Researchers Link Chilean Interbank Attack to North Korea

A recently disclosed attack on Chilean interbank network Redbanc appears linked to notorious North Korean hacking group Lazarus, Flashpoint reports. 

Active since at least 2009, and believed to be backed by the North Korean government, the Lazarus group has attacked targets in various sectors and is said to be the most serious threat against banks. Last year, researchers revealed that code reuse links most North Korean malware to Lazarus.

The December 2018 attack on the Chilean interbank network apparently involved PowerRatankba, a malware toolkit already associated with the threat actor. The malicious tool was confirmed to have been installed on Redbanc’s corporate network without triggering antivirus detection.

The malware was apparently delivered after a trusted Redbanc IT professional clicked to apply to a job opening they discovered through social media. A brief interview took place via Skype, and, since the applicant from Redbanc never had doubts about the legitimacy of the open position, application, or interview process, they were tricked into executing the payload.

Flashpoint looked at the publicly referenced samples attributed to the Redbanc intrusion and identified the dropper as related to the Lazarus-linked PowerRatankba. A Microsoft Visual C#/Basic .NET (v4.0.30319)-compiled executable, the dropper would download a PowerRatankba PowerShell reconnaissance tool.

The dropper was designed to display a fake job application form to hide the fact that it downloads and executes the malware in the background. The payload, however, was not available during analysis, although a copy was recovered from a sandbox, Flashpoint’s security researchers reveal.

First detailed in December 2017, PowerRatankba is a first stage reconnaissance tool also employed for the deployment of further stage implants. The sample observed in the Chilean interbank attack was using HTTPS for command and control (C&C) communication, unlike previously identified variants that used HTTP.

The malware uses Windows Management Instrumentation (WMI) to obtain information on the system and sends the gathered data (including system details, process lists, username, proxy settings) to the server. It also checks for open file shares and Remote Desktop Protocol (RDP) ports. 

If admin privileges are available, the malware then attempts to download the next stage and register it as a service. It also achieves persistence by setting an autostart entry. It can execute commands, delete the agent, modify and replace .ps1 and VBS files, send data to the server, and download an executable and run it via PowerShell.

The analyzed PowerRatankba malware also contains “ConsoleLog” output logic meant to debug the application, to help its developer survey the output, which is stored in a hardcoded location in the Temp folder. 
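As an added defensive example (not code from the Flashpoint report, and not a Redbanc indicator), a small Python hunt that flags autostart and service entries matching the persistence pattern described above: a script interpreter launching a .ps1 or .vbs file from a Temp directory. The entries are constructed samples and the two-reason threshold is an assumption.

```python
import re

# Constructed sample autostart entries (not real IoCs from the Redbanc case).
SAMPLE_ENTRIES = [
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "Updater",
     "command": r"powershell.exe -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\update.ps1"},
    {"source": "Service", "name": "SyncSvc",
     "command": r"wscript.exe //B C:\Windows\Temp\sync.vbs"},
    {"source": "Service", "name": "Spooler",
     "command": r"C:\Windows\System32\spoolsv.exe"},
]

# Script interpreters commonly used to run .ps1/.vbs payloads from persistence entries.
INTERPRETER = re.compile(r"\b(?:powershell|pwsh|wscript|cscript)(?:\.exe)?\b", re.IGNORECASE)
# Unquoted Windows paths ending in .ps1 or .vbs (quoted paths with spaces are not handled).
SCRIPT_PATH = re.compile(r"[A-Za-z]:\\[^\"\s]+\.(?:ps1|vbs)\b", re.IGNORECASE)


def in_temp_dir(path):
    """True if any directory component of the path is named 'Temp'."""
    parts = path.lower().split("\\")
    return "temp" in parts[:-1]


def classify_entry(entry):
    """Return the list of reasons an autostart/service entry looks suspicious."""
    cmd = entry["command"]
    reasons = []
    if INTERPRETER.search(cmd):
        reasons.append("script interpreter in autostart")
    scripts = SCRIPT_PATH.findall(cmd)
    if scripts:
        reasons.append("launches .ps1/.vbs script")
        if any(in_temp_dir(p) for p in scripts):
            reasons.append("script lives under a Temp directory")
    return reasons


def hunt(entries, min_reasons=2):
    """Return entries with at least min_reasons suspicious traits (threshold is an assumption)."""
    hits = []
    for entry in entries:
        reasons = classify_entry(entry)
        if len(reasons) >= min_reasons:
            hits.append({**entry, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_ENTRIES):
        print(hit["source"], hit["name"], "->", "; ".join(hit["reasons"]))
```

On a live host the same logic can be fed from Run-key values and service ImagePath values exported by your EDR or a registry query; legitimate entries that run scripts from Temp still deserve a look, since that is exactly where this family keeps its files.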

“Lazarus appears to have been interested in a variety of sectors and targets in the last eighteen months, but it continues to be one of the most formidable APT groups targeting and exploiting financial institutions. The group has reportedly been involved in a string of bank intrusions impacting institutions all over the world, heavily targeting Latin American financial institutions and cryptocurrency exchanges,” Flashpoint notes. 

Related: Was North Korea Wrongly Accused of Ransomware Attacks?

Related: Researchers Say Code Reuse Links North Korea’s Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
