The spate of cyberattacks conducted against Polish banking interests earlier this month and tentatively linked to a Russian cybercriminal gang may have in fact been conducted by a different group who attempted dodge blame and frame the Russians with a false flag operation.
A Trend Micro report stated it is connecting the Lazarus group to that attacks that saw the Ratankba ransomware being used, dismissing the idea it was a Russian group behind the attacks. The company pointed to the poor use of the Russian language in the code as one clue pointing saying these were probably placed as part of a false flag operation to defer blame from the real attacker.
The research firm also noted the attacker's targeted institutions outside the financial sector to include telecommunications, management consulting, information technology, insurance, aviation, and education. In addition, the number of victims may have been initially under reported with enterprises in Taiwan, Hong Kong, China and Bahrain affected.
What was a dead giveaway to Trend Micro's researchers on who was responsible was that many of the Russian words found in the code were in fact more likely chosen by someone who is not a natural speaker of that language.
“Based on the odd wording choices (in Russian) we saw used as commands within the malware, we construe that it is just a decoy—a tactic to obfuscate the attackers' trails,” the report stated.
While the words found were used correctly, they departed from what Russian malware programmers typically use, instead reading as if they were lifted from a translation or dictionary program.
“The verbs used were in their infinitive form, however, which is awkward for a command switch. Case in point: the use of “ustanavlivat” (“to install”) instead of the more command-like “ustanovit” (“do install”), which gives the impression that the malware operator lifted it from a dictionary or source where words are typically listed in default form,” the report stated, adding that many times Russians simply use broken English terms instead of those in their own language.
Trend Micro told SC Media that only a handful of endpoints at these various institutions have been infected with Ratankba. Researchers are unsure at this time if the use of this new malware is growing.
“It is too early to tell. However, based on the malware's compile time, they were constructed in Q4 2016 and were immediately used. Its effect and the scale of impact has yet to be fully seen/realized, and we encourage others to report on this incident so that we can grasp the full scope. Rest assured, we will continue to monitor the situation,” Trend Micro researchers told SC Media.
The ransomware is spread through the use of watering holes and Trend Micro believes the cybercriminals used a combination of skill and lady luck to infect their targets.
“We believe that it is a combination of luck (i.e. what can be compromised) and what the attackers identify as sites that will most likely be frequented by their targets. From the looks of it, the attackers have strategically targeted banking/financial sites. This appears to be the case in the reported Polish bank attack, as well as in others we have observed,” the researchers said.