Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



North Korea-linked Lazarus Hackers Update Arsenal of Hacking Tools

Recent cyberattacks associated with the North Korea-linked Lazarus group have used an evolved backdoor, along with a Remote Controller tool, Trend Micro reports. 

Recent cyberattacks associated with the North Korea-linked Lazarus group have used an evolved backdoor, along with a Remote Controller tool, Trend Micro reports. 

Targeting financial institutions, the campaign employed watering hole attacks and an evolved variant of the Lazarus-linked RATANKBA Trojan, which is capable of delivering multiple payloads, including hacking tools and software targeting banking systems. 

The Lazarus group has been active since at least 2009 and is believed to be backed by the North Korean government. The threat actor has targeted government, military, media, aerospace, financial and manufacturing organizations, and is believed to be the most serious threat against banks

Servers the group used as part of the recently observed campaign for temporarily holding stolen data allowed security researchers to gain insight into attacks and victims. Thus, they discovered that around 55% of the victims were located in India and neighboring countries and that most of them didn’t use enterprise versions of Microsoft software. 

In a December 2017 report, Proofpoint researchers revealed that Lazarus had started targeting individuals, and that a new Windows executable downloader and a new first-stage implant were being used in attacks. 

“Less than 5% of the victims were Microsoft Windows Enterprise users, which means that currently, RATANKBA mostly affects smaller organizations or individual users, not larger organizations. It’s possible that Lazarus is using tools other than RATANKBA to target larger organizations,” Trend Micro says

By looking at the victims’ IP addresses, the security researchers also determined that none can be associated with a large bank or a financial institution. However, victims that are likely employees of web software development companies in India and South Korea appear to have been targeted.

The hackers delivered the RATANKBA malware to their intended targets via malicious Office documents (containing topics related to software development or digital currencies), CHM files, and script downloaders. The goal of the attacks was to install the RATANKBA backdoor onto the victims’ machines to steal user information and execute commands on the system. 

The hackers use a Remote Controller tool to send jobs to compromised endpoints. Through the controller, attackers queue tasks on the main server, and RATANKBA connects to this server to retrieve the tasks and execute it. This means that real-time communication between the backdoor and the attacker isn’t employed. 

The controller provides a graphical UI interface and allows the attacker to both push code to the server and download victim profiles from it. 

The RATANKBA variant used in these attacks was written in Powershell, an evolution from the original variant, which was in PE form. The new malware iteration is more difficult to detect. 

The members of the Lazarus group, Trend Micro says, appear to be native Korean speakers, “or at least have Korean language proficiency that is at the near-native level.” At least one of them is believed to also understand Chinese. The group appears interested in crypto-currencies such as Bitcoin (BTC) and Ant Share (NEO). 

“Given Lazarus’ use of a wide array of tools and techniques in their operations, it’s reasonable to assume that the group will continue to use ever-evolving tactics in their malicious activities. Overall, an organization will need multilayered security strategies, as Lazarus and other similar groups are experienced cybercriminals who employ different strategies to get past organizational defenses,” the researchers conclude. 

Related: Taiwan Bank Heist Linked to North Korean Hackers

Related: U.S. Government Shares Details of FALLCHILL Malware Used by North Korea

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.