Over 100 organizations worldwide have been hit by a major new co-ordinated campaign using compromised websites to infect them with malware linked to the infamous Lazarus Group, according to Symantec.
The source of the attack appears to have been the website of the Polish financial regulator, which was compromised and used to redirect visitors to an exploit kit designed to download malware on only 150 specific IP addresses.
Those 104 target organizations are mainly banks, with a spattering of telecoms and some internet firms located in 31 countries, the security giant claimed.
The campaign has been going since at least October last year, with Symantec blocking 14 attacks against computers in Mexico, 11 against computers in Uruguay, and two against computers in Poland.
Other affected countries apparently include the UK, Colombia, Brazil, Chile, Denmark and Venezuela.
“Analysis of the malware [Downloader.Ratankba] is still underway. Some code strings seen in the malware used shares commonalities with code from malware used by the threat group known as Lazarus,” Symantec explained in a blog post.
“Ratankba was observed contacting eye-watch[.]in for command and control (C&C) communications. Ratankba was then observed downloading a Hacktool. This Hacktool shows distinctive characteristics shared with malware previously associated with Lazarus.”
The Lazarus Group – which is believed to be North Korean in origin – has been pegged for several aggressive attacks on targets in the US and South Korea, most notably a major 2011 DDoS campaign against its near neighbour and the Backdoor.Destover-powered disk-wiping attack on Sony Pictures Entertainment three years later.
It was even linked to the massive $81m heist at the Bangladesh Bank and other attempts to steal money from banks using the global Swift transfer system.
Thus far there’s no evidence that those banks caught in the latest campaign have had any money stolen as a result.