
Experts at BAE Systems found false flags in the Lazarus malware

Security experts who analyzed the malware used in the attacks against the Polish banks discovered false flags in the Lazarus malicious code.

A few weeks ago, security experts reported that the systems of several Polish banks had been targeted by hackers. The systems were infected with malware after bank staff visited the website of the Polish Financial Supervision Authority.

Both BAE Systems and Symantec began investigating the attacks. According to Symantec, the threat actor behind the attack is the same one that has targeted financial organizations in 31 countries since at least October 2016.

[Figure: Polish bank attackers, Lazarus Group APT, top countries targeted]

According to Symantec, the Polish website used to target the Polish banks delivered a strain of malware known to be part of the toolkit of the Lazarus Group.

The activity of the Lazarus Group surged in 2014 and 2015. Its members used mostly custom-tailored malware in their attacks, and the experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it has been involved both in cyber espionage campaigns and in sabotage activities aimed at destroying data and disrupting systems.

Malware researchers at Symantec have identified roughly 150 targeted IPs associated with more than 100 organizations across 31 countries. The attackers focused their activities on the banks, but the list of victims also includes ISPs and telecom operators.

Now further revelations are emerging from the investigation conducted by the security firms: the threat actors unsuccessfully attempted to trick researchers into attributing their operation to Russian-speaking hackers.

The researchers believe that the threat actors conducted false flag operations to deceive investigators and make attribution of the attack more difficult.

Experts at BAE Systems have dissected half a dozen malware samples and discovered several Russian words in the source code.

“Once the bot has established communication with the remote C&C, it uses several transliterated Russian words to either indicate the state of its communication or issue backdoor commands, such as:

Word            State/Backdoor Command
“Nachalo”       start communication session
“ustanavlivat”  handshake state
“poluchit”      receive data
“pereslat”      send data
“derzhat”       maintain communication session
“vykhodit”      exit communication session”

A deeper analysis conducted by the researchers revealed that the commands were likely the result of an online translation.

“In spite of some ‘Russian’ words being used, it is evident that the malware author is not a native Russian speaker,” states the blog post published by BAE Systems.
“Of our previous examples, five of the commands were likely produced by an online translation. Below we provide the examples and the correct analogues for reference:”

Word            Type of error                                    Correct analogue
“ustanavlivat”  omitted sign at the end, verb tense error        “ustanovit'” or “ustanoviti”
“poluchit”      omitted sign at the end                          “poluchit'” or “poluchiti”
“pereslat”      omitted sign at the end                          “pereslat'” or “pereslati”
“derzhat”       omitted sign at the end                          “derzhat'” or “derzhati”
“vykhodit”      omitted sign at the end, verb tense error        “vyiti”

Several words are written as they are pronounced.

“Through reverse-engineering, we can see the use of many Russian words that have been translated incorrectly. In some cases, the inaccurate translations have transformed the meaning of the words entirely. This strongly implies that the authors of this attack are not native Russian speakers and, as such, the use of Russian words appears to be a ‘false flag’,” continues the analysis.
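As an added example (not code from the article or from BAE Systems), the following scanner searches a memory dump or captured traffic for the six transliterated command tokens listed above and annotates each hit with its protocol meaning and, where BAE noted one, the correct Russian analogue; the sample buffer is constructed, and the word-boundary check avoids false hits on longer words that merely contain a token.

```python
"""Scan a buffer for the transliterated Russian C&C tokens documented by
BAE Systems in the Polish bank-attack samples. Added example; the token
tables come from the article, the sample buffer below is constructed."""
import re

# Token -> protocol meaning, as listed in the BAE Systems analysis.
LAZARUS_TOKENS = {
    "nachalo": "start communication session",
    "ustanavlivat": "handshake state",
    "poluchit": "receive data",
    "pereslat": "send data",
    "derzhat": "maintain communication session",
    "vykhodit": "exit communication session",
}

# Correct transliterations per BAE; the samples drop the trailing soft
# sign ('), one of the tells that the author is not a native speaker.
CORRECT_ANALOGUES = {
    "ustanavlivat": ("ustanovit'", "ustanoviti"),
    "poluchit": ("poluchit'", "poluchiti"),
    "pereslat": ("pereslat'", "pereslati"),
    "derzhat": ("derzhat'", "derzhati"),
    "vykhodit": ("vyiti",),
}

# Case-insensitive, with lookarounds so "poluchit" does not fire inside
# an unrelated longer word such as "poluchitelnost".
TOKEN_RE = re.compile(
    rb"(?<![a-z])(" + b"|".join(t.encode() for t in LAZARUS_TOKENS) + rb")(?![a-z])",
    re.IGNORECASE,
)


def scan(buf: bytes) -> list:
    """Return (offset, token, meaning) for every command token found."""
    hits = []
    for m in TOKEN_RE.finditer(buf):
        tok = m.group(1).decode().lower()
        hits.append((m.start(), tok, LAZARUS_TOKENS[tok]))
    return hits


def assess(buf: bytes) -> dict:
    """Summarise a scan: distinct tokens and whether both session-control
    tokens (start and exit) appear, which makes a chance match unlikely."""
    hits = scan(buf)
    seen = {tok for _, tok, _ in hits}
    return {
        "hits": hits,
        "distinct_tokens": len(seen),
        "session_control": {"nachalo", "vykhodit"} <= seen,
        "misspelt_as_in_samples": sorted(seen & set(CORRECT_ANALOGUES)),
    }


# Constructed sample: protocol strings mixed with benign text.
SAMPLE = (b"GET /index.html\r\nNachalo\x00ustanavlivat\x00poluchit 4096\x00"
          b"Marketing: poluchitelnost is not a word\x00vykhodit\x00")
```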

The threat actor is clearly switching tactics and evolving its modus operandi to avoid detection and make attribution of the attacks harder.


Pierluigi Paganini

(Security Affairs – Lazarus, cybercrime)

