Proofpoint researchers have uncovered a number of multistage attacks that use cryptocurrency-related lures to infect victims with sophisticated backdoors and reconnaissance malware that we attribute to the Lazarus Group. Victims of interest are then infected with additional malware, including Gh0st RAT, to steal credentials for cryptocurrency wallets and exchanges, enabling the Lazarus Group to conduct lucrative operations stealing Bitcoin and other cryptocurrencies. We also discovered what appears to be the first publicly documented instance of a nation-state targeting a point-of-sale related framework for the theft of credit card data in a related set of attacks. Moreover, the timing of the point-of-sale related attacks near the holiday shopping season makes the potential financial losses considerable.

With activity dating at least to 2009, the Lazarus Group has consistently ranked among the most disruptive, successful, and far-reaching nation-state sponsored actors. The Maattack in South Korea, the Sony Pictures hack in 2014, the successful theft of $81 million from the Bangladesh Bank in 2014, and perhaps most famously this year’s WannaCry ransomware attack and its global impact have all been attributed to the group. The Lazarus Group is widely accepted as being a North Korean state-sponsored threat actor by numerous organizations in the information security industry, law enforcement agencies, and intelligence agencies around the world. The group has increasingly focused on financially motivated attacks and appears to be capitalizing on both the increasing interest and skyrocketing prices for cryptocurrencies.

The Lazarus Group’s arsenal of tools, implants, and exploits is extensive and under constant development. Previously, they have employed DDoS botnets, wiper malware to temporarily incapacitate a company, and a sophisticated set of malware targeting the SWIFT banking system to steal millions of dollars. In this research we detail a new implant dubbed PowerRatankba, a PowerShell-based malware variant that closely resembles the original Ratankba implant. We believe that PowerRatankba was likely developed as a replacement in Lazarus Group’s strictly financially motivated team’s arsenal to fill the hole left by Ratankba’s discovery and very public documentation earlier this year. We also provide a brief timeline of events related to the malicious activity and describe the various delivery methods that Lazarus Group utilized to infect victims with PowerRatankba (Fig.