
CLEANTOAD

Posted: November 14, 2019

APT38, also known as the Lazarus Group, is one of the threat actors to have received a lot of media attention in the past few years. The group's members are believed to originate from North Korea, and cybersecurity experts suspect that it works in close cooperation with the North Korean government. APT38 is certainly not the only cybercrime group operating out of North Korea – the country is also home to APT37, also known as ScarCruft or Group123, a team of hackers that specializes in highly destructive malware employed in attacks against the manufacturing, chemicals, automotive, aerospace and healthcare industries.

APT38 Uses CLEANTOAD to Erase Traces of Its Activities

APT38, in particular, focuses on a different kind of campaign – its attacks are almost always financially motivated, and its preferred targets are banks and financial institutions. Lazarus Group attacks usually take a long time to execute, and the cybercriminals use a wide range of hacking tools to achieve their goals without attracting too much attention – it is not uncommon for APT38 to use multiple payloads, each playing a role in a different stage of the attack. One of these payloads is CLEANTOAD, a threat that is typically used during the last stages of the criminal operation.

Malware researchers found remnants of CLEANTOAD on systems that had often previously been infected by the BLINDTOAD loader. However, it is also possible that the CLEANTOAD cleaning tool is used separately, alongside other malware. The purpose of this hacking tool is to ensure that as little evidence as possible is left behind – it uses an advanced shellcode injection technique to insert its code into the legitimate 'notepad.exe' process. This helps the malware stay under the radar of anti-virus products, and it also avoids attracting attention if a person reviews the running processes manually. Once injected successfully, the CLEANTOAD malware sets out to:

  • Load a local configuration file that tells the malware when it should run (specified date and time).
  • Modify pre-defined Windows Registry keys.
  • Manipulate Windows Services – stop them from running or delete them entirely.
  • Clear all Windows Event Logs.
  • Overwrite or delete certain files specified by the configuration file – usually files that were involved in the attack.
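Each of the steps listed above leaves a footprint in Windows telemetry, which is what a defender can key on. The script below is an added example written for this article, not code from the original page or from any analysis of CLEANTOAD itself. It assumes events from the Security, System and Sysmon channels have already been exported as Python dicts, that Sysmon is installed (Event ID 8 CreateRemoteThread, 13 RegistryEvent value set, 23 FileDelete), and uses the documented Security 1102 / System 104 "log cleared" and System 7036 service-state events. The sample events, host names and file paths are constructed for the demonstration.

```python
"""Correlate the anti-forensic behaviours described above on a per-host basis.

Added example (not the article's or any vendor's code). Event records are dicts
with host, ISO-8601 time, channel, event_id and a data mapping; the values below
are constructed and do not come from a real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NOTEPAD = "notepad.exe"
WINDOW = timedelta(minutes=15)  # how close together the indicators must occur

# Constructed sample telemetry: WS01 shows an ordinary service start, FS02 shows
# the sequence the article describes (injection into notepad.exe, a service
# stopped, an HKLM registry write, a file deleted, the Security log cleared).
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2019-11-14T09:00:00", "channel": "System",
     "event_id": 7036, "data": {"param1": "Windows Update", "param2": "running"}},
    {"host": "FS02", "time": "2019-11-14T02:10:00",
     "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 8,
     "data": {"SourceImage": r"C:\Users\Public\svc.exe",
              "TargetImage": r"C:\Windows\System32\notepad.exe"}},
    {"host": "FS02", "time": "2019-11-14T02:10:05", "channel": "System",
     "event_id": 7036, "data": {"param1": "Windows Event Log", "param2": "stopped"}},
    {"host": "FS02", "time": "2019-11-14T02:10:07",
     "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13,
     "data": {"Image": r"C:\Windows\System32\notepad.exe",
              "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Start"}},
    {"host": "FS02", "time": "2019-11-14T02:10:09",
     "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 23,
     "data": {"Image": r"C:\Windows\System32\notepad.exe",
              "TargetFilename": r"C:\Users\Public\loader.dll"}},
    {"host": "FS02", "time": "2019-11-14T02:10:12", "channel": "Security",
     "event_id": 1102, "data": {}},
]


def classify(ev):
    """Map one event to an indicator name, or None if it is not of interest."""
    ch, eid, d = ev["channel"], ev["event_id"], ev["data"]
    image = d.get("Image", "").lower()
    if (ch == "Security" and eid == 1102) or (ch == "System" and eid == 104):
        return "event_log_cleared"            # audit / system log cleared
    if ch.endswith("Sysmon/Operational"):
        if eid == 8 and d.get("TargetImage", "").lower().endswith(NOTEPAD):
            return "remote_thread_into_notepad"  # injection into notepad.exe
        # Notepad legitimately writes its own settings under HKCU, so only
        # machine-wide (HKLM) writes from it are treated as suspicious.
        if eid == 13 and image.endswith(NOTEPAD) and d.get("TargetObject", "").startswith("HKLM"):
            return "notepad_registry_write"
        if eid == 23 and image.endswith(NOTEPAD):
            return "notepad_file_delete"
    if ch == "System" and eid == 7036 and d.get("param2") == "stopped":
        return "service_stopped"
    return None


def correlate(events, window=WINDOW):
    """Return {host: sorted indicators} for hosts where a log clear coincides
    with at least two other indicators inside the time window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), tag))
    alerts = {}
    for host, hits in by_host.items():
        start = hits[0][0]                      # window anchored on first hit
        tags = {t for ts, t in hits if ts - start <= window}
        if "event_log_cleared" in tags and len(tags) >= 3:
            alerts[host] = sorted(tags)
    return alerts


if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```

A single 1102 event is noisy on its own (administrators do clear logs), which is why the rule insists that the clear coincides with injection into notepad.exe, service tampering or deletions from the same host; forwarding the Security and System channels to a collector before they can be cleared is what makes the 1102/104 events survive at all.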

CLEANTOAD Is Another Proof of APT38's Tendency to Be Involved in Covert Operations

APT38's attacks are fine-tuned to the smallest detail, and the use of the CLEANTOAD malware is clear proof of this. The crooks specialize in long-term reconnaissance and data exfiltration attacks, and it is essential for them to stay undetected for as long as possible – what better way to do this than to use a specialized tool like CLEANTOAD to remove all traces of their activities?
