Connect with us

Hi, what are you looking for?



North Korean Hackers Behind Online Casino Attack: Report

The infamous North Korean hacking group known as Lazarus is responsible for attacking an online casino in Central America, along with various other targets, ESET says.

The infamous North Korean hacking group known as Lazarus is responsible for attacking an online casino in Central America, along with various other targets, ESET says.

The Lazarus Group has been active since at least 2009 and is said to be associated with a large number of major cyber-attacks, including the $81 million cyber heist from Bangladesh’s account at the New York Federal Reserve Bank.

Said to be the most serious threat against banks, the group has shown increased interest in crypto-currencies and has recently updated its arsenal of tools.

ESET now reports that an attack on an online casino in Central America and assaults on various other targets last year are the doings of this group. The attackers used a similar toolset in all incidents, including the KillDisk wiping tool.

Also referred to as Hidden Cobra, the Lazarus Group is said to be backed by the North Korean government. The hackers use a broad range of custom tools, but also leverage various projects that are either available from GitHub or provided commercially.

In the attack against an online casino in Central America, the hackers used various tools alongside the destructive KillDisk disk-wiper. Almost all of the malicious tools wer
e designed to run as a Windows service and require administrator privileges for that, meaning that the attackers expected such privileges, ESET
points out.

Detected as NukeSped, one of the tools is a TCP backdoor. The malware dynamically resolves the required DLL names during initial execution, and also constructs dynamically the procedure names of Windows APIs. The backdoor listens to a specific port that it ensures is not blocked by the firewall.

Advertisement. Scroll to continue reading.

Featuring support for 20 commands with functionality similar to previously analyzed Lazarus samples, the malware can be used to gather information on the system, search for files, create processes, drop files on the infected systems, and inject into Explorer or other processes.

ESET also stumbled upon a session hijacker, a console application capable of creating a process as another currently–logged-in user on the victim’s system, just as the TCP backdoor can upon receiving a specific command from the attackers.

Discovered on the compromised casino’s network, the malware is related to the session hijacker used in the Polish and Mexican attacks, ESET says.

On said network, the security researchers also found a simple command line tool accepting several switches, which was designed to inject into/kill processes, terminate/reinstall services, and drop/remove files.

Two variants of the KillDisk malware were used in the attack, likely unrelated to the iterations previously used in cyber-attacks against high-value targets in Ukraine in December 2015 and December 2016.

The disk wiper was found on over 100 machines in the casino’s network, either to cover an espionage operation, or to extort the victim or sabotage the systems. The use of KillDisk simultaneously with various Lazarus-linked malware suggests that it was this group of hackers who deployed the disk wiper.

Not only do these variants share many code similarities, but they are almost identical to the KillDisk variant that previously targeted financial organizations in Latin America.

ESET also discove
red a series of format strings that allowed them to attribute the discovered malware samples and attacks to the Lazarus Group, and which represent a relevant, static characteristic of the group’s modus operandi, the researchers say.

As part of the attack against said online casino, the actor also used Mimikatz, which can extract Windows credentials, along with a tool designed to recover passwords from popular web browsers. Although dated December 2014, the tool remains efficient against Chrome (64.0.3282.186), Chromium (67.0.3364.0), Edge (41.16299.15.0) and Internet Explorer (11.0.9600.17843).

The attackers used malicious droppers and loaders to download and execute their tools onto the victim systems. Remote access tools such as Radmin 3 and LogMeIn were also used, to control machines remotely.

“This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack (we didn’t see these exact samples anywhere else). The attack itself was very complex, consisted of several steps, and involved tens of protected tools that, being stand-alone, would reveal little from their dynamics,” ESET says.

Related: New North Korea-linked Cyberattacks Target Financial Institutions

Related: North Korea-linked Lazarus Hackers Update Arsenal of Hacking Tools

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...