Researchers Link Chilean Interbank Attack to North Korea

A recently disclosed attack on Chilean interbank network Redbanc appears linked to notorious North Korean hacking group Lazarus, Flashpoint reports. 

Active since at least 2009, and believed to be backed by the North Korean government, the Lazarus group has attacked targets in various sectors and is said to be the most serious threat against banks. Last year, researchers revealed that code reuse links most North Korean malware to Lazarus.

The December 2018 attack on the Chilean interbank network apparently involved PowerRatankba, a malware toolkit already associated with the threat actor. The malicious tool was confirmed to have been installed on Redbanc’s corporate network without triggering antivirus detection.

The malware was apparently delivered after a trusted Redbanc IT professional clicked to apply to a job opening they discovered through social media. A brief interview took place via Skype, and, since the applicant from Redbanc never had doubts about the legitimacy of the open position, application, or interview process, they were tricked into executing the payload.

Flashpoint looked at the publicly referenced samples attributed to the Redbanc intrusion and identified the dropper as related to the Lazarus-linked PowerRatankba. A Microsoft Visual C#/Basic .NET (v4.0.30319)-compiled executable, the dropper would download a PowerRatankba PowerShell reconnaissance tool.

The dropper was designed to display a fake job application form to hide the fact that it downloads and executes the malware in the background. The payload itself was not available during analysis, but a copy was recovered from a sandbox, Flashpoint’s security researchers reveal.

First detailed in December 2017, PowerRatankba is a first stage reconnaissance tool also employed for the deployment of further stage implants. The sample observed in the Chilean interbank attack was using HTTPS for command and control (C&C) communication, unlike previously identified variants that used HTTP.

The malware uses Windows Management Instrumentation (WMI) to obtain information on the system and sends the gathered data (including system details, process lists, username, proxy settings) to the server. It also checks for open file shares and Remote Desktop Protocol (RDP) ports. 

If admin privileges are available, the malware then attempts to download the next stage and register it as a service. It also achieves persistence by setting an autostart entry. It can execute commands, delete the agent, modify and replace .ps1 and VBS files, send data to the server, and download an executable and run it via PowerShell.

The analyzed PowerRatankba sample also contains “ConsoleLog” output logic meant for debugging, allowing its developer to review the output, which is written to a hardcoded location in the Temp folder.
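The behaviours described in the three paragraphs above (WMI host reconnaissance from PowerShell, registering a downloaded stage as a service, a Run-key autostart, and a debug log written under Temp) are each individually noisy but unusual in combination. The following hunting heuristic is an added example, not Flashpoint’s or the article’s code: it scores a handful of constructed Windows event records, shaped loosely like Sysmon and System-log events flattened into dictionaries, and flags hosts where several of these behaviours coincide. The field names, the sample paths and the log filename are assumptions for illustration, not indicators from the Redbanc case.

```python
import re
from collections import defaultdict

# Constructed sample events from one workstation plus one benign event from
# another. The flattened Sysmon/System-log field names are an assumption
# for illustration; real exports will need mapping onto this shape.
SAMPLE_EVENTS = [
    {   # Sysmon event 1 (process create): PowerShell running WMI host recon
        "host": "WS-01", "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -c "Get-WmiObject Win32_ComputerSystem; Get-WmiObject Win32_Process"',
    },
    {   # System log event 7045 (service installed): image in a user-writable path
        "host": "WS-01", "EventID": 7045,
        "ServiceName": "Updater", "ImagePath": r"C:\Users\Public\updater.exe",
    },
    {   # Sysmon event 13 (registry value set): Run-key autostart written by PowerShell
        "host": "WS-01", "EventID": 13,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    },
    {   # Sysmon event 11 (file create): PowerShell writing a log under Temp (filename constructed)
        "host": "WS-01", "EventID": 11,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\console.log",
    },
    {   # Benign: an ordinary service host process on another machine
        "host": "WS-02", "EventID": 1,
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "svchost.exe -k netsvcs",
    },
]

# WMI cmdlets querying the classes a host-recon script typically reads.
WMI_RECON = re.compile(
    r"\b(Get-WmiObject|gwmi|Get-CimInstance)\b[^;|]*\bWin32_"
    r"(ComputerSystem|OperatingSystem|Process|NetworkAdapterConfiguration)\b",
    re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TEMP_LOG = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.(log|txt)$", re.IGNORECASE)
# Service images under these prefixes are treated as expected; anything else is suspicious.
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files")


def is_powershell(image):
    """True when the acting process is a PowerShell host."""
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def classify(event):
    """Return the set of PowerRatankba-style behaviour tags an event matches."""
    tags = set()
    eid = event.get("EventID")
    image = event.get("Image", "")
    if eid == 1 and is_powershell(image) and WMI_RECON.search(event.get("CommandLine", "")):
        tags.add("wmi_recon")
    if eid == 7045:
        path = event.get("ImagePath", "").strip('"').lower()
        if not path.startswith(TRUSTED_SERVICE_DIRS):
            tags.add("service_install")
    if eid == 13 and is_powershell(image) and RUN_KEY.search(event.get("TargetObject", "")):
        tags.add("run_key_autostart")
    if eid == 11 and is_powershell(image) and TEMP_LOG.search(event.get("TargetFilename", "")):
        tags.add("temp_debug_log")
    return tags


def score_hosts(events):
    """Collect distinct behaviour tags per host; hosts with no hits are omitted."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]].update(classify(event))
    return {host: sorted(tags) for host, tags in per_host.items() if tags}


def flagged_hosts(events, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours, for analyst triage."""
    return sorted(host for host, tags in score_hosts(events).items() if len(tags) >= threshold)


if __name__ == "__main__":
    for host, tags in score_hosts(SAMPLE_EVENTS).items():
        print(host, tags)
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The point of scoring per host rather than alerting per event is that a lone WMI query from PowerShell or a lone Run-key write is routine administrative noise; the combination of reconnaissance, a service installed from a user-writable path and an autostart within the same host’s timeline is what the article’s description of PowerRatankba makes worth an analyst’s time. The Temp-log rule is the weakest signal on its own and should only raise the score, never alert by itself.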

“Lazarus appears to have been interested in a variety of sectors and targets in the last eighteen months, but it continues to be one of the most formidable APT groups targeting and exploiting financial institutions. The group has reportedly been involved in a string of bank intrusions impacting institutions all over the world, heavily targeting Latin American financial institutions and cryptocurrency exchanges,” Flashpoint notes. 

Related: Was North Korea Wrongly Accused of Ransomware Attacks?

Related: Researchers Say Code Reuse Links North Korea’s Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
