Detection Content: APT38 Malware

We recently published a rule to detect one of the latest tools of the notorious APT38 group, better known as Lazarus or Hidden Cobra, and it is time to continue publishing content for discovering this sophisticated cybercriminal group. In today’s article, we provide links to fresh detection content from one of the first participants in the SOC Prime Threat Bounty Program, Lee Archinal. Lee published two rules that detect the Bitsran and Bistromath malware used by APT38 in recent attacks.

Bistromath is a full-featured RAT whose implant provides standard system management, control, and reconnaissance. Initial infection is carried out via a malicious executable. Network communications are encrypted with XOR. The discovered Bistromath samples attempt to evade analysis in common sandboxes through multiple artifact checks (presence of specific devices, registry entries, processes, and files). The malware is capable of file and process manipulation, data exfiltration, CMD shell use, spying, keylogging, browser hijacking, and more.

Bitsran is a dropper and spreader component for the Hermes 2.1 ransomware radical edition. It is designed to run and spread a malicious payload on the victim’s network. On execution, the malware places a copy of itself into the TEMP location. The malware then enumerates all processes, searching for specific anti-virus processes, and attempts to kill them using the command-line tool taskkill. After that, Bitsran extracts and executes the final payload. While this additional payload is executing, the initial malware attempts to copy itself to other devices on the network. Two user accounts are hardcoded into the malware and are used to establish connections to the C$ SMB shares on Windows devices.
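To show what the Sysmon-based behaviour detections described here look like in practice, the following is an added example (it is not Lee Archinal's rule content or SOC Prime's code). It runs a small set of checks over constructed Sysmon-shaped records and flags the Bitsran behaviours named above (executable dropped into TEMP, taskkill against security processes, SMB connections to port 445 from a process running out of TEMP) together with the two persistence techniques tagged on the rules, Run keys (T1060) and scheduled tasks (T1053). The field names follow Sysmon's event schema; the sample events, the list of security-product process names, and the host addresses are made up for the example.

```python
"""Added example: toy detection pass over constructed Sysmon-shaped events.

Not SOC Prime's or Lee Archinal's rule content. Event dicts mimic Sysmon
EventIDs 1 (process create), 3 (network connect), 11 (file create) and
13 (registry value set). All sample values below are constructed.
"""
import re

# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /f /im MsMpEng.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "DestinationIp": "10.0.0.7", "DestinationPort": 445},
    # Benign noise that must not fire: an admin killing notepad, a browser on 443.
    {"EventID": 1, "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /im notepad.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

# Sample list of security-product process names (assumption; tune locally).
SECURITY_PROCESSES = {"msmpeng.exe", "avp.exe", "ekrn.exe", "mcshield.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)


def _in_temp(path):
    """True when a path or command line references a TEMP directory."""
    return bool(TEMP_RE.search(path or ""))


def detect(event):
    """Return the list of rule names an event triggers (empty if none)."""
    hits = []
    eid = event.get("EventID")
    image = (event.get("Image") or "").lower()
    cmd = event.get("CommandLine") or ""
    target = event.get("TargetFilename") or ""
    # Bitsran copies itself into TEMP before doing anything else.
    if eid == 11 and _in_temp(target) and target.lower().endswith(".exe"):
        hits.append("exe_dropped_in_temp")
    # taskkill aimed at a security product, whichever switch order is used.
    if eid == 1 and image.endswith("\\taskkill.exe"):
        m = re.search(r"/im\s+(\S+)", cmd, re.I)
        if m and m.group(1).lower() in SECURITY_PROCESSES:
            hits.append("taskkill_security_process")
    # Scheduled task whose action lives in TEMP (T1053).
    if (eid == 1 and image.endswith("\\schtasks.exe")
            and re.search(r"/create\b", cmd, re.I) and _in_temp(cmd)):
        hits.append("scheduled_task_from_temp_T1053")
    # Run key value pointing at an executable in TEMP (T1060).
    if (eid == 13 and RUN_KEY_RE.search(event.get("TargetObject") or "")
            and _in_temp(event.get("Details"))):
        hits.append("run_key_points_to_temp_T1060")
    # SMB (445) connection initiated by a process running out of TEMP: the
    # spreader stage reaching for C$ shares on other hosts.
    if eid == 3 and event.get("DestinationPort") == 445 and _in_temp(image):
        hits.append("smb_from_temp_process")
    return hits


def run_detections(events):
    """Evaluate every event; return (index, rule) pairs for the hits."""
    return [(i, rule) for i, ev in enumerate(events) for rule in detect(ev)]


if __name__ == "__main__":
    for idx, rule in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each check keys on the combination of a process or registry action and a TEMP path, which is what separates Bitsran's chain from ordinary administrative use of taskkill, schtasks, or SMB; the last two sample events show the benign cases passing through unflagged.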

APT38 Bistromath Malware (Sysmon Behavior) by Lee Archinal:

APT38 Bitsran Malware (Sysmon Behavior) by Lee Archinal:

The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint

Tactics: Execution, Persistence, Privilege Escalation

Techniques: Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053)