The North Korean hacking group known as Lazarus recently targeted financial institutions in Latin America, Trend Micro security researchers have discovered.
The notorious threat actor, believed to be backed by the North Korean government, is known to have been involved in a series of high-profile attacks, including the devastating attack against Sony Pictures in late 2014 and the $81 million cyber heist from Bangladesh’s account at the New York Federal Reserve Bank.
Also referred to as Hidden Cobra, the group is believed to be the most serious threat against banks and also started targeting individuals last year. Recently, the group was said to have stolen millions from ATMs across Asia and Africa.
Trend Micro now says that a Lazarus backdoor was found on several machines of financial institutions across Latin America. The security firm also reports that the malware was installed on the targeted machines on September 19.
The attack technique resembles a 2017 Lazarus attack that hit targets in Asia. The group used FileTokenBroker.dll in that attack, and the same modularized backdoor appears to have been employed in the recent incident as well.
In their 2018 attacks, the Lazarus group used multiple backdoors, and also employed a complicated technique involving three major components: a loader DLL launched as a service, an encrypted backdoor, and an encrypted configuration file.
Installed as a service, the loader DLL uses different names on different machines, but has the same capabilities on all of them.
Once installed on a target machine, the backdoor can collect files and system information; download files and additional malware; launch, terminate and enumerate processes; update configuration data; delete files; inject code from files into other running processes; use a proxy; open a reverse shell; and run in passive mode, in which it opens a port and listens on it for commands.
The malware does require a C&C connection for conducting activities.
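Because the loader DLL is installed as a service and, as noted above, carries a different name on every machine, a hunt for it has to key on properties rather than names. The following added example (not Trend Micro's code or anything from the original report) shows one such property check: it parses output in the format produced by `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll` and flags every svchost-hosted service whose DLL lives outside the Windows system directories, singling out user-writable locations. The sample output, the service names NetMgmtHelper and AppReadinessSvc, and the DLL paths are all constructed for the example; the registry key layout and value names are the standard ones Windows uses for service DLLs.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample, modelled on the output of:
#   reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll
# The first two entries are ordinary Windows services; the last two are
# constructed examples of a loader DLL registered under an innocuous name.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dnsrslvr.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\winhttp.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetMgmtHelper\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\ProgramData\NetMgmt\FileTokenBroker.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppReadinessSvc\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Program Files\Common Files\apprdy.dll
"""

# Directories where Windows keeps its own service DLLs; a service DLL hosted
# from anywhere else deserves a closer look.
TRUSTED_PREFIXES = (r"c:\windows\system32" + "\\", r"c:\windows\syswow64" + "\\")
# Directories that a non-administrator can normally write to.
USER_WRITABLE_PREFIXES = (r"c:\users" + "\\", r"c:\programdata" + "\\", r"c:\temp" + "\\")
# Environment variables commonly seen in ServiceDll values, expanded by hand
# so the script can run on any OS against captured output.
ENV_EXPANSIONS = {"%systemroot%": r"c:\windows", "%windir%": r"c:\windows"}

KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\Parameters\s*$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r"^\s+ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.IGNORECASE)


def parse_service_dlls(reg_output: str) -> List[Tuple[str, str]]:
    """Return (service name, raw ServiceDll value) pairs from reg query output."""
    results = []
    service = None
    for line in reg_output.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            service = key_match.group(1)   # remember which service this Parameters key belongs to
            continue
        value_match = VALUE_RE.match(line)
        if value_match and service:
            results.append((service, value_match.group(1)))
    return results


def normalize_path(raw: str) -> str:
    """Lower-case the path, strip quotes and expand the usual environment variables."""
    path = raw.strip().strip('"').lower()
    for var, value in ENV_EXPANSIONS.items():
        path = path.replace(var, value)
    return path


def classify(raw_dll: str) -> Optional[str]:
    """Return a reason string if the DLL location is suspicious, else None."""
    path = normalize_path(raw_dll)
    if path.startswith(TRUSTED_PREFIXES):
        return None
    if path.startswith(USER_WRITABLE_PREFIXES):
        return "service DLL in user-writable directory"
    return "service DLL outside Windows system directories"


def find_suspicious_service_dlls(reg_output: str) -> List[Tuple[str, str, str]]:
    """Return (service, normalized DLL path, reason) for every flagged service."""
    findings = []
    for service, raw_dll in parse_service_dlls(reg_output):
        reason = classify(raw_dll)
        if reason:
            findings.append((service, normalize_path(raw_dll), reason))
    return findings


if __name__ == "__main__":
    for service, dll, reason in find_suspicious_service_dlls(SAMPLE_REG_QUERY):
        print(f"[!] {service}: {dll} ({reason})")
```

Run against real `reg query` output, this produces a short list of services to verify by hand (publisher signature on the DLL, creation time, whether the service name appears in a known-good baseline); a hit is a lead, not a verdict, since legitimate third-party software also registers service DLLs outside System32.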
“The Lazarus group is an experienced organization, methodically evolving their tools and experimenting with strategies to get past an organization’s defenses. The backdoors they are deploying are difficult to detect and a significant threat to the privacy and security of enterprises, allowing attackers to steal information, delete files, install malware, and more,” Trend Micro concludes.