CyberWire Daily - Job-seeker exposes banking network to Lazarus Group. [Research Saturday]
Episode Date: March 9, 2019
Vitali Kremez is a Director of Research at Flashpoint. His team discovered that the recently disclosed intrusion suffered in December 2018 by Chilean interbank network Redbanc involved PowerRatankba, a malware toolkit with ties to North Korea-linked group Lazarus. The intrusion represents the latest known example of Lazarus-affiliated tools being deployed within financially motivated activity targeted toward financial institutions in Latin America. The original research can be found here: https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
...data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying
every request based on identity and context, simplifying security management with AI-powered
automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
We've been tracking Lazarus Group, or the group known to be operating under the umbrella, I guess, named Lazarus.
That's Vitali Kremez. He's director of research at Flashpoint.
The research we're discussing today is titled Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties.
They are known for some of the most sophisticated, financially motivated hacks we've seen in the past,
linked to, of course, the bank heists and many, many others.
So they're continuously being targeted in various financial institutions,
and they continue to be one of the most formidable groups that are doing that.
So we've been tracking them, and through our tracking, of course, collaboration with researchers,
everything we can find about this group is very interesting to us, because their primary goal, of course,
actually the group has multiple goals, but one of the goals is to bring cash or the money back to the economy of North Korea.
So they're very unique in the way they're positioned and plus they're very agile and
they're very active.
So that always, always heightens our interest related to this group and what
they've been working on.
So while we've been tracking,
we identified one sample called PowerRatankba,
which is a PowerShell toolkit.
And then while we were looking deeper, of course,
and then the open source reporting came out saying that Redbanc suffered
a breach, and they connected it to one piece of malware,
which they didn't identify.
We found the traces of Lazarus.
And this, of course, raised lots of interest and lots of attention from our clients and both the industry-wide.
Well, let's walk through what you found here.
This one starts with kind of an interesting initial attack vector.
Can you describe to us what happened?
Sure.
The attack vector is indeed very, very interesting. It's essentially what was reported, actually, and what's been semi-confirmed by Redbanc as well,
that the developer, who is an employee working for Redbanc, essentially,
was approached by someone on LinkedIn, essentially, on social media, offering a job.
And then once they go into the job interview process, and essentially even had an interview over Skype in Spanish, which is very, very interesting, they establish a trust relationship, which oftentimes really helps the malicious actors or nation state groups to really deliver the payloads where they need to be.
And then through that relationship, the employee received a payload, which essentially was ApplicationPDF, which is kind of like a binary executable, which had a covert function.
So this was not only kind of a fake application, but it also had a purpose to essentially download and install PowerRatankba,
which was the reconnaissance tool used by the Lazarus group.
From our experience, you know, like when we look at the groups such as Lazarus or Fin7, they also rely heavily, actually, on building this relationship and using this targeted approach, which allows them to be more successful with their payloads.
Yeah, I mean, it's an interesting one because, you know, like you said, it started with social engineering, but also interesting, I guess, a lesson for us all that I guess this employee was responding to a job offer on his work computer.
Indeed.
There's a lot of lessons to learn here,
lessons to learn how sophisticated and resourceful the group is
and how targeted their approach can be.
I mean, crossing, like you said, into the social engineering realm,
but also how the employee should not probably use the social media while they're at work
or download additional tools while they're employed by any company. So yet again, it highlights both the attack vector as the possible employee who can be
browsing social media and being approached by the groups, but also highlights the possible
strategies, how we can think about network hygiene of applying maybe defenses and looking
deeper into social media relationships or the access employees might have.
Because that's yet again, open the doors for that intrusion.
Yeah. And that social engineering angle. I mean, these folks did their homework to go
through the ruse of a job interview enough that they gained this person's trust and got
them to download the payload.
Indeed. And it's very interesting if you also take into account that the group had North Korean affiliation. So that means that they have more resources and linguistic expertise at their disposal, too. Definitely, that's one of the most, that's what makes this group very, very interesting. ...social engineer, or abilities to essentially have access to sophisticated payment methods
or move money across the chain, like they were looking into from the Bank of Bangladesh.
So that's what makes this group unique and so interesting.
So this person thinks that he's applying for a job and he downloads this file that he thinks
is going to be part of that process. What happens next?
They download a file, and the file is essentially
called ApplicationPDF.exe. So they execute, and then they've been asked to execute essentially
the document, which is essentially not a document, which is an executable. But the executable itself
is essentially, it's a .NET application, which contains the covert function inside of it.
One of the functions is called essentially thread procedure that essentially decodes the base 64 encoded values
and executes essentially and calls the server covertly
while you launch this application.
So it does its own function.
While the application is open,
it actually acts as a downloader of additional malware toolkit.
So yeah, it has a second meaning beyond just the application process.
So without knowing, the employee was running essentially the tool that would download the additional PowerRatankba toolkit.
So that's essentially what it was doing in the background.
To the person who downloaded this and executed the file, this still looked like it was part of a job application process.
Indeed. Whenever you launch this application, it looks like a pretty simple one where essentially
you would list your credentials, you would list what job you're interested, the salary,
desired salary, etc. So it does look like a legitimate application. Actually, they even
mimic the legitimate company called Global Processing Center, LTD, which is, of course,
not the real company used by Lazarus.
But there's a company that exists that provides software related to that.
So they did their reconnaissance and they tried to essentially stay off the radar and
try not to be detected by mimicking legitimate tools and behaviors that they observed in
the past from other employees.
So yes, they did their homework.
This user is looking at this fake job application. And meanwhile, in the background,
this PowerRatankba payload gets downloaded. And so what is it up to behind the scenes?
What's interesting, in fact, when the report actually came out, they noted that the malware that they discovered, which they didn't say actually publicly, or,
you know, it's left to open to interpretation, but it contains multiple layers of PowerShell code.
And they said the malware they discovered was not detected by any antivirus engines or solutions
they've had. And one of the interesting things is how the criminals, or rather the nation state
actors, have been bypassing that. They bypassed that by using layers of PowerShell-encoded code.
So what happened is it actually downloaded an intermediary code,
where the only function of this intermediary code would be to translate,
like to decrypt the second stage code using Base64,
Rijndael and SHA-256, walking through that,
use the function to essentially decrypt the PowerRatankba and execute
that. And one of the interesting things we've
seen is, as the groups moved towards scripting language malware, more than high-level language programming
malware, it actually defeats certain antivirus detection. That's been a known fact,
specifically with PowerShell and of course the JavaScript type of loaders,
because it's so much harder to fingerprint and signature them, and it's so easy to obfuscate
the meaning of them.
And then once, essentially, they decoded that, they unwrapped the whole PowerRatankba, actually
version B, as detailed by our colleagues at Proofpoint.
And one of the interesting insights about that version is that it actually communicated
over HTTPS, which was probably a new invention since the Proofpoint report. And we saw clearly that
it resembles PowerRatankba by memory, and it was starting collecting information about
the machine and sending information elsewhere. So that's what we've been observing and detailed
in our report.
And so what does it seem to be after here?
So here, essentially, what the script is doing is a very in-depth, I would say, reconnaissance about the machine where the malware was executed.
So essentially, it collects all the information about what the computer information is.
So it runs the certain scripts and Windows Management Instrumentation script collects the computer name,
collects Windows architecture, languages of the system, service packs, even collects the file shares.
For example, it hunts down SMB mapped folders, RDP, of course, checks if RDP is open, checks different ports.
So it obtains also the proxy setting, obtains the user information, obtains the processes.
And the idea for the group is to profile machines so well, so they avoid targeting, for example, researchers or anyone else, and they can handpick their targets based on their supposed results.
So, for example, once they have a very good target with the bank information, when they can look at their logs and they can see that this specific machine has multiple file shares available. It makes sense they're inside the bank.
They will start executing and pushing towards additional payload.
And, of course, another thing what the script is doing is, very importantly,
it actually checks the privileges.
It checks what the malware privileges are they operating under.
And do they actually need to, for example, or rather,
can they create a service for persistency?
So they're looking for methods for persistency,
and if they're looking for methods for reconnaissance about the victims.
And the idea for that is once they collect all this information,
send it to the server, they will start moving towards the next stage,
which is likely additional malware toolkit or additional payload
they would use to covertly watch the environment longer and look for
the methods how they can cash out.
And we've seen as a group that they've been pursuing ATM networks with the FASTCash
operation, for example, as detailed by US-CERT, or they've been actually watching slowly
and looking into how the banks process SWIFT payments, for example, as a big topic for
our discussion we've had in the past.
So the next stage would be for them to watch them silently for maybe a week or two before they start moving deeper.
There's a significant dwell time between how this sophisticated group operates.
And it's lucky that actually Red Bank was able to catch them earlier.
And so how were they caught? How did Red Bank discover that they were in their network?
Actually, this remains to be one of the mysteries. So we don't entirely know
how they've been discovered. In many cases, the group's been discovered at the point of cash out
when the banks identify suspicious transactions, go to the bank network or compromise ATM devices.
Here, it appears that actually the bank was able to fully minimize the intrusion, potential intrusion of this attack.
It's not really clear, and we actually don't have evidence to truly know that, but it seems like they were able to do so.
Sometimes, actually, this group has been caught, based on my experience I've seen, on the points of lateral movement.
So, for example, if they start moving too fast across the network,
and the very proficient or effective network hunters catch them on that
level and they stop them and essentially eradicate the attack. That would be their point of weakness.
But here, it's yet to be determined. We don't fully know that as of now.
So, all signs point to this being the Lazarus group. Can you describe to us,
what do we know about Lazarus and why in this case do we
point in their direction? So first of all, Lazarus has so many different names. It's also called
Lazarus Group, Hidden Cobra, Kimsuky. It's an APT group, essentially, Advanced Persistent
Threat Group, which is allegedly comprised of operators from Bureau 121, which was the cyber
warfare division of North Korea's military. And the group has been active since 2009.
And actually, one of the interesting things, as I mentioned earlier,
that the group's not only interested in actually in some potential politically motivated attacks,
but also pursuing and exploiting financial institutions.
It's one of the most formidable in that arena.
What makes them essentially so unique as well is that they also heavily target
Latin American financial institutions, and they've been doing that in the past, specifically
in Chile, actually. And here, the connection to the Lazarus Group is made through their
PowerRatankba toolkit, which is a very unique PowerShell tool that's attributed to them
since 2017. What's interesting is we've seen, with the Lazarus group, the evolution.
So in 2016, they used the toolkit identified as Ratankba by researchers, initially by Trend Micro.
Ratankba was a toolkit they used, which was essentially a binary tool compiled for Windows systems,
essentially used and contained very similar arguments that the PowerRatankba has,
but it was more static, I guess, and didn't contain the scripting language advantages that the PowerRatankba has.
But we've seen, with the public reporting, with the news and the attention that the group achieves
or obtains through researchers and news and media coverage, it has actually adopted PowerRatankba, moving towards PowerShell. So it has very unique structures, very unique URL patterns, very unique code that's only
unique to the Lazarus group we've seen and no one else, as far as we know.
So that's what makes it actually quite interesting for us.
The unique targeting of financial institutions coupled with sophisticated attacks and the
unique technical code overlap.
Essentially, in our blog, we detail the very unique code overlaps with the
PowerRatankba, which makes the connection apparent and evident from the technical perspective.
And so, what are your recommendations for folks to protect themselves against this?
What steps should they take?
That's a very good question.
So, when this group essentially targets the banks or targets individuals, they usually
have done lots of reconnaissance, or they actually have lots of resources to do that.
And oftentimes, you know, whatever defenses we might have, they were able to employ certain measures or essentially tools to bypass them.
What's interesting here is that, as we discussed earlier, the social engineering component.
So whenever we think about the attacks like Lazarus, we oftentimes think about very sophisticated malware intrusion where we don't know what was the initial
attack vector. Here, we're lucky to have actually reported this
social engineering attack vector. So monitoring employees
who might have access to social media specifically at work, specifically who can
go to LinkedIn or essentially or, you know, for example, Skype and use it for professional network rather than for business purposes.
It might be a possible flag to investigate.
And essentially, one of the interesting things is how you can defend against those attacks is, of course, looking into – I'm a huge fan of the ATT&CK framework.
The ATT&CK framework was essentially based on what, well before it, we had in the cyber kill chain.
So looking to the vulnerabilities that the company or might have towards the social engineering trusted relationship aspect.
And essentially testing this, mapping out the ATT&CK as we detailed and we provided in our blog,
reviewing how the company posture might be across this chain.
For example, how likely it is if the employee from bank XYZ gets reached out by somebody who is trying to recruit and essentially deploys a toolkit known to be Lazarus one.
So that's one.
But, of course, on a technical level, on a very tactical one, monitoring for indicators of compromise, deploying ER signatures across the network environment, monitoring for suspicious processes, essentially,
looking for the hackers or attackers moving towards the ATM environment, SWIFT gateways,
looking for unauthorized or irregular activity in those areas.
But here, the added twist is that we should also be looking to social media as the potential
attack vector for that to unfold. So there's lots of lessons to be learned here, actually, and specifically on the
social engineering aspect and how people can be essentially accelerators or essentially
unwitting helpers to this group to install their payload.
Yeah, it's certainly an interesting one. And I suppose it also points to the fact that you can't
underestimate groups like this in terms of the resources that they bring to bear to get at what they want.
Indeed. Indeed.
You can never underestimate Lazarus.
It's really one of the most formidable APT groups we had seen lately in the past.
And we can probably assess with a moderate confidence that they will continuously be one of the most formidable groups in the future.
So, yes, we should never underestimate, especially the actors or the hackers who have so many resources and so much backing from the government.
Yeah, I suppose also there's this educational and training component with your employees to face the reality and say, listen, if you're looking around for other opportunities, well, please do us a favor and do that on your personal machine.
Indeed.
Indeed.
Definitely don't do it on the corporate machine or environment.
And isolate actually those machines from being available to even to social media and
Skype and other.
So yeah, definitely there's an education component and coaching leadership in that as well that
might actually be the first catalyst for future, maybe possible positive changes in that area.
Yeah.
Security.
So, since you all published this particular bit of research, there's been some additional information that's come along.
Yes, indeed.
Actually, there's a company that followed up on our intelligence report and our research called Quad Chain Intelligence Operations Team.
They also uncovered potentially that the Pakistani financial service providers and its employee was also targeted by the same malware and the same attack chain, just like the Lazarus one to target Chilean. And actually, they detailed in their blog, essentially, it points out that potentially this group was targeting in two different fronts, two different directions.
While they also were in Chile pursuing the Redbanc intrusion, they also were targeting a Pakistani
financial institution, which also kind of makes sense since they've been very active
in both the Asian and Latin American space.
One of the interesting things there also to note is that actually Pakistan's Bank Islami previously
reported suspicious ATM activities or irregularities, potentially
with the big heists.
And we couldn't figure out back then what was the essentially the reasoning behind that
or what was the possible explanations of that.
So that report might also fill some of those gaps
related to the cash out. It's still yet unconfirmed, but yet again, there's possible evidence
of the group also operating in Pakistan as a related report. So something to keep track of.
Yeah, another piece of the puzzle. And, you know, nice that you all reach out to each other and
share your finding from organization to organization.
Indeed. To truly defeat those threats, it's important for us to collaborate and share intelligence.
Because they collaborate and share intelligence to target us,
and we should be collaborating and sharing intelligence how to protect against them.
So it's imperative in our industry at this age.
Our thanks to Vitali Kremez from Flashpoint for joining us.
The research is titled Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties.
We'll have a link in the show notes.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe.
Thanks for listening.