Lazarus may be behind a new malware campaign targeting banks in 31 countries.
Lazarus may be behind a new malware campaign targeting banks in 31 countries.

A variety of banks and other financial institutions in more than 30 countries have been targeted in a new round of watering hole attacks, perhaps the work of the Lazarus group, according to a blog post from Symantec.

No funds have been detected as yet being stolen from accounts, but the previously unknown malware has been active since at least October 2016, the report stated.

A number of pre-selected targets have been infected with the malware. "The attackers compromised the website to redirect visitors to an exploit kit which attempted to install malware on selected targets," said the Symantec researchers.

The campaign was first detected after a bank in Poland found the previously unseen malware on its system and shared the indicators of compromise (IOCs) with other institutions, which too then realized they'd been infected.

The attack is believed to have originated at the website of the Polish financial sector regulatory body, Polish Financial Supervision Authority.

Indications are that the criminals behind the campaign are exploiting infected websites to redirect victims to a customized exploit kit, which the researchers explained is coded to infect 150 different IP addresses belonging to 104 organizations in 31 countries, predominantly banks, with a few telecoms and internet firms as well.

The malware in this latest campaign (Downloader.Ratankba), a trojan horse that delivers malicious files to infected computers, was previously unknown, although analysis is still underway. However, Symantec recognized that certain code strings in the malware bore similarities to code in malware previously used by Lazarus, the threat group reportedly based in North Korea and believed responsible for the November 2014 wiper attack against Sony Pictures Entertainment.

The Ratankba malware was seen connecting with eye-watch[.]in for command-and-control communications and then downloading a Hacktool. This Hacktool, the researchers stated, bares "distinctive characteristics shared with malware previously associated with Lazarus."

The attack group Lazarus, active since at least 2009, is credited with a number of financial attacks on targets in the U.S. and South Korea, as well as a Bangladesh bank.

"We have a weak link between the malware being used in this attack and Lazarus," Eric Chien, technical director of Symantec Security Response, told SC Media on Monday. "Functionally, the samples recovered so far are functionally distinct. However, they do share code related to how they load APIs," he said 

All malware or applications make use of Windows functionality (APIs) and to make use of this functionality you need to ‘load' these APIs, Chien explained. "They use the same obfuscated means of loading such APIs. You could imagine some actor deciding to copy that means. However, we do not see this method in historic widespread use. There is an additional reuse of code related to a self-deletion routine as well, but this is a very small piece of code."

Interestingly in this case, said Chien, samples serve the same functional purpose to previous Lazarus attacks, but are not the same code. "So, their coding appears to have started from scratch for multiple binaries with the exception of the API loading routine and self-deletion code."

If it is Lazarus, this means they have shifted their techniques and targets, Chien explained.  The difference being that previous banking attacks focused on Asia, and now those behind this latest campaign created a target list of 100 banks all over the world, including in the U.S. Further, Chien said, the attackers are using watering hole techniques, which means they have to infect a website of interest to their victim. "It is one thing to infect any random website on the internet. It's another to find and succeed in infecting multiple specific websites. This would represent an increase in sophistication," Chien said.

All of these items – the increase in sophistication, increase in targets, non-reuse of binaries – would cause one to think that the group is actually not Lazarus, Chien said. "Equally however, Lazarus has historically never been predictable – from the Sony wipe attacks to attempting to steal $1B from the Bank of Bangladesh, which were quite different motivations. Right now, we do not have a hard link to Lazarus, but continue to investigate."

Ilia Kolochenko, CEO of High-Tech Bridge, a web security company, told SC Media on Monday that we should expect that cybercriminals will find more creative and reliable ways to compromise their victims. "Trustworthy websites, such as governmental ones, represent great value for cybercriminals, even if they don't host any sensitive or confidential data," he said.

"In the past, hackers used one-off or garbage websites to host malware, but as corporate users become more educated and vigilant, attackers need to find more reliable avenues to deliver malware and enter corporate networks."

That's why Gartner, and other independent research companies, continuously say that the risk of corporate web applications is very high and seriously underestimated, Kolochenko stated. "Spear phishing and watering hole attacks against high-profile websites will significant grow in the near future."