The North Korean hacking group known as Lazarus recently targeted financial institutions in Latin America, Trend Micro security researchers have discovered.
The notorious threat actor, believed to be backed by the North Korean government, is known to have been involved in a series of high-profile attacks, including the devastating attack against Sony Pictures in late 2014 and the $81 million cyber heist from Bangladesh’s account at the New York Federal Reserve Bank.
Also referred to as Hidden Cobra, the group is believed to be the most serious threat against banks and also started targeting individuals last year. Recently, the group was said to have stolen millions from ATMs across Asia and Africa.
Trend Micro now says that a Lazarus backdoor was found on several machines of financial institutions across Latin America. The security firm also reports that the malware was installed on the targeted machines on September 19.
The attack technique resembles a 2017 Lazarus attack that hit targets in Asia. The group used FileTokenBroker.dll in that attack, and the same modularized backdoor appears to have been employed in the recent incident as well.
In their 2018 attacks, the Lazarus group used multiple backdoors, and also employed a complicated technique involving three major components: a loader DLL launched as a service, an encrypted backdoor, and an encrypted configuration file.
Installed as a service, the loader DLL uses different names on different machines, but has the same capabilities on all of them.
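Because the loader DLL is registered as a service under a different name on every machine, hunting by service name is a weak approach. The following is an added example, not code from the article or from Trend Micro, of a name-independent triage heuristic: it walks a constructed sample of Windows service registrations and flags any service whose DLL (the ServiceDll of an svchost-hosted service, or a .dll named in the image path) does not live under the Windows system directories. The service names, paths and trusted-directory list are assumptions made for the example, not indicators from the page.

```python
"""Triage Windows service registrations for DLL loaders that live outside
the Windows system directories.

Added example for this article, not code from the page or Trend Micro.
All service entries and paths below are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ServiceEntry:
    name: str                          # service key name
    image_path: str                    # ImagePath value
    service_dll: Optional[str] = None  # Parameters\ServiceDll, if present


# Directories from which a service DLL is considered expected
# (assumption: a stock install with the Windows directory on C:).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Matches a .dll path inside a command line such as
#   rundll32.exe C:\Users\Public\agent.dll,Start
DLL_IN_CMDLINE = re.compile(r'([A-Za-z]:\\[^\s,"]+?\.dll)', re.IGNORECASE)


def is_trusted_location(path: str) -> bool:
    """True when the DLL sits in, or below, one of the trusted directories."""
    norm = path.strip('"').lower()
    return any(norm.startswith(d + "\\") for d in TRUSTED_DIRS)


def dll_for(entry: ServiceEntry) -> Optional[str]:
    """Return the DLL this service would load, or None if it names none."""
    if entry.service_dll:
        return entry.service_dll
    m = DLL_IN_CMDLINE.search(entry.image_path)
    return m.group(1) if m else None


def flag_suspicious(entries: List[ServiceEntry]) -> List[Tuple[str, str]]:
    """Return (service name, reason) for each service whose DLL is untrusted."""
    findings = []
    for e in entries:
        dll = dll_for(e)
        if dll is None:
            continue  # plain EXE service; out of scope for this heuristic
        if not is_trusted_location(dll):
            findings.append(
                (e.name, f"service DLL outside Windows directory: {dll}")
            )
    return findings


# Constructed sample of HKLM\SYSTEM\CurrentControlSet\Services entries.
SAMPLE_SERVICES = [
    ServiceEntry("Dhcp",
                 r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted",
                 r"C:\Windows\System32\dhcpcore.dll"),
    ServiceEntry("Spooler", r"%SystemRoot%\System32\spoolsv.exe"),
    # Benign-looking name, but the hosted DLL lives under ProgramData.
    ServiceEntry("NetSvcHelper",
                 r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 r"C:\ProgramData\NetSvc\nshelper.dll"),
    # A service that starts a DLL through rundll32 from a user-writable path.
    ServiceEntry("UpdateAgent", r"rundll32.exe C:\Users\Public\agent.dll,Start"),
]


if __name__ == "__main__":
    for name, reason in flag_suspicious(SAMPLE_SERVICES):
        print(f"[!] {name}: {reason}")
```

On a real host the ServiceDll values often contain `%SystemRoot%` or other environment variables, so expand them before the check; the heuristic produces leads for a human to review (a legitimate third-party service can also install its DLL under Program Files), not verdicts.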
Once installed on a target machine, the backdoor can collect files and system information; download files and additional malware; launch, terminate and enumerate processes; update configuration data; delete files; inject code from files into other running processes; utilize a proxy; open a reverse shell; and run in passive mode, where it opens and listens on a port to receive commands through it.
The malware does require a C&C connection for conducting activities.
“The Lazarus group is an experienced organization, methodically evolving their tools and experimenting with strategies to get past an organization’s defenses. The backdoors they are deploying are difficult to detect and a significant threat to the privacy and security of enterprises, allowing attackers to steal information, delete files, install malware, and more,” Trend Micro concludes.
