Originally used by reputed North Korean hackers to attack the global banking sector, the Ratankba downloader trojan has been repurposed into a PowerShell-based variant that appears to be targeting small, non-financial organizations and individuals with an interest in cryptocurrency, an analysis shows.
In a Jan. 24 blog post, Trend Micro researchers CH Lei, Fyodor Yarochkin, Lenart Bermejo, Philippe Z. Lin, and Razor Huang report that the North Korea-linked APT group Lazarus has been infecting victims with the evolved version of Ratankba since June 2017, via phishing documents with cryptocurrency-themed lures.
The Trend Micro report strongly echoes a white paper published in December 2017 by Proofpoint researchers, which refers to the PowerShell-based variant as PowerRatankba (which technically is two subvariants). “We believe that PowerRatankba was likely developed as a replacement in Lazarus Group’s strictly financially motivated team’s arsenal to fill the hole left by Ratankba’s discovery and very public documentation earlier this year,” the white paper explains.
In that paper, Proofpoint notes that the phishing campaign enticed readers to download malicious documents or visit fake web pages that supposedly provided downloads or updates for cryptocurrency applications. Either way, the victims would end up infected with the reconnaissance tool.
By analyzing servers that Lazarus used as a back-end system for temporarily holding stolen data, Trend Micro determined that 55 percent of this campaign’s victims were located in India and neighboring countries, which “implies that the Lazarus group could be… either collecting intelligence about targets in this region, or is at an early stage of planning,” the researchers state. “They could have also been performing exercises in preparation for an attack against similar targets.”
Among the victims in India are individuals whom Trend Micro believes to likely be employees of three web software development companies. A South Korean web software development company was similarly targeted, the report continues. Meanwhile, the Proofpoint report states that one spear phishing attack specifically targeted at least one executive at a cryptocurrency organization.
Moreover, Trend Micro found that only five percent of victims were using Microsoft Windows Enterprise, which suggests that larger organizations were not targeted.
A technical analysis of PowerRatankba is available in both the Trend Micro and Proofpoint reports.
In related news, South Korea, whose cryptocurrency exchanges and users have been a repeated target of North Korean hackers, announced this week via its Financial Services Commission that as of Jan. 30, it is eliminating anonymous cryptocurrency trading accounts. As reported by CoinDesk, investors will have use the same name on their crypto exchanges as they do on their bank accounts if they wish to continue trading.
Some reports attributed another drop in Bitcoin’s price to South Korea’s regulatory announcement.