North Korean state sponsored hackers Lazarus, and especially its subgroup Bluenoroff, increase cyber attacks against banks in Latin America Trend Micro cyber security experts discovered that APT38 planted backdoors in financial institutions across the region

The North Korean state sponsored hackers Lazarus, and especially its subgroup Bluenoroff, are increasing cyber attacks against financial organizations in Asia and Latin America. It has been discovered by the Trend Micro cyber security experts. According to the company’s blog, there seems to be a resurgence of activity from the APT38 group (aka Hidden Cobra), and recent events show how their tools and techniques have evolved. Just last week they were found stealing millions from ATMs across Asia and Africa. “We also recently discovered that they successfully planted their backdoor (detected as BKDR_BINLODR.ZNFJ-A) into several machines of financial institutions across Latin America”. These backdoors were installed on the targets’ machines on September 19 2018, based mainly on the service creation time of the loader component.

The cyber attack technique bears some resemblance to a previous 2017 Lazarus aggression against targets in Asia. Which damages the victims could suffer

Trend Micro cyber security specisists saw also that the Bluenoroff cyber attack technique bears some resemblance to a previous 2017 Lazarus attack, analyzed by BAE Systems, against targets in Asia. The use of FileTokenBroker.dll was a key part of the APT38’s attack in 2017, and they seem to have used the same modularized backdoor in the recent incident as well. The analysis of the backdoors used in the September 2018 show that AuditCred.dll/ROptimizer.dll was similarly used. If successfully installed, this backdoor poses quite a threat to its target. It is capable of the following functions: Collect file/folder/drive information; Download files and additional malware; launch/ terminate/ enumerate process; Update configuration data; Delete files: Inject code from files to other running process; Utilize proxy; Open reverse shell; Run in passive mode.

The North Korean Lazarus Group has been acrive since at least 2009 and it was involved in both cyber espionage campaigns and sabotage activities to destroy data and disrupt systems. Since some time, APT38 is working to collect money for Pyongyang

The activity of the North Korean Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on Hidden Cobra consider it highly sophisticated. Security Affairs reminds that APT38 has been active since at least 2009, and that it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack. Recently, it was involved in several attacks aimed at stealing millions from ATMs across Asia and Africa. Cyber security experts of Symantec have discovered a malware, tracked as FastCash Trojan, used by the Pyongyang hackers, in a string of cyber attacks against ATMs. The ATP group has been using this malware at least since 2016 to siphon millions of dollars from ATMs.