Experts link attack on Chilean interbank network Redbanc NK Lazarus APT

Pierluigi Paganini January 16, 2019

Researchers from Flashpoint linked the recently disclosed attack on Chilean interbank network Redbanc to the North Korean APT group Lazarus.

Security experts at Flashpoint linked the recently disclosed attack on the Chilean interbank network to the dreaded Lazarus APT group.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFTattacks in 2016, and the Sony Pictures hack.

At the end of 2018, the group was involved in several attacks aimed at stealing millions from ATMs across Asia and Africa. Security experts from Symantec discovered a malware, tracked as FastCash Trojan, that was used by the Lazarus APT Group, in a string of attacks against ATMs.

Active since at least 2009, and believed to be backed by the North Korean government, the Lazarus group has attacked targets in various sectors and is said to be the most serious threat against banks. Last year, researchers revealed that code reuse links most North Korean malware to Lazarus

The attack against the Chilean interbank network is has happened in December 2018, threat actors seem to have used PowerRatankba,
a PowerShell-based malware variant that closely resembles the original Ratankba implant. The experts pointed out that that the Redbanc corporate network was infected with a version of the PowerRatankba that was not detected by anti-malware.

It is interesting the way attackers delivered the malware, according to
Flashpoint a trusted Redbanc IT professional clicked to apply to a job opening found on social media. The person that published the job opening then contacted the employee via Skype for an interview and tricked him into installing the malicious code.

“According to recent reporting, the intrusion occurred due to malware delivered via a trusted Redbanc IT professional who clicked to apply to a job opening found through social media.” reported Flashpoint .

“The individual who appeared to have posted the open position then contacted the applicant from Redbanc to arrange a brief interview, which occurred shortly thereafter in Spanish via Skype. Having never expressed any doubts about the legitimacy of the open position, application, or interview process, the applicant was ultimately and unwittingly tricked into executing the payload. “

The dropper used to deliver the malware is related to the PowerRatankba, a Microsoft Visual C#/ Basic .NET (v4.0.30319)-compiled executable associated with Lazarus APT. The dropper was used to download a PowerRatankba PowerShell reconnaissance tool. 

The dropper displays a fake job application form while downloads and executes PowerRatankba in the background.

chilean interbank redbanc intrusion

The payload, however, was not available during analysis, although it was recovered from a sandbox, Flashpoint’s security researchers reveal.

The PowerRatankba sample used in the Chilean interbank attack, differently from other variants, communicates to the C&C server on HTTPS.

The malware uses Windows Management Instrumentation (WMI) to gather information on the infected system (i.e. process lists, username, proxy settings), it also checks for open file shares and Remote Desktop Protocol (RDP) ports.

“The malware leverages Windows Management Instrumentation (WMI) to obtain the victim IP by parsing Win32_NetworkAdapterConfiguration for the IP and MAC address.” continues the analysis.

“It is notable that for the victim ID, the malware leverages the MAC address with Base64-encoding, which is passed to action=”What” and encoded one more time via the Base64 algorithm.”

If PowerRatankba has admin privileges, it attempts to download the next stage from hxxps://ecombox[.]store/tbl_add[.]php as “c:\windows\temp\REG_WINDEF.ps1.

This latter code is registered as a service through the “sc create” command as,“ the malware gain persistence by setting an autostart.

The malware supports several commands, including delete agent, modify and replace ps1 and VBS files, send data to the server and download an executable and run it via PowerShell. 

The PowerRatankba variant analyzed by the experts includes the “ConsoleLog” output logic to debug the application, it could help Lazarus developers to survey the output. 

“The group has reportedly been involved in a string of bank intrusions impacting institutions all over the world, heavily targeting Latin American financial institutions and cryptocurrency exchanges.” concludes

“Monitoring and reviewing the incidents related to Lazarus and dissecting the group’s attacks and toolkits across the ATT&CK framework may assist with mitigating the exposure to this threat. Additionally, Lazarus attacks appear to reportedly rely on social media and trusted relationships, which may elevate their abilities to execute and install their payloads.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Lazarus, APT)

[adrotate banner=”5″]

[adrotate banner="13"]

you might also like

leave a comment