Researchers sink scalpel into Lazarus crew. Yup. Autopsy shows distinct hacker tradecraft

See these contusions? It's where the hackers burrowed out to infect other hosts

csi new york gary sinise  and robert joy as detective and medical examiner on csi:ny ... Photo by: Monty Brinton/CBS
Amazing how quickly we got those lab results, eh? (Let's just hope no lab techs are watching this!) Pic (c): Monty Brinton/CBS

The hacking group blamed for the infamous $81m cyber-heist against the Central Bank of Bangladesh last year has been targeting a far wider range of organisations than previously thought.

The so-called Lazarus cyber-espionage and sabotage crew has also been busy attacking casinos, software developers for investment companies and crypto-currency businesses as well as bank around the world, according to researchers from Kaspersky Lab.

During the forensic analysis of artefacts left by the group in South-East Asian and European banks, Kaspersky Lab has reached a deep understanding of what malicious tools the group uses and how it operates. Knowledge of the hackers' tradecraft has helped to interrupt at least two other operations aimed at stealing a large amount of money from financial institutions.

Modus operandi

The hackers typically start by running watering hole attacks in order to plant malicious code on the victim’s (bank employee) computer. Once a toehold has been established, the hackers attempt to infect other hosts in a targeted institution.

The next stage involves internal reconnaissance, mapping the targeted network. Particular targets include the backup server, where authentication information is stored, mail servers or domain controllers as well as servers storing or processing records of financial transactions.

Finally, the hackers deploy "special malware" capable of bypassing the internal security features of financial software and issuing rogue transactions on behalf of the bank.

During the analysis of the incident in South-East Asia, Kaspersky Lab experts discovered that hackers scanned the targeted bank network seven months prior to the day when the bank’s security team requested incident response.

According to Kaspersky Lab records, malware samples relating to Lazarus group activity appeared in financial institutions, casinos software developers for investment companies and crypto-currency businesses in Korea, Bangladesh, India, Vietnam, Indonesia, Costa Rica, Malaysia, Poland, Iraq, Ethiopia, Kenya, Nigeria, Uruguay, Gabon, Thailand and several other countries since December 2015. Fresh samples were detected only last month, indicating that the hackers have no intention of stopping even though they have been less busy of late.

Lazarus'$ global spread [source: KL blog post screenshot]

The Lazarus group, which has been active since 2009, is also suspected in the infamous Sony Pictures hack. North Korea is prime suspect in the ongoing malfeasance. The Kaspersky team uncovered one isolated example where the hackers connected to a command and control server from a very rare IP address range in North Korea.

This was either an OpSec slip-up by the hackers or someone else’s carefully planned false flag operation (i.e. an elaborate attempt to frame the NORKs), according to Kaspersky Lab.

OpSec fail [source: KL blog post screenshot]

Kaspersky Lab released details of its research during a session during its Security Analyst Summit in St. Maarten, West Indies on Monday. The Russian security software firm has released Indicators of Compromise (IOC) and other data to help organisations search for traces of these attack groups in their corporate networks. ®

An animated video on how Kaspersky Lab researchers investigated the Lazarus attacks can be found below.

Youtube Video


Biting the hand that feeds IT © 1998–2017