The reputed state-sponsored North Korean hacking group Hidden Cobra has once again been fingered in a malware attack against financial organizations — this time apparently targeting Turkish institutions in a spear phishing campaign in early March.
A new blog post from McAfee reports that the company’s Advanced Threat Research team on Feb. 28 discovered the reemergence of Bankshot, a DLL malware implant affiliated with Hidden Cobra (aka Lazarus Group) that first appeared late last year.
Blog post author and McAfee senior analyst Ryan Sherstobitoff reports that the “aggressive” phishing campaign, executed on Mar. 2 and 3, targeted a major government-controlled financial organization, a second government body involved in finance and trade, and three other large financial institutions. “This campaign suggests the attackers may plan a future heist against these targets by using Bankshot to gather information,” Sherstobitoff proposes.
According to the report, the latest attack is reminiscent of past Lazarus Group campaigns against the SWIFT global financial messaging system, in that they share much of the same code and employ control server strings. The phishing emails included an attached Microsoft Word document containing an exploit for CVE-2018-4878, a recently patched Adobe Flash Player vulnerability that was used in a zero-day campaign against South Korean targets late last year — another hint that Pyongyang is likely responsible for this latest scheme.
In December 2017, the US-CERT issued a malware analysis report describing Bankshot as a series of trojan malware variants used “in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation,” all while faking TLS handshake sessions using legit SSL certificates and masking traffic between the malware and the remote operator.
McAfee says this is the first time a Bankshot variant has been tied directly to financial-related hacking, adding that the RAT grants attackers full capabilities on a victim’s system. “This implant also contains functionality to wipe files and content from the targeted system to erase evidence or perform other destructive actions,” the company blog post adds.
Created on Feb. 26, the Microsoft Word document attached to the phishing emails is disguised to look like an agreement for Bitcoin distribution between a cryptocurrency exchange and an individual based in Paris. (North Korean hacking groups commonly use the topic of cryptocurrency as a lure to entice victims.)
An embedded Flash script within the doc exploits CVE-2018-4878 in order to download and execute Bankshot from the domain falcancoin.io, whose name is similar to the cryptocurrency lending platform Falcon Coin, although there is no legitimate association.
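The delivery chain above (a Word document carrying an embedded Flash object) can be checked for on the defender's side without opening the file: OOXML documents are ZIP containers, so embedded Flash shows up as an ActiveX part that names the Shockwave Flash CLSID, an embedded SWF blob, or a Flash content type declaration. The following triage script is an added example written for this article, not McAfee's code; the sample document it scans is constructed in memory, and the CLSID and SWF magic values are the publicly documented ones for Flash.

```python
"""Flag OOXML (.docx) files that embed Flash content, as in the Bankshot lure.

Added example, not from the McAfee report. The sample document is constructed
inline so the script runs offline.
"""
import io
import zipfile

# Well-known ShockwaveFlash.ShockwaveFlash ActiveX CLSID (public knowledge).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")          # uncompressed, zlib, LZMA SWF
FLASH_MIME = b"application/x-shockwave-flash"
REPORTED_DOMAIN = b"falcancoin.io"            # domain named in the report


def scan_docx(data: bytes) -> list:
    """Return a list of findings for one OOXML document given as raw bytes."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a ZIP/OOXML container"]
    for name in zf.namelist():
        blob = zf.read(name)
        text = blob.decode("latin-1").lower()
        if name.startswith("word/activeX/") and FLASH_CLSID.lower() in text:
            findings.append(f"{name}: ActiveX control with Shockwave Flash CLSID")
        if name.startswith("word/embeddings/") and blob[:3] in SWF_MAGIC:
            findings.append(f"{name}: embedded SWF ({blob[:3].decode()})")
        if name == "[Content_Types].xml" and FLASH_MIME in blob:
            findings.append(f"{name}: declares Flash content type")
        # Plain-text hit only; a compressed SWF (CWS/ZWS) hides its URLs.
        if REPORTED_DOMAIN in blob.lower():
            findings.append(f"{name}: references {REPORTED_DOMAIN.decode()}")
    return findings


def build_sample_docx(with_flash: bool = True) -> bytes:
    """Constructed test document: a minimal .docx, optionally with Flash parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml",
                    "<w:document>Bitcoin distribution agreement</w:document>")
        if with_flash:
            zf.writestr("[Content_Types].xml",
                        '<Types><Default Extension="swf" '
                        'ContentType="application/x-shockwave-flash"/></Types>')
            zf.writestr("word/activeX/activeX1.xml",
                        f'<ax:ocx ax:classid="{{{FLASH_CLSID}}}"/>')
            zf.writestr("word/embeddings/oleObject1.swf",
                        b"CWS\x0f" + b"\x00" * 16)   # fake compressed SWF header
        else:
            zf.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()
```

Any finding is a reason to detonate the file in a sandbox rather than deliver it; a clean result is not proof of safety, since an ActiveX part can be obfuscated or the SWF can be fetched at open time.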
The malware implant samples McAfee researchers observed come disguised as ZIP files and communicate with three control servers, two of which are affiliated with Chinese-language online gambling sites, the blog post continues. McAfee also uncovered two additional documents referencing cryptocurrency that were written in Korean and may have been used on different targets as part of the same campaign.