New North Korean Hidden Cobra / Lazarus Campaign Targets Financial Institutions in Turkey
Hidden Cobra, also known as the Lazarus Group from North Korea, is now targeting the Turkish financial system with a new and ‘aggressive’ operation that resembles earlier attacks against the global SWIFT financial network.
An analysis published by Ryan Sherstobitoff, senior analyst for major campaigns at McAfee, says McAfee believes this operation is intended to gain access to specific Turkish financial organizations via targeted spear-phishing, using a weaponized Word document containing an embedded Flash exploit. The Flash vulnerability only surfaced at the end of January 2018, but is thought to have been exploited by North Korean actors since mid-November 2017. It was patched by Adobe within a week, but any computer that has not yet updated Flash to the latest version remains vulnerable.
McAfee’s report on the campaign says that one government-controlled financial organization, a government organization involved in finance and trade, and three large financial organizations are victims of the attack — which occurred on March 2 and 3. In this attack, the Flash exploit drops the Bankshot implant, a RAT that gives the attacker full capability on a victim’s system.
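The delivery vehicle described above, a Word document carrying a Flash object, leaves a recognizable footprint inside the OOXML container. The following Python script is an added defensive illustration, not code from the McAfee report or from SecurityWeek: it opens a .docx as a zip archive, looks for ActiveX parts that declare the Shockwave Flash control CLSID, pulls out the control's Movie property (the SWF it loads), and checks every part for an SWF file signature. The two sample documents are constructed in memory; the URL and part names in them are placeholders, not indicators from this campaign.

```python
import io
import re
import zipfile

# CLSID that OOXML ActiveX parts (word/activeX/activeXN.xml) use for the
# Shockwave Flash control. A business document has no reason to carry it.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"

# SWF file signatures: uncompressed, zlib-compressed and LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# Extracts the Flash control's "Movie" property (the SWF path or URL it loads).
MOVIE_RE = re.compile(r'ax:name="Movie"\s+ax:value="([^"]*)"')


def scan_docx_for_flash(data: bytes) -> list:
    """Return human-readable findings for a .docx supplied as bytes."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid OOXML (zip) container"]
    with archive:
        for name in archive.namelist():
            blob = archive.read(name)
            # 1. An ActiveX part that declares the Flash control.
            if name.startswith("word/activeX/") and name.endswith(".xml"):
                text = blob.decode("utf-8", errors="replace")
                if FLASH_CLSID.lower() in text.lower():
                    movie = MOVIE_RE.search(text)
                    target = movie.group(1) if movie else "<no Movie property>"
                    findings.append(f"{name}: Shockwave Flash ActiveX control, Movie={target}")
            # 2. Any part that is itself an SWF file.
            if blob[:3] in SWF_MAGICS:
                findings.append(f"{name}: embedded SWF ({blob[:3].decode('ascii')})")
    return findings


def build_sample_docx(with_flash: bool) -> bytes:
    """Construct a minimal .docx in memory; with_flash adds a Flash ActiveX part and an SWF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            # Placeholder URL, constructed for the demo; not an indicator from the campaign.
            zf.writestr(
                "word/activeX/activeX1.xml",
                f'<ax:ocx ax:classid="{{{FLASH_CLSID}}}">'
                '<ax:ocxPr ax:name="Movie" ax:value="http://example.invalid/sample.swf"/>'
                "</ax:ocx>",
            )
            # A fake zlib-compressed SWF: only the signature matters for this check.
            zf.writestr("word/embeddings/oleObject1.bin", b"CWS\x0a" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flagged in (("clean", False), ("flash", True)):
        result = scan_docx_for_flash(build_sample_docx(flagged))
        print(f"{label}: {result or 'no Flash content found'}")
```

A check like this runs before any rendering of the document, so it is unaffected by the exploit evading antivirus signatures; it flags the presence of Flash content at all, which for most organizations is a policy violation regardless of whether the SWF is malicious.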
US-CERT issued a malware analysis report (MAR) on Bankshot (PDF) in December 2017. The report describes Bankshot as malware used by the North Korean government, whose cyber activity is conducted by actors US-CERT calls Hidden Cobra. McAfee says the variant it has analyzed “is 99% similar to the documented Bankshot variants from 2017.”
In the spear-phishing campaign, the Bankshot implant was associated with a Word document with the filename Agreement.docx. It masquerades as an agreement template for Bitcoin distribution. Once activated, malicious DLLs are downloaded from falcancoin.io — a lookalike domain name to the legitimate cryptocurrency-lending platform Falcon Coin.
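The lookalike domain in this delivery chain (falcancoin.io standing in for Falcon Coin) is the kind of thing a DNS or proxy log review can catch. The Python below is an added example, not code from the McAfee report or from SecurityWeek: it computes the edit distance between the registrable label of each queried hostname and a watchlist of brand names and flags near-misses, while leaving exact matches alone. The watchlist entry falconcoin, the log lines and the other hostnames are constructed for the demo; the page does not state Falcon Coin's real domain, so www.falconcoin.io is an assumption.

```python
import re

# Brand tokens to protect. Constructed watchlist; 'falconcoin' is assumed
# from the platform name given in the article.
BRANDS = ["falconcoin"]

# Constructed DNS query log, one query per line.
SAMPLE_DNS_LOG = """\
2018-03-02T09:14:07Z host1 query=www.falconcoin.io
2018-03-02T09:15:22Z host2 query=falcancoin.io
2018-03-02T09:16:03Z host2 query=update.example.com
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(hostname: str) -> str:
    """Second-level label of a hostname ('falcancoin' for 'cdn.falcancoin.io').
    Deliberately naive: assumes a single-label public suffix (.io, .com)."""
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_lookalikes(hostname: str, brands, max_distance: int = 2) -> list:
    """Return (brand, distance) pairs for brands the hostname nearly matches.
    Distance 0 is the brand's own domain and is not reported."""
    label = registrable_label(hostname)
    hits = []
    for brand in brands:
        d = levenshtein(label, brand)
        if 0 < d <= max_distance:
            hits.append((brand, d))
    return hits


def flag_log(log_text: str, brands) -> list:
    """Scan query=<host> fields in the log and return flagged hosts with their hits."""
    flagged = []
    for line in log_text.splitlines():
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        host = m.group(1)
        hits = find_lookalikes(host, brands)
        if hits:
            flagged.append((host, hits))
    return flagged


if __name__ == "__main__":
    for host, hits in flag_log(SAMPLE_DNS_LOG, BRANDS):
        print(f"possible lookalike: {host} -> {hits}")
```

Edit distance alone will not catch homoglyph substitutions (Cyrillic letters, digit-for-letter swaps) or added words; a production check would normalize those first and use a proper public-suffix list in place of the naive label split.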
The DLLs communicate with three control servers (the URLs are hardcoded in the implants’ code), two of them Chinese-language online gambling sites. Based on the response received from the control server, the malware can carry out a wide range of malicious tasks centered on gathering system data and controlling system processes. It also contains two methods of file deletion capable of erasing evidence of presence and other destructive actions. After every action, the malware sends a response to the control server indicating whether the action was successful.
Hidden Cobra has been linked to several attacks against financial institutions. “This implant has been connected to a major Korean bank attack and is also known as Trojan Manuscript,” writes Sherstobitoff. “That variant contained the capability to search for hosts related to the SWIFT network and the same control server strings as the variant we found targeting the Turkish financial sector.”
North Korean actors are credited with the 2015/2016 attacks on the SWIFT network. No evidence was found to suggest that this version is designed to conduct financial transactions; “rather,” writes Sherstobitoff, “it is a channel into the victim’s environment, in which further stages of implants can be deployed for financial reconnaissance.”
McAfee is confident that it has uncovered a new Hidden Cobra (i.e., North Korean government) reconnaissance campaign against Turkish financial institutions. In February, the Winter Olympic Games held in South Korea were hit by cyber-attacks dubbed Olympic Destroyer. Many commentators assumed the attacks came from North Korea — an assumption supported by indicators within the malware.
By mid-February, Recorded Future warned against hasty attribution for Olympic Destroyer, despite the presence of code fragments previously used by North Korean actors. “The co-occurrence of code overlap in the malware,” wrote Recorded Future, “may be indicative of a false flag operation, attempting to dilute evidence and confuse researchers.”
More recently, Kaspersky Lab concluded that despite the presence of a unique fingerprint tying Olympic Destroyer to Lazarus (Hidden Cobra), there is other evidence suggesting the involvement of the Russian group known as Sofacy or APT28. One possible scenario is that the Russian hackers attempted to frame Lazarus for the attack after the North Korean group tried to pin one of its own campaigns on Russian actors.
Given the relative ease and increasing frequency of so-called ‘false flag’ cyber-attacks, SecurityWeek asked McAfee how certain it is that Hidden Cobra is the group behind the Turkish attacks. “McAfee takes attribution very seriously,” replied Ryan Sherstobitoff. “As such, McAfee Advanced Threat Research analysis and conclusions are based on multiple indicators. While the private sector can rarely claim 100% confidence in attack attribution without access to the same resources possessed by government and law enforcement agencies, we can say that the code and target similarities between the malicious files uncovered in this campaign and earlier attacks publicly attributed to Hidden Cobra by the United States Government are very strong indicators of the acting group.”
“We have found,” concludes McAfee, “what may be an early data-gathering stage for future possible heists from financial organizations in Turkey (and possibly other countries).” It warns that the attack has a high chance of success against victims with an unpatched version of Flash. “Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal.”