SecurityWeek

Cybercrime

Researchers Link Chilean Interbank Attack to North Korea

A recently disclosed attack on Chilean interbank network Redbanc appears linked to notorious North Korean hacking group Lazarus, Flashpoint reports. 

Active since at least 2009, and believed to be backed by the North Korean government, the Lazarus group has attacked targets in various sectors and is said to be the most serious threat against banks. Last year, researchers revealed that code reuse links most North Korean malware to Lazarus.

The December 2018 attack on the Chilean interbank network apparently involved PowerRatankba, a malware toolkit already associated with the threat actor. The malicious tool was confirmed to have been installed on Redbanc’s corporate network without triggering antivirus detection.

The malware was apparently delivered after a trusted Redbanc IT professional clicked to apply to a job opening they discovered through social media. A brief interview took place via Skype, and, since the applicant from Redbanc never had doubts about the legitimacy of the open position, application, or interview process, they were tricked into executing the payload.

Flashpoint looked at the publicly referenced samples attributed to the Redbanc intrusion and identified the dropper as related to the Lazarus-linked PowerRatankba. A Microsoft Visual C#/Basic .NET (v4.0.30319)-compiled executable, the dropper would download a PowerRatankba PowerShell reconnaissance tool.

The dropper was designed to display a fake job application form to hide the fact that it downloads and executes the malware in the background. The payload, however, was not available during analysis, although it was recovered from a sandbox, Flashpoint’s security researchers reveal.

First detailed in December 2017, PowerRatankba is a first-stage reconnaissance tool that is also used to deploy later-stage implants. The sample observed in the Chilean interbank attack used HTTPS for command and control (C&C) communication, unlike previously identified variants, which used HTTP.

The malware uses Windows Management Instrumentation (WMI) to collect information on the system and sends the gathered data (including system details, process lists, username, and proxy settings) to the server. It also checks for open file shares and Remote Desktop Protocol (RDP) ports.

If admin privileges are available, the malware then attempts to download the next stage and register it as a service. It also achieves persistence by setting an autostart entry. It can execute commands, delete the agent, modify and replace PS1 and VBS files, send data to the server, and download an executable and run it via PowerShell.

The analyzed PowerRatankba malware also contains “ConsoleLog” output logic meant to debug the application and help its developer review the output, which is stored in a hardcoded location in the Temp folder.
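The two persistence mechanisms described above (registering the next stage as a service and setting an autostart entry) both leave a record that defenders can watch for a script host being handed control. The following detector is an added example, not Flashpoint's or SecurityWeek's code: it scores constructed event records loosely modelled on a Windows System log event 7045 (service installed) and a Sysmon event 13 (registry value set), and reports entries that launch PowerShell or combine several weaker signals. The dict field names, the sample service names, paths and arguments, and the scoring threshold are all assumptions made for the example.

```python
"""Added example (not Flashpoint's or SecurityWeek's code): flag persistence
entries that hand control to PowerShell, the two mechanisms described for
PowerRatankba (registering a next stage as a service, setting an autostart).

Event shapes are assumptions: each record is a dict loosely modelled on a
Windows System log event 7045 (service installed) or a Sysmon event 13
(registry value set). Field names and all sample values are constructed.
"""
import re

# Constructed sample events; names, paths and arguments are placeholders.
SAMPLE_EVENTS = [
    {"source": "System", "event_id": 7045, "service_name": "WinUpdateSvc",
     "image_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                   r" -w hidden -ep bypass -f C:\Users\Public\update.ps1"},
    {"source": "System", "event_id": 7045, "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"source": "Sysmon", "event_id": 13,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"powershell.exe -NoProfile -WindowStyle Hidden"
                r" -EncodedCommand AAAAAAAAAAAAAAAA"},  # placeholder, not a real payload
    {"source": "Sysmon", "event_id": 13,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

# Run/RunOnce keys are the autostart locations this example covers.
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# PowerShell host at the start of the command or after a path separator/space.
POWERSHELL_RE = re.compile(r'(^|[\\\s"])(powershell|pwsh)(\.exe)?\b', re.IGNORECASE)
# Switches that hide the window, bypass policy, or pass an encoded script.
SUSPICIOUS_ARG_RE = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(xecutionpolicy|p)\s+bypass"
    r"|enc(odedcommand)?\b|nop(rofile)?\b|noni(nteractive)?\b)",
    re.IGNORECASE)
# Locations an unprivileged user can write to; services rarely live there.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\|ProgramData\\|Temp\\|Public\\)", re.IGNORECASE)


def classify(event):
    """Return a finding dict for a service/autostart entry worth a look, else None."""
    if event["event_id"] == 7045:
        mechanism, name, cmd = "service", event["service_name"], event["image_path"]
    elif event["event_id"] == 13 and AUTORUN_KEY_RE.search(event["target"]):
        mechanism, name, cmd = "autostart", event["target"].rsplit("\\", 1)[-1], event["details"]
    else:
        return None  # not a persistence mechanism this example covers

    reasons, score = [], 0
    if POWERSHELL_RE.search(cmd):
        reasons.append("powershell host")
        score += 2
    for m in SUSPICIOUS_ARG_RE.finditer(cmd):
        reasons.append("arg:" + m.group(0).lower())
        score += 1
    if USER_WRITABLE_RE.search(cmd):
        reasons.append("user-writable path")
        score += 1
    # A PowerShell host alone is enough; otherwise require two weaker signals,
    # so an ordinary user autostart from AppData is not reported.
    if score < 2:
        return None
    return {"mechanism": mechanism, "name": name, "score": score, "reasons": reasons}


def scan(events):
    """Run classify() over a batch and keep the hits, highest score first."""
    hits = [f for f in (classify(e) for e in events) if f]
    return sorted(hits, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['mechanism']}] {f['name']} score={f['score']} {', '.join(f['reasons'])}")
```

On the constructed sample, the service whose image path is a hidden PowerShell script under a public folder and the Run-key value that launches an encoded PowerShell command are both reported, while the Spooler service and the user's OneDrive autostart are not. The threshold of two is a design choice: a script host in a persistence entry is reported on its own, whereas a single weaker signal such as a user-writable path is too common to act on by itself.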

“Lazarus appears to have been interested in a variety of sectors and targets in the last eighteen months, but it continues to be one of the most formidable APT groups targeting and exploiting financial institutions. The group has reportedly been involved in a string of bank intrusions impacting institutions all over the world, heavily targeting Latin American financial institutions and cryptocurrency exchanges,” Flashpoint notes. 

Related: Was North Korea Wrongly Accused of Ransomware Attacks?

Related: Researchers Say Code Reuse Links North Korea’s Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.