Lazarus targeting banks

I wanted to read about the Lazarus Group since I received two alarms from the Ariolo SIEM. These two alarms are “Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties” and “Lazarus targeting banks in Russia”, which cover campaigns by the same actor group, the Lazarus Group, against the same industry, the finance sector. One customer has received these alarms. Therefore, it’s the best moment to take the plunge and read deeply about these two alarms.

The target of the first alarm is the Chilean interbank network Redbanc, which was attacked with a malware toolkit installed on the company’s corporate network without triggering antivirus detection. It’s amazing how the victim was deceived. The lure begins with a job offer posted on a social media network (LinkedIn), to which the victim applies. The attackers contact the victim and an interview conversation takes place. During that conversation, the interviewer asks the applicant to download and execute a tool (ApplicationPDF.exe) on their computer in order to generate the application form in PDF format. Executing this tool kicks off the infection process.

The dropper malware is disguised as a legitimate software for job applications

Once the victim’s computer executes the attacker’s tool, the sample contacts the C&C URL (hxxps://ecombox[.]store/tbl_add[.]php?action=agetpsb) and, after connecting, drops a script file (REG_TIME.ps1) that is run through a PowerShell process. This malware checks whether the victim’s user has administrator privileges. If it does, the PowerShell script attempts to download the next stage and register it as a service. If it does not, the malware only stays in memory until the next reboot. Even so, it is useful as a reconnaissance tool for deploying more malware if needed.

ThreadProc decodes the Base64-encoded values and executes the PowerShell script

The target of the second alarm is the Russian banking sector. This campaign uses malicious Office documents delivered inside ZIP files, along with a benign PDF document called NDA_USA.pdf that contains an agreement from StarForce Technologies, a Russian software company that provides copy protection software.


The infection takes three steps. First, the ZIP file contains two documents: the lure file, which is a benign PDF, and the malicious file, which is a Word document with macros. Second, the malicious macro downloads a VBS file from Dropbox and executes it. Finally, the VBS script downloads a CAB file from a malicious server, extracts an EXE file from it and executes the RAT malware. Once the RAT (Remote Administration Tool) is running, the attackers send commands from the C&C server to the victim’s computer.

Infection flow of KEYMARBLE malware
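As an added example (my own detection logic, not something from either alarm), here is a small process-tree triage script that flags the behaviours both chains rely on: a dropped .ps1 run by PowerShell from a user-writable folder, a service being registered from a script host, Word spawning a script host, and a CAB being extracted by a script host. The event records and their field names are constructed samples, and the use of expand.exe for the CAB stage is an assumption.

```python
# Added example: process-creation triage for the two Lazarus chains above.
# Events are constructed sample records (not real telemetry); field names
# "parent", "image" and "cmdline" are assumptions about the log schema.
import re
from pathlib import PureWindowsPath

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Folders a non-admin user can write to; a .ps1 there is where REG_TIME.ps1 would land.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|users\\public)\\", re.I)

def rules_for(ev):
    """Return the names of the rules an event triggers (empty list if none)."""
    parent = PureWindowsPath(ev["parent"]).name.lower()
    image = PureWindowsPath(ev["image"]).name.lower()
    cmd = ev["cmdline"].lower()
    hits = []
    # Russian-bank chain: macro-enabled Word document launching the VBS stage
    if parent in OFFICE and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Redbanc chain: PowerShell running a dropped .ps1 from a user-writable path
    if image == "powershell.exe" and ".ps1" in cmd and USER_WRITABLE.search(cmd):
        hits.append("powershell_script_from_user_dir")
    # Redbanc chain: next stage registered as a service by a script host
    if parent in SCRIPT_HOSTS and image == "sc.exe" and " create " in cmd:
        hits.append("service_install_from_script_host")
    # Russian-bank chain: CAB extracted by a script host (expand.exe is assumed)
    if parent in SCRIPT_HOSTS and image == "expand.exe" and ".cab" in cmd:
        hits.append("cab_extract_from_script_host")
    return hits

SAMPLE_EVENTS = [  # constructed records mirroring the two infection flows
    {"parent": r"C:\Users\ana\Downloads\ApplicationPDF.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -f C:\Users\ana\AppData\Local\Temp\REG_TIME.ps1"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe create UpdateSvc binPath= C:\ProgramData\svc.exe"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\ana\AppData\Local\Temp\nda.vbs"},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\expand.exe",
     "cmdline": r"expand.exe C:\Users\ana\AppData\Local\Temp\pkg.cab -F:* C:\ProgramData"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

def triage(events):
    """Map the index of each suspicious event to the rules it triggered."""
    return {i: rules_for(e) for i, e in enumerate(events) if rules_for(e)}
```

Each rule on its own is noisy in a real estate; what makes the alert useful is several of them firing on the same host within a short window, in the order the chains above describe.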

I think these are two really interesting alarms for the banking sector. I work for the Spanish banking sector from Spain, and these two alarms are against the Russian and Chilean banking sectors. However, I’ve also seen these alarms in Spain. Therefore, cyber threat intelligence tools along with SIEM appliances are increasingly useful to detect and block this kind of APT attack. I think these kinds of tools should already be mandatory for most banking companies.

Thanks my friends!! Have you ever read about these alarms?