APT

North Korea-Linked Lazarus APT suspected for online Casino assault

The North Korea-linked APT group known as Lazarus made the headlines again for attacking an online casino in Central America and other targets.

The activity of the Lazarus Group (aka Hidden Cobra) surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.  Security researchers discovered that North Korean Lazarus APT group was behind attacks on banks, including the Bangladesh cyber heist.

Now security experts from ESET uncovered a cyber attack against an online casino in Central America and on other targets, in all the assaults hackers used similar hacking tools, including the dreaded KillDisk disk-wiper.

The experts found several backdoors and a simple command line tool that was designed to inject into/kill processes, terminate/reinstall services, and drop/remove files.

Most of the tools were specifically designed to run as a Windows service and require administrator privileges for their execution.

ESET detailed a TCP backdoor dubbed Win64/NukeSped, a console application that is installed in the system as a service.

The backdoor implements a set of 20 commands whose functionality is similar to previously analyzed Lazarus samples.

“Win64/NukeSped.W is a console application that is installed in the system as a service. One of the initial execution steps is dynamically resolving the required DLL names, on the stack:” states the analysis published by ESET.

“Likewise, procedure names of Windows APIs are constructed dynamically. In this particular sample, they are visible in plaintext; in other past samples that we’ve analyzed they were base64-encoded, encrypted or resolved on the stack character by character”

The backdoor allows attackers to gather information on the system, create processes, search for files, drop files on the infected systems, and inject code into processes, including Explorer.

Researchers from ESET also detailed session hijacker, dubbed Win64/NukeSped.AB, that is a console application capable of creating a process as another currently–logged-in user on the target system.

The session hijacker was spotted in the attack against the casino, researchers at ESET believe it is the same malware used in the attacks against Polish banks and Mexican entities.

ESET pointed out that at least two variants of the KillDisk malware were used in the attack that appear not linked to past wiper-based attacks, like the ones that hit Ukraine in December 2015 and December 2016.

“KillDisk is a generic detection name that ESET uses for destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable.” continues the report.

“Sub-family variants that do have strong code similarities, are sometimes seen separate cyberattacks and thus can help us make connections, as here. Other cases, for example the directed cyberattacks against high-value targets in Ukraine in December 2015 and December 2016, also employed KillDisk malware, but those samples were from different KillDisk sub-families, so are most likely unrelated to these attacks.”

According to ESET, more than 100 machines belonging to the Central American online casino were infected with the two variants of Win32/KillDisk.NBO.

It is still unclear if the attackers used the KillDisk wiper to cover the tracks of an espionage campaign, or if the malicious code was used in an extortion schema or sabotage.

The presence of the KillDisk wipers and various Lazarus-linked malware suggests that the APT group was responsible for the attack.

Experts also found that both variants present many similarities with the ones that previously targeted financial organizations in Latin America.

The attackers also used the Mimikatz tool to extract Windows credentials, a tool designed to recover passwords from major web browsers, malicious droppers and loaders to download and execute their tools onto the victim systems.

The hackers leveraged Radmin 3 and LogMeIn as remote access tools.

“This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack (we didn’t see these exact samples anywhere else).” concluded ESET.

“The attack itself was very complex, consisted of several steps, and involved tens of protected tools that, being stand-alone, would reveal little from their dynamics.” 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Lazarus APT, North Korea)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

2 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

9 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

20 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.