North Korean Hackers Hit Latin American Banks

The North Korean hacking group known as Lazarus recently targeted financial institutions in Latin America, Trend Micro security researchers have discovered.

The notorious threat actor, believed to be backed by the North Korean government, is known to have been involved in a series of high-profile attacks, including the devastating attack against Sony Pictures in late 2014 and the $81 million cyber heist from Bangladesh Bank's account at the Federal Reserve Bank of New York.

Also referred to as Hidden Cobra, the group is widely regarded as the most serious threat to banks, and it also started targeting individuals last year. Recently, the group was said to have stolen millions from ATMs across Asia and Africa.

Trend Micro now says that a Lazarus backdoor was found on several machines at financial institutions across Latin America. The security firm also reports that the malware was installed on the targeted machines on September 19, 2018.

The attack technique resembles a 2017 Lazarus attack that hit targets in Asia. The group used FileTokenBroker.dll in that attack, and the same modularized backdoor appears to have been employed in the recent incident as well.

In their 2018 attacks, the Lazarus group used multiple backdoors and also employed a more involved technique built from three major components: a loader DLL launched as a service, an encrypted backdoor, and an encrypted configuration file.

Installed as a service, the loader DLL is registered under different names on different machines, but has the same capabilities on all of them.

Once installed on a target machine, the backdoor can collect files and system information; download files and additional malware; launch, terminate and enumerate processes; update its configuration data; delete files; inject code from files into other running processes; use a proxy; open a reverse shell; and run in passive mode, in which it opens a port and listens on it for commands.

The malware still requires a command channel to carry out any of these activities: either an outbound connection to its C&C server or, in passive mode, an inbound connection to the port it listens on.
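The two parts of the description that a defender can act on without any indicator are the service-hosted loader DLL (same DLL, different service names per machine) and the passive-mode listener. The hunt below is an added example, not code from the SecurityWeek article or from Trend Micro; it runs over constructed records shaped like a fleet export that joins each service's ServiceDll registry value, the DLL's signature status and hash, and the TCP ports bound by the svchost.exe hosting it. The field names, thresholds and sample values are assumptions for illustration.

```python
"""Hunt for a service-hosted loader DLL and a passive-mode listener.

Added example (not from the SecurityWeek article or the Trend Micro report).
Records are constructed to mimic a fleet export of
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\Parameters\\ServiceDll,
joined with a signature check, a file hash and netstat listener data.
Field names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Directories where a legitimate ServiceDll normally lives (assumed baseline).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class ServiceRecord:
    host: str
    name: str          # service name as registered
    service_dll: str   # Parameters\ServiceDll value
    sha256: str        # hash of the DLL on disk (constructed values below)
    signed: bool       # Authenticode result, assumed collected beforehand
    listening: tuple   # TCP ports bound by the svchost.exe hosting the service


def score_service(rec):
    """Return (score, reasons) for one service record."""
    reasons = []
    dll = rec.service_dll.lower()
    if not dll.startswith(TRUSTED_DLL_DIRS):
        reasons.append("ServiceDll outside System32/SysWOW64")
    if not rec.signed:
        reasons.append("ServiceDll is not Authenticode-signed")
    # Passive mode needs no outbound C&C: the backdoor just waits on a port.
    # A listener only adds weight once the DLL itself already looks off,
    # otherwise every legitimate listening service would fire.
    if rec.listening and reasons:
        ports = ",".join(str(p) for p in rec.listening)
        reasons.append("hosting process listens on TCP %s" % ports)
    return len(reasons), reasons


def suspicious_services(records, min_score=2):
    """Per-host hits: services that accumulate at least min_score reasons."""
    hits = {}
    for rec in records:
        score, reasons = score_service(rec)
        if score >= min_score:
            hits[(rec.host, rec.name)] = reasons
    return hits


def same_dll_many_names(records):
    """Fleet check: one DLL hash registered under more than one service name.

    This is the cross-host signal for a loader that keeps its capabilities
    but changes its service name from machine to machine.
    """
    names_by_hash = defaultdict(set)
    for rec in records:
        names_by_hash[rec.sha256].add(rec.name)
    return {h: names for h, names in names_by_hash.items() if len(names) > 1}


# Constructed sample export; hashes are placeholders, not real indicators.
SAMPLE = [
    ServiceRecord("wks01", "Dhcp", r"C:\Windows\System32\dhcpcore.dll", "aaa1", True, ()),
    ServiceRecord("wks01", "SysUpdSvc", r"C:\ProgramData\Sys\upd.dll", "bbb2", False, (443,)),
    ServiceRecord("wks02", "NetHlpSvc", r"C:\ProgramData\Net\hlp.dll", "bbb2", False, ()),
    ServiceRecord("wks03", "Dhcp", r"C:\Windows\System32\dhcpcore.dll", "aaa1", True, ()),
]

if __name__ == "__main__":
    for key, reasons in suspicious_services(SAMPLE).items():
        print("%s/%s: %s" % (key[0], key[1], "; ".join(reasons)))
    for digest, names in same_dll_many_names(SAMPLE).items():
        print("hash %s registered as %s" % (digest, sorted(names)))
```

On the constructed data this flags the unsigned DLLs under ProgramData on wks01 (with its listener on 443) and wks02, and reports that the same hash is registered as both SysUpdSvc and NetHlpSvc. In a real hunt the directory allow-list and the "unsigned" test are only a first cut; a signed-but-stolen certificate or a DLL planted in a trusted directory would pass both, which is why the cross-host hash-to-name check is worth keeping even when the per-host scores look clean.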

“The Lazarus group is an experienced organization, methodically evolving their tools and experimenting with strategies to get past an organization’s defenses. The backdoors they are deploying are difficult to detect and a significant threat to the privacy and security of enterprises, allowing attackers to steal information, delete files, install malware, and more,” Trend Micro concludes. 

Related: U.S. Links North Korean Government to ATM Hacks

Related: U.S. Charges North Korean Over Lazarus Group Hacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

