A hacking gang known as the Lazarus Group might be responsible for malware attacks that have targeted Polish banks and other financial organizations.
In the beginning of February, the security community first learned about a string of attacks that targeted at least 20 Polish banks.
Analysis into these infections remains ongoing.
Security firm Symantec is just one of the firms currently studying these incidents. You can imagine its Security Response researchers’ surprise, therefore, when they recognized the exploit kit involved in the infections. In fact, they had blocked dozens of attacks launched by that very same perpetrators against targets in Mexico, Uruguay, and Poland since 2014.
Symantec explains more in a blog post:
“The attackers appear to be using compromised websites to redirect visitors to a customized exploit kit, which is preconfigured to only infect visitors from approximately 150 different IP addresses. These IP addresses belong to 104 different organizations located in 31 different countries. The vast majority of these organizations are banks, with a small number of telecoms and internet firms also on the list.”
Symantec’s researchers go on to say they’ve never before come across the exploit kit’s malware sample, which goes by the name “Ratankba.” But they did recognize a Hacktool retrieved by the malware from its command and control (C&C) server.
The tool appears to be the work of Lazarus, a hacking gang which has been targeting organizations since at least 2009. Lazarus is known for preying upon institutions in the United States and South Korea especially. Even so, its notoriety is global in scope. Some evidence even links Lazarus to the Bangladesh Bank heist that occurred back in 2016.
Additional analysis by other security firms corroborates Lazarus’ involvement in the Polish malware campaigns. Researchers at BAE Systems, for example, found that one of the samples used in the attacks appears to belong to the threat actor’s toolkit.
The BAE researchers don’t attribute Lazarus conclusively for the attacks. But they do say they wouldn’t be surprised if the group was behind them. As they observe in an article:
“The technical/forensic evidence to link the Lazarus group actors (who we believe are behind the Bangladesh Bank attack and many others in 2016) to the watering-hole activity is unclear. However, the choice of bank supervisor / state-bank websites would be apt, given their previous targeting of Central Banks for Heists – even when it serves little operational benefit for infiltrating the wider banking sector.”
If Lazarus is responsible for these malware infections, it’s more important than ever for organizations to use the IoCs associated with the Polish malware attacks and update their own defenses. Those indicators are replicated by both Symantec and BAE Systems in their respective write-ups of this threat.