North Korean Malware Attacks ATMs and Banks


The infamous Lazarus Group is behind new malware discovered targeting ATMs and back-office systems in Indian banks and research centers, according to Kaspersky.

The Russian AV vendor claimed in a new report that it discovered the ATMDtrack malware back in late summer 2018. It is designed to sit on targeted ATMs and effectively skim the details of cards as they are inserted into the machine.

However, digging a little deeper, the researchers found another 180+ new malware samples similar to ATMDtrack but which were not designed to target ATMs.

Collectively, these Dtrack malware tools seem to be focused on information theft and eavesdropping, via functionality such as: keylogging; retrieving browser history; gathering host IP addresses and network info; and listing all running processes and files.

The dropper also contained a remote access trojan (RAT) to give attackers complete control over a victim’s machine.

Kaspersky claimed the Dtrack malware shares similarities with the DarkSeoul campaign of 2013, also linked to North Korea’s Lazarus Group, which disrupted computers at a South Korean bank and three TV stations, as well as countless ATMs.

“We first saw early samples of this malware family in 2013, when it hit Seoul. Now, six years later, we see them in India, attacking financial institutions and research centers,” noted the report. “And once again, we see that this group uses similar tools to perform both financially motivated and pure espionage attacks.”

To succeed, however, the Dtrack operators rely on weak network security policies, weak password policies and a lack of traffic monitoring. By addressing these gaps, deploying reputable AV with behavior-based detection, and running regular security training and IT audits, organizations could repel the threat, Kaspersky said.

“The vast amount of Dtrack samples we found demonstrate how Lazarus is one of the most active APT groups, constantly developing and evolving threats in a bid to affect large-scale industries. Their successful execution of Dtrack RAT proves that even when a threat seems to disappear, it can be resurrected in a different guise to attack new targets,” said Kaspersky security researcher, Konstantin Zykov.

“Even if you are a research center, or a financial organization that operates solely in the commercial sector with no government affiliates, you should still consider the possibility of being attacked by a sophisticated threat actor in your threat model and prepare respectively.”
