
Contopee

Posted: August 19, 2019

The APT38 (Advanced Persistent Threat) group is believed to originate from North Korea, and its name has been connected to several high-profile attacks against financial institutions worldwide. One of its biggest hits was against a Bangladesh bank: the criminals reportedly stole over $81 million from the Bangladesh Central Bank, and also attempted a fraudulent transfer worth $1 million from a Vietnamese financial institution. The group is known for long-term campaigns and for malware tools that let it cover its tracks and keep a low profile on compromised systems.

APT38 Brings Contopee to Compromised Bank Computers

One of the latest tools believed to be part of APT38's toolkit is the Contopee backdoor Trojan. Closer inspection of the backdoor's behavior and code revealed many similarities with projects of the Lazarus group, another North Korea-based APT that has been involved in high-profile attacks such as the one against Sony Entertainment. It is likely that APT38 and Lazarus share code, or even some members.

The purpose of the Contopee Trojan is to establish persistence on the compromised system and then connect to the attacker's control server. It then gathers a basic system fingerprint (username, OS version, hardware, software configuration, services, etc.) and sends the collected data to that server. Once this task is complete, the Contopee backdoor serves a rather basic but sinister purpose: it enables the attackers to:

  • Download, move, delete, upload, and execute files.
  • Manage running processes.
  • Change the running directory of the Trojan.
  • Create new folders.

Despite its limited functionality, the Contopee backdoor is well suited to attacks on financial institutions: the attackers can use it for reconnaissance, to deploy additional threats, or to cover their tracks.
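As an added illustration from the defender's side (this is example code written for this page, not code from the original article and not derived from any Contopee sample), the Python script below models the behaviour chain described above as four detection stages over endpoint telemetry: a persistence change, an outbound connection to a non-local address, a burst of system-fingerprint queries after that connection, and finally a remote-controlled file or process operation. A process is flagged only when it completes the whole chain in order, which keeps a benign updater (which beacons and checks the OS version but never installs persistence) from firing. The event schema, field names, process ids and IP addresses are all constructed for the example; a real EDR would supply its own event format.

```python
"""Behaviour-chain correlator for a Contopee-style backdoor (constructed example).

Stages, taken from the capabilities described in the article:
  persistence  -> run-key write, service install or scheduled task
  c2           -> outbound connection to an address outside the local network
  fingerprint  -> queries for username / OS version / hardware / software / services
  remote_op    -> file download/upload/move/delete, process control, mkdir, chdir
Everything below (event types, keys, sample values) is a hypothetical schema.
"""
from collections import defaultdict
import ipaddress

PERSISTENCE_EVENTS = {"registry_set", "service_install", "scheduled_task"}
RUN_KEY_MARKER = "\\currentversion\\run"          # registry writes count only for Run keys
FINGERPRINT_ITEMS = {"username", "os_version", "hardware", "installed_software", "services"}
REMOTE_OPS = {"file_download", "file_upload", "file_move", "file_delete",
              "process_create", "process_kill", "dir_create", "chdir"}

# Local ranges listed explicitly: ipaddress.is_private also covers the documentation
# ranges (203.0.113.0/24 etc.) used as constructed sample values below.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip_str):
    """True when the destination lies outside the local/loopback/link-local ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in LOCAL_NETS)


def stage_of(event):
    """Map one telemetry event to a detection stage, or None if it is uninteresting."""
    etype = event["type"]
    if etype in PERSISTENCE_EVENTS:
        if etype != "registry_set" or RUN_KEY_MARKER in event.get("key", "").lower():
            return "persistence"
        return None
    if etype == "net_connect" and is_external(event["dst"]):
        return "c2"
    if etype == "sysinfo_query" and event.get("item") in FINGERPRINT_ITEMS:
        return "fingerprint"
    if etype in REMOTE_OPS:
        return "remote_op"
    return None


def correlate(events, min_fingerprint_items=3):
    """Return {pid: sorted stage names} for processes completing the full chain.

    Order matters: fingerprint queries must follow the first external connection,
    and a remote operation must follow the last of those fingerprint queries.
    """
    per_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            per_pid[ev["pid"]].append((ev["ts"], stage, ev))

    hits = {}
    for pid, timeline in per_pid.items():
        stages = {s for _, s, _ in timeline}
        if "persistence" not in stages or "c2" not in stages:
            continue
        first_c2 = min(ts for ts, s, _ in timeline if s == "c2")
        fp_after_c2 = [(ts, ev["item"]) for ts, s, ev in timeline
                       if s == "fingerprint" and ts > first_c2]
        if len({item for _, item in fp_after_c2}) < min_fingerprint_items:
            continue
        last_fp = max(ts for ts, _ in fp_after_c2)
        if any(s == "remote_op" and ts > last_fp for ts, s, _ in timeline):
            hits[pid] = sorted(stages)
    return hits


# Constructed sample telemetry. pid 4242 walks the whole chain; pid 100 is a benign
# updater (beacon + version check + download, no persistence); pid 555 only sets a Run key.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 4242, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "svchelper"},
    {"ts": 2, "pid": 4242, "type": "net_connect", "dst": "203.0.113.45", "port": 443},
    {"ts": 3, "pid": 4242, "type": "sysinfo_query", "item": "username"},
    {"ts": 4, "pid": 4242, "type": "sysinfo_query", "item": "os_version"},
    {"ts": 5, "pid": 4242, "type": "sysinfo_query", "item": "services"},
    {"ts": 6, "pid": 4242, "type": "file_download", "path": r"C:\Users\Public\stage2.dll"},
    {"ts": 7, "pid": 4242, "type": "process_create", "image": r"C:\Users\Public\stage2.dll"},
    {"ts": 1, "pid": 100, "type": "net_connect", "dst": "198.51.100.7", "port": 443},
    {"ts": 2, "pid": 100, "type": "sysinfo_query", "item": "os_version"},
    {"ts": 3, "pid": 100, "type": "file_download", "path": r"C:\ProgramData\update.msi"},
    {"ts": 1, "pid": 555, "type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "value": "tray"},
]

if __name__ == "__main__":
    for pid, stages in correlate(SAMPLE_EVENTS).items():
        print(f"pid {pid}: backdoor behaviour chain complete ({', '.join(stages)})")
```

The ordering constraints are what give the rule its precision: each stage on its own (a Run-key write, an outbound TLS connection, a `whoami`-style query) is common in legitimate software, and it is the sequence persistence, beacon, fingerprint, remote command from one process that matches the behaviour the article describes.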
