The activity of the Lazarus Group (aka Hidden Cobra) surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.
This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind attacks on banks, including the Bangladesh cyber heist.
Now security experts from ESET uncovered a cyber attack against an online casino in Central America and on other targets, in all the assaults hackers used similar hacking tools, including the dreaded KillDisk disk-wiper.
The experts found several backdoors and a simple command line tool that was designed to inject into/kill processes, terminate/reinstall services, and drop/remove files.
Most of the tools were specifically designed to run as a Windows service and require administrator privileges for their execution.
ESET detailed a TCP backdoor dubbed Win64/NukeSped, a console application that is installed in the system as a service.
The backdoor implements a set of 20 commands whose functionality is similar to previously analyzed Lazarus samples.
“Win64/NukeSped.W is a console application that is installed in the system as a service. One of the initial execution steps is dynamically resolving the required DLL names, on the stack:” states the analysis published by ESET.
“Likewise, procedure names of Windows APIs are constructed dynamically. In this particular sample, they are visible in plaintext; in other past samples that we’ve analyzed they were base64-encoded, encrypted or resolved on the stack character by character”
The backdoor allows attackers to gather information on the system, create processes, search for files, drop files on the infected systems, and inject code into processes, including Explorer.
Researchers from ESET also detailed session hijacker, dubbed Win64/NukeSped.AB, that is a console application capable of creating a process as another currently–logged-in user on the target system.
The session hijacker was spotted in the attack against the casino, researchers at ESET believe it is the same malware used in the attacks against Polish banks and Mexican entities.
ESET pointed out that at least two variants of the KillDisk malware were used in the attack that appear not linked to past wiper-based attacks, like the ones that hit Ukraine in December 2015 and December 2016.
“KillDisk is a generic detection name that ESET uses for destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable.” continues the report.
“Sub-family variants that do have strong code similarities, are sometimes seen separate cyberattacks and thus can help us make connections, as here. Other cases, for example the directed cyberattacks against high-value targets in Ukraine in December 2015 and December 2016, also employed KillDisk malware, but those samples were from different KillDisk sub-families, so are most likely unrelated to these attacks.”
According to ESET, more than 100 machines belonging to the Central American online casino were infected with the two variants of Win32/KillDisk.NBO.
It is still unclear if the attackers used the KillDisk wiper to cover the tracks of an espionage campaign, or if the malicious code was used in an extortion schema or sabotage.
The presence of the KillDisk wipers and various Lazarus-linked malware suggests that the APT group was responsible for the attack.
Experts also found that both variants present many similarities with the ones that previously targeted financial organizations in Latin America.
The attackers also used the Mimikatz tool to extract Windows credentials, a tool designed to recover passwords from major web browsers, malicious droppers and loaders to download and execute their tools onto the victim systems.
The hackers leveraged Radmin 3 and LogMeIn as remote access tools.
“This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack (we didn’t see these exact samples anywhere else).” concluded ESET.
“The attack itself was very complex, consisted of several steps, and involved tens of protected tools that, being stand-alone, would reveal little from their dynamics.”
(Security Affairs – Lazarus APT, North Korea)