detección de malware basada en indicadores de compromiso presenta retos, como pueda ser la corta ventana de tiempo en que estos indicadores son relevantes. Threat-hunting basado en comportamiento complementa y eleva la calidad de las defensas que se pueden implementar para detectar adversarios a través de sus tácticas, técnicas y procedimientos (TTPs). Estos TTPs incluyen la manera en la que determinado malware se instala o corre en los sistemas infectados, y cómo estos comportamientos se pueden observar en otros adversarios diferentes que persiguen un objetivo similar.

Descubre cómo potenciar tu programa de CTI y mejorar tus defensas partiendo desde IOCs a implementar threat-hunting basado en comportamiento. Únete a Jorge Rodríguez, director de malware research en Intel 471 en nuestro siguiente webinar el día [date].

Aprende a desarrollar reglas de threat-hunting para capturar:

- Campañas de spam
- Sugerencias de defensa contra operaciones de malware como SocGholish y Gootloader
- El uso de herramientas legítimas de acceso remoto de manera maliciosa

Threat Hunting: Inmersión en Malware

In the last two years, cybercriminals and ransomware gangs have ramped up attacks on the hospitality and travel sectors.  

In this webinar, you’ll learn how one cybercrime and fraud operation is targeting hotel guest payment card data in hotel booking systems. They’re not just abusing Booking.com’s brand in phishing emails, but using compromised hotel partner Booking.com accounts to send messages to guests in the official Booking.com app and emails requesting “mandatory payment” before their upcoming stay. 

How are actors accessing partner accounts? In the past, these cybercriminals have used information-stealing malware installed on hotel workstations to steal hotel employee credentials and perpetrate fraud against upcoming guests. Now, to avoid detection by antivirus, threat actors have eschewed malware and deployed a sophisticated phishing kit to bypass multi-factor authentication (MFA) and evade detection by antivirus. 

What you’ll learn: 
- How the threat actors are targeting the travel and hospitality sector  
- Sophisticated social engineering techniques used to steal employee credentials 
- What methods and infrastructure the actors use to evade detection and cover their tracks
- How CTI enables teams to discover and mitigate this threat

To learn the tactics, techniques and procedures (TTPs) these cybercriminals use to defraud hotel guests, and how to protect your guests, brand, and reputation, join us for this fascinating and informative webinar on September 10, 2024.

Guests Check-in, Cybercriminals Cash-out: Protecting Payment Data from Phishing Attacks

Join Intel 471 for our webinar “Decoding the Ransomware Playbook: Threat Hunting Opportunities to Thwart Bassterlord’s Techniques” to discover how your teams can use intelligence-driven threat hunting to identify and stop top-tier ransomware threats early in the attack lifecycle — before adversaries deploy ransomware or exfiltrate data. 

The prominent LockBit affiliate Bassterrlord’s release of three intrusion manuals between 2021 and early 2024 provided budding cybercriminals a how-to guide for assembling and operating the resources to gain access to organizations and conduct ransomware attacks. Prior to the U.S. indictment and unmasking of Bassterlord in February 2024, Intel 471 obtained secret and unredacted versions of the manuals for its in-depth CTI analysis. 

While LockBit activity has subsided, many of the techniques described in the Bassterlord manuals remain in use today and were widely adopted by high profile ransomware-as-a-service (RaaS) programs, including LockBit, ALPHV, Black Basta, Akira, Play, REvil and others. These groups and their methods continue to pose a significant threat to businesses in the retail and hospitality sectors, and all critical sectors where data can be leveraged for extortion.

Join Intel 471 Senior Intel Analyst, Carlos Borges, and Intel 471 Senior Threat Hunt Analyst, Scott Poley, at 12pm EST on Tuesday, February 25, 2025 to explore insights into cybercriminal behaviors from an adversary who operated in major RaaS programs and learned from experienced actors. You’ll learn how to identify threat hunting opportunities using tactics, techniques, and procedures (TTPs) observed in ransomware attacks and how to evaluate the adversary’s intentions, capabilities, and objectives throughout the attack chain to build effective behavioral threat hunts and improve visibility across your environment.

Decoding the Ransomware Playbook: Threat Hunting Opportunities to Thwart Bassterlord’s Techniques

Decoding the Ransomware Playbook -- upload

RansomHub is now the top Ransomware-as-a-Service (RaaS) affiliate program since it hit the ransomware scene in February 2024. RansomHub claimed responsibility for 15% of over 1,000 ransomware breaches that Intel 471 tracked in Q3 2024 — well ahead of Play, LockBit, Meow Team, Akira and Hunters International. 

But what’s behind RansomHub’s rapid ascent? RansomHub was one of several emerging RaaS programs that boosted activity in the aftermath of law enforcement dismantling LockBit and ALPHV (aka BlackCat). What tools, talent and techniques did RansomHub adopt from other ransom groups to scale up its operations so quickly? While it built custom ransomware that can target Linux, VMware ESXi hypervisor and Windows, its RaaS management panel also exhibited similarities to a now-defunct ransomware operation.  

Join Steve Martin, an Intel 471 Intelligence Fusion Specialist, at our next webinar on 14 November 2024, where he’ll canvas RansomHub’s origin story, the affiliate program’s rise, and what the future holds for this group.

Lifting the Covers on RansomHub's Rise

NIS2 is arguably the most important cybersecurity regulation in Europe which aims to boost cyber resilience across all critical sectors. EU cybersecurity agency ENISA plays a critical role in NIS2 implementation and operations, providing NIS2 technical implementation guidance to entities, and serves as the secretariat for EU-CyCLONe — the network of national authorities that respond to major cross-border cyber incidents. 

Join Intel 471 on 5 February for our webinar "NIS2: Achieving Digital Resilience Within Europe's Critical Sectors" — a fireside chat with Marnix Dekker, deputy head of ENISA's new Resilience of Critical Sectors (RoCS) unit. This is a must-see webinar for all entities in scope of NIS2. Hosted by Intel 471 content manager Liam Tung, you’ll hear Dekker’s insights on how ENISA and the EU will help improve cybersecurity, resilience, and preparedness for today’s evolving threat environment. 

Topics covered include:
- How the EU can tackle strategic threats, like Russia, 5G supply risks, and subsea cables
- Challenges around supervision and making meaningful progress in resilience, plus a “NIS2-light” approach for smaller entities 
- Partnerships with national authorities and information-sharing to combat converged state-based and cybercrime threats 
- ENISA’s upcoming technical guidelines that will provide an EU-wide baseline for NIS2 compliance 
- How the EU and ENISA will help improve supply chain security and vulnerability management

NIS2: Achieving Digital Resilience Within Europe’s Critical Sectors

Learn how AsyncRat, a versatile remote access tool, performs malicious campaigns and how identify and track them with cyber threat hunting. 

AsyncRAT is a versatile remote access tool (RAT) often used in malicious campaigns, offering features like keylogging and remote desktop control, making it a common choice for cybercriminals. In this episode of "Happy Hunting", Lee Archinal breaks down the behaviors of AsyncRAT and shows how threat hunters can identify patterns—such as batch file executions in temp directories.

Watch now to learn how you can track these techniques using the Execution Bat Script to Unpack Payload Hunt Package on the 471HUNTER Platform.

Get your free 471HUNTER Community Account to access this hunt package and more: https://intel471.com/lp/hunter-community-access

Already have a Community Account? Jump straight to the hunt package: https://hunter.cyborgsecurity.io/research/hunt-package/606cd1ac-622d-4645-9553-2b04df7407d8

Happy Hunting | Using AsyncRat To Identify Malware Patterns

Learn about the cybercriminal group Black Basta and see how they use discovery tactics to find and target victims.  

In the latest episode of the "Happy Hunting" series, Lee Archinal dives into Black Basta, a cybercriminal group that's been causing serious trouble across various industries like healthcare, manufacturing, and critical infrastructure. What makes Black Basta especially dangerous is how they use discovery tactics to scope out target environments, giving them the edge they need to launch precise and devastating attacks.

Join our community with a free Community Account on the HUNTER471 Platform. This account grants you access to our Hunt Package Collection, including the "Excessive Windows Discovery and Execution Processes - Potential Malware Installation" Hunt Package featured in this episode, along with a wide array of resources to sharpen your threat hunting expertise.

Get your HUNTER471 account today: https://intel471.com/hunter-community-platform

Already have a Community Account? Jump straight to the Excessive Windows Discovery and Execution Processes - Potential Malware Installation Hunt Package and follow along with Lee: https://hunter.cyborgsecurity.io/research/hunt-package/a37ff816-53b3-4af3-a63c-3f87a3eab908

Happy Hunting | A Deep Dive Into Black Basta

Rapid digitalization and demand for online services have rendered Know-Your-Customer (KYC) identity verification processes a must for financial institutions and beyond to protect against fraud. However, KYC fraud is becoming an increasingly popular topic in the cyber underground. While traditional KYC bypass methods persist, many actors are turning to artificial intelligence (AI) to enhance their tactics, techniques and procedures (TTPs) and successfully commit fraudulent activity. This leaves security practitioners battling a dynamic threat landscape.

Join Intel Fusion Specialist Katie Sutton as she provides an introduction to KYC fraud and walks through current trends, giving you the awareness you need to effectively bolster your cyber defenses. She will also examine the ever-changing impact that AI technology is having on the process.

The webinar will discuss:

- Key terms and concepts relating to KYC regulations
- Why someone would want to bypass KYC
- Current TTPs Intel 471 is observing in the cyber underground

Are They Who They Say They Are? An Introduction to Know-Your-Customer Fraud

As supply chains have increased in complexity and interconnectivity, so too have operational demands for digital solutions to monitor and manage them more efficiently. In tandem with these developments, cybercriminal actors have pursued and scaled new methods to monetize fraud and disruption across supply chains.

Join Intel 471’s Peter Marzalik for a webinar on leveraging cyber threat intelligence (CTI) to mitigate supply chain risks. From tracking opportunistic fraudsters manipulating reshipping streams to engaging top-tier operators compromising and ransoming critical supply chain infrastructure providers, this webinar will provide an actionable approach for effectively protecting your supply chain. 

Intel 471’s How-To series helps teams develop their resilience against cyber threats through sharing expertise and best practice drawn from our years of CTI experience and exclusive insights into the cyber underground.

Crashing the Party: How to Leverage CTI to Mitigate Supply Chain Risk

So-called “pink slime” news sites are filling an information void left by a U.S. local news industry in rapid decline. What can be done to control the integrity of online news in this environment? And how much of a threat to democracy is pink slime journalism in an election year? 

While pink slime is a colloquial term for a meat by-product, in the media and communications arena it refers to content produced by political organizations on websites that bear the visual hallmarks of a local news outlet, while containing misleading stories to further their interests. 

As both campaigns in the 2024 U.S. Presidential race zero in on swing states, Intel 471 analysts sought to answer these questions by surveying the pink slime landscape on both sides of the political fence. Our assessment? Pink slime journalism is a difficult challenge to address. While the U.S. government combats foreign influence campaigns, it is less clear what can be done to control disinformation produced by U.S.-funded entities.

Join Intel 471 Senior Intelligence Analyst Ashley Jess on 23 October for her webinar U.S. Elections 2024: What To Do About Pink Slime Overtaking Local News? to explore a corner of the media landscape that has used hybrid tactics to serve select interests, including:

- Concealing domain registration ownership details
- Paid Facebook, Instagram, and online advertising
- Unsolicited print newspaper mail outs 
- Producing biased, misleading or inaccurate news about candidates
- Omitting coverage of foreign influence campaigns
- Producing “filler” content to emulate legitimate local news publications

U.S. Elections 2024: What To Do About Pink Slime Overtaking Local News?

Threat actors have the banking industry in their sights. The lucrative outcomes that a successful attack on an organization can provide and the industry’s growing digitization have created the perfect storm of motivation and opportunity for threat actors. For ransomware alone, Intel 471 observed a 125% increase in the number of victims from 2022-2023. When the threat looms so close and stakes are so high, those within the industry must ensure they are updating their knowledge of the cyber threat landscape they face. 

Join Intel 471’s Ashley Bather as she provides a synopsis of the top five threats to the banking industry. The webinar will include:

- A snapshot of critical threats to the sector
- Real world examples of attacks
- TTPs used by attackers

On the Money: The Top Cyber Threats to the Banking Industry

Malware attacks continue to increase in velocity and sophistication. No industry is safe from being targeted by the threat actors driving them. Invaluable insights and details about a cyber incident can be gleaned through malware analysis but it can be an intimidating topic, especially to those new to the field. But fear not! Intel 471 are here to share their experience and expertise in their upcoming webinar. Join us to understand the basics of malware, with a focus on the details that assist in advancing an investigation, rather than understanding every technical aspect of the malware.

Malware 101: Power up your investigations; Protect your organization.

Happy Hunting

Learn how APT38, North Korea's Financial Cyber Heist Experts, steals millions--and how to use cyber threat intelligence to stay ahead of these attackers.

APT38, known for stealing millions in high-profile financial attacks like the $81M Bangladesh Bank heist, is no ordinary adversary. This state-sponsored group excels at using zero-days and firewall evasion techniques to bypass detection and target financial institutions worldwide.

In the latest "Happy Hunting" episode, Lee Archinal explores APT38’s sophisticated methods and explains why threat intelligence is critical to staying ahead of these attackers. Learn how to hunt for their tactics using the Windows Firewall Rule Added via CMD/PowerShell Hunt Package on the 471HUNTER Platform.

Get a free 471HUNTER Community Account to access this hunt package and more: https://intel471.com/hunter-community-platform

Happy Hunting | Unmasking APT38 - North Korea’s Financial Cyber Heist Experts

APT 38

Threat Hunting

Threat Intelligence

Cyber Threats

Cyber Crime

Cyber Security

APT38

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Happy Hunting | Unmasking APT38 - North Korea’s Financial Cyber Heist Experts

Presented by

About this talk

Intel 471