APT38 DarkSeoul

TTP Tuesday: APT38 - DarkSeoul

Downloaders, packers, and wipers - oh my!

Theme Overview

Our last release looked at APT40 harvesting credentials and exfiltrating potentially interesting documents.

For this week’s TTP Tuesday we are releasing a new APT38 themed chain based on Castov malware used by DarkSeoul (APT 38) to target South Korean financial industry and government targets.


Castov was used extensively by DarkSeoul as a downloader for second stage malware. The initial infection vector, in the case of the 2013 DDoS against the South Korean government, was a trojanized file downloaded from a compromised server.

When executed, Castov downloads and unpacks a second stage Castov payload hidden in a JPG file. Once unpacked, the second stage malware downloads a second packed JPG over the TOR network that contains the final payload - a DDoS malware.

In this week’s chain, we’re simulating the downloader and compression packer functionality seen in Castov.

Introducing CastOff packer

CastOff is a simple tool for downloading files and packing (or unpacking) a payload within a file and is inspired by the high-level behavior of Castov. The application works by appending compressed data to the end of a file.

In this week’s chain, we’re downloading JPG files that contain a Pneuma agent. You’ll be able to simulate http network traffic that downloads a packed JPG (from Operator), and then unpack the file to extract the second stage malware.

As a bonus, CastOff can be used to pack or unpack files of your own. Just use the help menu to get started.

Introducing CastOut wiper

No talk of DarkSeoul is complete without wipers!

Wipers are destructive malware that are intended to erase disk contents or disk structure, such as the Master Boot Record or partition table.

The DarkSeoul Windows wiper, discussed in the SANS paper Tracing the Lineage of DarkSeoul, is an MBR wiper that wipes all attached and removable disks from B - Z. On each disk the MBR is overwritten with the string PRINCIPES or HASTATI, and minor variations on them.

This week we’re releasing CastOut, a simple MBR wiper, to simulate the DarkSeoul wiper. CastOut will overwrite the MBR on the infected host’s primary physical disk with the string PRINCIPES. Once complete, the system is rebooted into an unrecoverable state.

WARNING: CastOut will overwrites the MBR of your system’s primary disk. The disk cannot be booted - assume complete loss of data.

Thanks for reading! We’ll be back next week with more examples of APT38 tradecraft!

Watch a demonstration: APT38 DarkSeoul

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.1)
Learn about Operator


Stage CastOff downloader
Download PneumaEX packed JPG
Unpack PneumaEX JPG
Download CastOut MBR wiper packed JPG
Unpack CastOut MBR wiper
Spawn elevated Pneuma via UAC prompt
Spawn elevated CastOut MBR wiper via UAC prompt