
Cybercrime

North Korean Hackers Are Back at Targeting Banks

Since February 2020, North Korean state-sponsored hackers have been targeting banks in multiple countries, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM) warn in a joint advisory.

Active since at least 2014 and tracked by the agencies as BeagleBoyz, the group is blamed for numerous attacks on financial institutions worldwide, including the 2016 theft of $81 million from Bangladesh Bank, the FASTCash ATM cash-out scheme, and attacks on cryptocurrency exchanges.

BeagleBoyz, the advisory notes, is a subset of HIDDEN COBRA, the name the U.S. government uses for malicious cyber activity it attributes to the North Korean government. The group's activity overlaps with what industry tracks as Lazarus, APT38, Bluenoroff, and Stardust Chollima.

Since at least 2015, the group has abused compromised bank-operated SWIFT system endpoints and has attempted to steal an estimated $2 billion in total.

“The BeagleBoyz’s bank robberies pose severe operational risk for individual firms beyond reputational harm and financial loss from theft and recovery costs. […] Equally concerning, these malicious actors have manipulated and, at times, rendered inoperable, critical computer systems at banks and other financial institutions,” the joint advisory reads.

The advisory notes that the BeagleBoyz often leave anti-forensic tools on victims' networks and that they deployed a wiper against a bank in Chile in 2018. It also warns that the group's ability to "exploit critical banking systems may erode confidence in those systems and presents risks to financial institutions across the world."

The group has carried out fraudulent ATM withdrawals in more than 30 countries, including the United States.

Since the FASTCash scheme was publicly detailed in October 2018, the group has refined the capability: it developed malware that targets payment switch applications running on Windows servers (earlier variants targeted switch applications on UNIX systems) and expanded the campaign to interbank payment processors.

Following initial intrusion, the operators selectively exploit systems within the compromised environment and employ a variety of techniques to execute code, maintain persistence, escalate privileges, and evade defenses.

Once inside a financial institution's network, the adversaries look for the SWIFT terminal and for the server that hosts the organization's payment switch application. They map the network to enumerate available systems, move laterally, and perform reconnaissance and administrative operations along the way.

The BeagleBoyz use a variety of malware in their attacks, including the CROWDEDFLOUNDER and HOPLIGHT remote access Trojans (RATs) for remote access and data exfiltration, the ECCENTRICBANDWAGON keylogger, and the VIVACIOUSGIFT and ELECTRICFISH network proxy tunneling tools.

In attacks on cryptocurrency exchanges, the hacking group prefers the COPPERHEDGE full-featured RAT, which allows them to run arbitrary commands, perform information harvesting, or exfiltrate data, the U.S. agencies said.

After gaining access to SWIFT terminals and switch application servers, the threat actor monitors the systems to learn their configurations and legitimate usage patterns, and then manipulates transaction processing to enable fraudulent ATM cash-outs.

The FASTCash malware, which intercepts ISO 8583 financial request messages at the payment switch and injects fraudulent response messages, has been used in these attacks against both UNIX and Windows machines. The Windows variant incorporates modified, publicly available code for its hashmaps, its function hooks, and its parsing of ISO 8583 messages.

FASTCash for Windows, the advisory reveals, was designed to inject itself into the running switch application and take control of its send and receive functions in order to manipulate ISO 8583 messages in transit. Two variants were observed, one handling ASCII-encoded messages and the other Extended Binary Coded Decimal Interchange Code (EBCDIC) encoding.
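The following is an added example, not code from the advisory or from FASTCash itself. It shows what "manipulating ISO 8583 messages" involves at the byte level: a minimal message walker that handles both text encodings mentioned above (ASCII, and EBCDIC via Python's cp037 codec), and a correlation check that flags approval responses for which no matching request was seen on the link. The field layout, the card numbers, and the message stream are constructed for illustration; real switch interfaces add length headers, secondary bitmaps, binary fields and dozens more data elements.

```python
"""Minimal ISO 8583 walker for ASCII- and EBCDIC-encoded switch traffic.

Added example, not the advisory's or FASTCash's code. Assumptions (mine): a
4-character MTI, a 16-hex-digit primary bitmap, text encoding throughout, and
only the fields in FIELD_SPECS. Anything else is rejected rather than guessed.
"""

# Field number -> (kind, length). "fixed" = fixed-width text;
# "llvar" = two-digit length prefix followed by up to `length` characters.
FIELD_SPECS = {
    2: ("llvar", 19),   # Primary account number (PAN)
    3: ("fixed", 6),    # Processing code (01xxxx = cash withdrawal)
    4: ("fixed", 12),   # Transaction amount, in minor units
    11: ("fixed", 6),   # Systems trace audit number (STAN)
    39: ("fixed", 2),   # Response code ("00" = approved)
}

ENCODINGS = {"ascii": "ascii", "ebcdic": "cp037"}  # cp037 = EBCDIC (US/Canada)


def build_iso8583(mti: str, fields: dict, encoding: str = "ascii") -> bytes:
    """Serialise MTI + primary bitmap + fields into one encoded message."""
    bitmap = 0
    for n in fields:
        if n not in FIELD_SPECS:
            raise ValueError(f"field {n} not supported in this example")
        bitmap |= 1 << (64 - n)          # bit 1 is the MSB and maps to field 1
    body = mti + f"{bitmap:016X}"
    for n in sorted(fields):
        kind, length = FIELD_SPECS[n]
        value = fields[n]
        if kind == "llvar":
            if len(value) > length:
                raise ValueError(f"field {n} too long")
            body += f"{len(value):02d}{value}"
        else:
            if len(value) != length:
                raise ValueError(f"field {n} must be {length} chars")
            body += value
    return body.encode(ENCODINGS[encoding])


def parse_iso8583(raw: bytes, encoding: str = "ascii") -> dict:
    """Decode one message; fails closed on anything outside FIELD_SPECS."""
    text = raw.decode(ENCODINGS[encoding])
    mti, bitmap, pos = text[:4], int(text[4:20], 16), 20
    if bitmap & (1 << 63):
        raise ValueError("secondary bitmap not supported in this example")
    fields = {}
    for n in range(2, 65):
        if not bitmap & (1 << (64 - n)):
            continue
        if n not in FIELD_SPECS:
            raise ValueError(f"field {n} present but not supported")
        kind, length = FIELD_SPECS[n]
        if kind == "llvar":
            length = int(text[pos:pos + 2])
            pos += 2
            if length > FIELD_SPECS[n][1]:
                raise ValueError(f"field {n} length {length} out of range")
        fields[n] = text[pos:pos + length]
        pos += length
    if pos != len(text):
        raise ValueError("message length does not match bitmap")
    return {"mti": mti, "fields": fields}


def unsolicited_approvals(stream) -> list:
    """Return STANs of approved 0210 responses with no matching 0200 request.

    `stream` is an iterable of (encoding, raw_bytes) in wire order. A host
    only answers requests it received, so an approval with no preceding
    request, or one whose PAN or amount differs from the request, is exactly
    the kind of injected message a switch operator should alert on.
    """
    pending, flagged = {}, []
    for encoding, raw in stream:
        msg = parse_iso8583(raw, encoding)
        f = msg["fields"]
        key = (f.get(11), f.get(2), f.get(4))      # (STAN, PAN, amount)
        if msg["mti"] == "0200":
            pending[key] = True
        elif msg["mti"] == "0210" and f.get(39) == "00":
            if pending.pop(key, None) is None:
                flagged.append(f.get(11))
    return flagged


# Constructed sample traffic (test card numbers, not real accounts).
PAN_A, PAN_B = "4111111111111111", "5500000000000004"
SAMPLE_STREAM = [
    # Legitimate withdrawal: ASCII request, EBCDIC approval echoing every field.
    ("ascii", build_iso8583("0200", {2: PAN_A, 3: "010000", 4: "000000010000", 11: "000123"})),
    ("ebcdic", build_iso8583("0210", {2: PAN_A, 3: "010000", 4: "000000010000", 11: "000123", 39: "00"}, "ebcdic")),
    # Approval for which no request was ever seen.
    ("ascii", build_iso8583("0210", {2: PAN_B, 3: "010000", 4: "000000500000", 11: "000999", 39: "00"})),
    # Request for 20.00 answered with an approval for 9000.00.
    ("ascii", build_iso8583("0200", {2: PAN_A, 3: "010000", 4: "000000002000", 11: "000124"})),
    ("ebcdic", build_iso8583("0210", {2: PAN_A, 3: "010000", 4: "000000900000", 11: "000124", 39: "00"}, "ebcdic")),
]


def demo() -> list:
    return unsolicited_approvals(SAMPLE_STREAM)


if __name__ == "__main__":
    print("suspicious approvals, by STAN:", demo())
```

Run stand-alone, the script reports STANs 000999 and 000124: the first because the approval had no request at all, the second because the approved amount does not match the request. The same request/response correlation, applied at a point the switch process cannot tamper with (a network tap or the issuer side of the link rather than the hooked process itself), is a practical way to catch hooked send/receive functions that fabricate approvals, whichever text encoding the institution's switch uses.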

The advisory provides full technical details on both FASTCash and FASTCash for Windows, along with recommendations for financial institutions and other organizations looking to protect their systems from the BeagleBoyz group.

Related: U.S. Details North Korean Malware Used in Attacks on Defense Organizations

Related: U.S. Cyber Command Shares More North Korean Malware Variants

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
