Security experts have lifted the lid on the notorious Lazarus Group pegged for the Bangladesh Bank attack, linking it to countless watering hole attacks on financial and crypto-currency firms around the world and, most interestingly, suggesting a strong connection to North Korea.
Lazarus is operating on a massive scale, with over 150 malware samples tied to the group, Kaspersky Lab claimed in a detailed new analysis.
In fact, it suggests the group “is operating a factory of malware, which produces new samples via multiple independent conveyors”, and is constantly looking to adapt and morph its tools, code and algorithms.
“Those rare cases when they are caught with the same tools are operational mistakes, because the group seems to be so large that one part doesn’t always know what the other is doing,” claimed the vendor.
“This level of sophistication is something that is not generally found in the cybercriminal world. It’s something that requires strict organization and control at all stages of operation. That’s why we think that Lazarus is not just another APT actor.”
While Lazarus is better known for cyber-espionage and sabotage, à la Sony Pictures Entertainment, its subgroup – which Kaspersky Lab has dubbed “Bluenoroff” – is focused on financial gain.
As well as watering hole attacks against Polish banks reported earlier this year, Bluenoroff has launched similar raids in multiple countries including Russia, India, Norway, Nigeria, Australia and Mexico.
Its biggest scalp, however, was the $80m raid on Bangladesh Bank.
Kaspersky Lab revealed the group spends a long time reverse engineering software to find ways into systems: exploiting bugs, brute-forcing passwords for admin staff, using keyloggers and elevating privileges where necessary.
Swift was not at fault, the researchers argue, as this activity is extremely difficult to spot precisely because it mimics legitimate engineer activity, such as starting and stopping services, patching software, and modifying databases.
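The point above is that none of these actions is suspicious on its own, so a signature for them is useless; what a defender can check is whether a maintenance-like burst of service stops, patches and database edits lines up with an approved change. The following Python is an added illustration of that correlation and is not code from Kaspersky Lab or from the report it describes: the log format, the host names, the change calendar and every log entry are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <host> <user> <action> <target>".
# The format and every entry are invented for this example.
SAMPLE_LOG = """\
2017-03-01T02:10:00 swift-gw01 svc_admin STOP_SERVICE MessagingService
2017-03-01T02:12:30 swift-gw01 svc_admin PATCH_SOFTWARE MessagingService
2017-03-01T02:15:00 swift-gw01 svc_admin START_SERVICE MessagingService
2017-03-02T09:00:00 swift-gw01 jdoe LOGIN console
2017-03-04T23:41:07 swift-gw01 svc_admin STOP_SERVICE MessagingService
2017-03-04T23:43:55 swift-gw01 svc_admin MODIFY_DB transactions
2017-03-04T23:44:12 swift-gw01 svc_admin START_SERVICE MessagingService
"""

# Constructed change calendar: (window start, window end, ticket id).
CHANGE_WINDOWS = [
    (datetime(2017, 3, 1, 2, 0), datetime(2017, 3, 1, 3, 0), "CHG-0001"),
]

# Routine maintenance actions that the article says the attackers mimic.
SENSITIVE_ACTIONS = {"STOP_SERVICE", "START_SERVICE", "PATCH_SOFTWARE", "MODIFY_DB"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict; return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, action, target = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "action": action, "target": target}


def approved_ticket(ts):
    """Return the change ticket whose window covers ts, or None."""
    for start, end, ticket in CHANGE_WINDOWS:
        if start <= ts <= end:
            return ticket
    return None


def find_unscheduled_changes(log_text):
    """Return sensitive events that fall outside every approved change window."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] not in SENSITIVE_ACTIONS:
            continue
        if approved_ticket(ev["ts"]) is None:
            flagged.append(ev)
    return flagged


def group_sequences(events, gap=timedelta(minutes=10)):
    """Cluster flagged events per host into maintenance-like sequences.

    A stop / modify / start burst within `gap` and outside any change window
    is the "looks like an engineer" pattern that deserves a human review.
    """
    sequences = []
    current = []
    for ev in sorted(events, key=lambda e: (e["host"], e["ts"])):
        if current and (ev["host"] != current[-1]["host"]
                        or ev["ts"] - current[-1]["ts"] > gap):
            sequences.append(current)
            current = []
        current.append(ev)
    if current:
        sequences.append(current)
    return sequences


if __name__ == "__main__":
    for seq in group_sequences(find_unscheduled_changes(SAMPLE_LOG)):
        actions = " -> ".join(e["action"] for e in seq)
        print(f"{seq[0]['host']} {seq[0]['ts']} unscheduled: {actions}")
```

Run as a script, the first three entries are covered by CHG-0001 and produce nothing, while the late-night stop, database edit and restart on 4 March are reported as one unscheduled sequence. In a real environment the change calendar would come from the ticketing system and the events from the host and database audit logs, but the logic is the same: the individual actions are normal, the absence of an approved change is not.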
“One of Bluenoroff’s favorite strategies is to silently integrate into running processes without breaking them. From the code we’ve seen, it looks as if they are not exactly looking for a hit and run solution when it comes to money theft,” Kaspersky Lab argued.
“Their solutions are aimed at invisible theft without leaving a trace. Of course, attempts to move around millions of USD can hardly remain unnoticed, but we believe that their malware might be secretly deployed now in many other places and it isn’t triggering any serious alarms because it’s much more quiet.”
Perhaps most interestingly, the researchers analyzed a C&C server used by the group in Europe and found a connection to an IP range in North Korea.
The link was found because a Monero mining software installation on the same server caused the system to freeze, meaning the server logs were not cleaned.
“This is the first time we have seen a direct link between Bluenoroff and North Korea,” said the researchers.
“Now, is it North Korea behind all the Bluenoroff attacks after all? As researchers, we prefer to provide facts rather than speculations. Still, seeing an IP in the C2 log does make North Korea a key part of the Lazarus Bluenoroff equation.”