
CHEESETRAY

Posted: November 15, 2019

APT38 (also known as Lazarus Group) is an Advanced Persistent Threat hacking group that works in close cooperation with the North Korean government. Most of their attacks appear to be financially motivated, and it is not uncommon to see them target the networks of major banks and financial institutions. Since the goal of their attacks is to generate profit, the hackers often spend months collecting information about their target's infrastructure before dropping the major payloads that will help them execute their devious deeds.

The CHEESETRAY Backdoor Uses Either Passive or Active Mode

One of the tools that have been seen on some of the computers compromised by the APT38 hacking group is called CHEESETRAY, and it appears to be a feature-rich backdoor whose purpose is to give its operators long-term access to the hacked computer's tools and services.

The CHEESETRAY backdoor is a rather interesting project, and it seems to be one of the group's primary tools in their current campaigns. The backdoor is able to function in either active or passive mode; the mode is chosen according to the computer it has infiltrated. But what is the difference between these two modes?

  • Active backdoors – They communicate with a remote Command & Control server, transmitting information about the compromised host and other data. They maintain an 'active' network connection that is often easy to spot with network packet analysis software.
  • Passive backdoors – These backdoors are meant to stay dormant, and they usually function by waiting for a special message (also called a 'magic packet') sent to a specific network port. Backdoors functioning in passive mode are difficult to spot via traditional network analysis methods, since the footprint they leave behind is minimal.
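The two modes leave different network footprints, and the following added example (not code from the original page, and not tied to any real CHEESETRAY indicator) shows the kind of heuristic a defender can run over flow logs to surface each one: near-constant outbound check-in intervals for active mode, and an inbound connection to a port the host is not expected to serve followed by an outbound reply for passive mode. The flow records, hosts, ports and the EXPECTED_LISTENERS allowlist are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log (not real telemetry): (timestamp_s, src, dst, dst_port, direction)
FLOWS = [
    # active mode: regular outbound check-ins from 10.0.0.5 to one external peer
    (0,    "10.0.0.5", "203.0.113.9", 443, "out"),
    (600,  "10.0.0.5", "203.0.113.9", 443, "out"),
    (1200, "10.0.0.5", "203.0.113.9", 443, "out"),
    (1800, "10.0.0.5", "203.0.113.9", 443, "out"),
    # passive mode: one inbound packet to an unexpected port, then an outbound session
    (900,  "198.51.100.4", "10.0.0.7", 4455, "in"),
    (905,  "10.0.0.7", "198.51.100.4", 4455, "out"),
    # benign: irregular browsing from 10.0.0.9
    (10,   "10.0.0.9", "192.0.2.10", 443, "out"),
    (130,  "10.0.0.9", "192.0.2.10", 443, "out"),
    (700,  "10.0.0.9", "192.0.2.10", 443, "out"),
]

# Assumed allowlist: (host, port) pairs that are legitimately listening
EXPECTED_LISTENERS = {("10.0.0.7", 443)}


def find_beacons(flows, min_count=4, max_jitter=0.1):
    """Active mode: flag (src, dst, port) tuples whose outbound connection
    intervals are near-constant (coefficient of variation <= max_jitter)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, direction in flows:
        if direction == "out":
            by_pair[(src, dst, port)].append(ts)
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(pair)
    return hits


def find_passive_triggers(flows, expected=EXPECTED_LISTENERS, window=60):
    """Passive mode: flag an inbound flow to a port the host is not expected to
    serve when that host opens an outbound flow to the same peer within `window` s."""
    hits = []
    for ts, src, dst, port, direction in flows:
        if direction != "in" or (dst, port) in expected:
            continue
        for ts2, src2, dst2, _, dir2 in flows:
            if dir2 == "out" and src2 == dst and dst2 == src and 0 <= ts2 - ts <= window:
                hits.append((dst, port, src))
                break
    return hits
```

Real deployments would feed this from NetFlow or firewall logs and tune min_count, max_jitter and the allowlist per environment; the passive-mode check in particular depends on an accurate inventory of which ports each host should be serving.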

Regardless of the method used, the CHEESETRAY backdoor packs the same features that enable its operator to perform the following tasks:

  • List running processes.
  • Receive information about the file system (folder names, file names, etc.).
  • Monitor Remote Desktop sessions.
  • Upload files to the compromised host or download files from a specified URL.
  • Delete files.
  • Send remote shell commands.
  • Inject the backdoor's code into a legitimate process.

APT38 is one of the most sophisticated threat actors active in the cybercrime scene at the moment, and they continue to impress malware researchers with the innovative features they implement in their threatening tools.
