Kaspersky reveals secrets of most dangerous cyber gang

Apr 4, 2017

Stole $81 million from the Bank of Bangladesh
Lazarus is one of the most dangerous cyber gangs.
Kaspersky Lab has published the results of more than a year of investigation into the activity of Lazarus, a dangerous cyber gang allegedly responsible for stealing $81 million from the Bangladesh Central Bank in 2016.

During forensic analysis of evidence left by the cybercriminals in banks in Southeast Asia and Europe, Kaspersky Lab developed a deep understanding of the gang’s malicious tools and of how it operates when attacking financial institutions, casinos, software developers for investment companies, and cryptocurrency businesses throughout the world. The information collected helped to counter at least two other gangs whose aim was to steal large sums of money from financial institutions.

In February 2016, a group of hackers (unknown at the time) attempted to steal $851 million and managed to transfer $81 million from the Bangladesh Central Bank. It was considered one of the most successful cybercrimes ever.

Further investigations by researchers from various IT security companies, including Kaspersky Lab, found that the attacks were likely launched by Lazarus, a notorious cybercrime gang responsible for a series of regular and destructive attacks. Known for its criminal style, it has been attacking manufacturers, media and financial institutions in at least 18 countries around the world since 2009.

Although the Lazarus gang stayed quiet for several months following the Bangladesh attack, it is still active. The gang was preparing for a new operation aimed at stealing money from other banks. As the preparations for the attack were completed, the gang had already managed to plant its malicious software in the networks of a financial institution in Southeast Asia.

After being discovered and blocked by Kaspersky Lab products, and following the results of the investigations, the gang resumed its attacks for a few more months and later decided to change the attack scenario by moving to Europe. Their efforts failed there when they were again discovered and blocked by Kaspersky Lab security software and by the rapid intrusion response, forensic analysis and reverse engineering work of Kaspersky Lab researchers.

The “Lazarus” formula

Based on the results of the forensic analysis of these attacks, Kaspersky Lab researchers were able to reconstruct the way this gang works.

Initial compromise: A single system within a bank is breached either through vulnerable code that can be accessed remotely (i.e. on a web server) or through a watering hole attack that exploits an undetected security vulnerability in a legitimate website. Once the infected website is visited, the victim (the bank employee) quickly becomes infected with malicious software that brings in additional components.

Foothold on the victim’s machines: The gang then migrates to other hosts in the environment and deploys a backdoor. This malware allows it to come and go whenever it wants.

Internal reconnaissance: After that, the gang spends days and weeks learning the layout of the network and identifying valuable resources. One such resource may be a backup server where authentication information is stored, a mail server, or the domain controller holding the keys for each “available port” in the company, as well as servers that store or process transaction logs.

Deploying malware and stealing money: Finally, the gang deploys malicious software capable of bypassing the detection and blocking mechanisms built into the internal security system of financial software and issuing random transactions on behalf of the bank.

Scope of geographical distribution and attribution

The attacks investigated by Kaspersky Lab researchers lasted for weeks. However, the attackers managed to operate under the radar for months. For example, during the analysis of an incident in Southeast Asia, experts discovered that the hackers had penetrated the bank’s network at least seven months before the day the bank’s security team asked the incident response team for help. In fact, the gang had access to the bank’s network even before the day the Bangladesh incident occurred.

According to Kaspersky Lab’s records, malware samples relating to Lazarus activity have appeared in financial institutions, casinos, software developers for investment companies, and cryptocurrency businesses in Korea, Bangladesh, India, Vietnam, Indonesia, Costa Rica, Malaysia, Poland, Iraq, Ethiopia, Kenya, Nigeria, Uruguay, Gabon, Thailand and several other countries since December 2015. The latest samples known to Kaspersky Lab were detected in March 2017, indicating that the attackers have no intention of suspending their activities.

Although the attackers were careful enough to remove any traces of their presence, there was at least one server that the gang had breached to use for another attack. On this server the gang made a serious mistake and left behind an important clue. In preparation for the operation, the server was configured as a command-and-control center for the malware. The connections made on the day the server was set up came from a number of VPN servers, indicating a testing period for the command-and-control server. However, there was also one short connection that day from a very rare range of IP addresses in North Korea. According to the researchers, this may mean several things: that the attackers connected from that IP address in North Korea, that it was a deliberate false trail meant to mislead, or that someone in North Korea accidentally visited the link.

The Lazarus gang is investing heavily in new, diverse variants of its malware. For months the gang has been trying to devise a set of malicious tools that would be invisible to security platforms, but in parallel Kaspersky Lab experts have been able to identify distinctive features in how the gang writes its code, allowing Kaspersky Lab to continue tracking all new malware. Today, the attackers are relatively quiet, which means they are probably preparing to rework their offensive arsenal.

“We are confident that this gang will be back in the near future,” said Vitaly Kamluk, head of the Asia Pacific Global Research and Analysis Team. “In general, attacks such as those by the Lazarus electronic gang show that any minor error in the identification process could lead to a major security breach that would cause the target company financial losses of hundreds of millions of dollars. We hope that executives in banks, casinos and investment companies around the world will become aware of the name of the Lazarus gang.”

Kaspersky Lab products successfully detect and track the malware used by the Lazarus gang under the following detection names: HEUR:Trojan-Banker.Win32.Alreay, Trojan-Banker.Win32.Agent.

The company will also soon release important indicators of compromise (IOCs) and other vital data to help companies find evidence of attacks on their networks.

Kaspersky Lab recommends that all companies carefully scan their networks to make sure they are free of Lazarus malware and, if any is detected, remove the infection from their systems and report it to law enforcement and incident response teams.
