Threat Management, Threat Management, Malware

North Korea-linked trojan switches targets from banks to cryptocurrency enthusiasts

Originally used by reputed North Korean hackers to attack the global banking sector, the Ratankba downloader trojan has been repurposed into a PowerShell-based variant that appears to be targeting small, non-financial organizations and individuals with an interest in cryptocurrency, an analysis shows.

In a Jan. 24 blog post, Trend Micro researchers CH Lei, Fyodor Yarochkin, Lenart Bermejo, Philippe Z. Lin, and Razor Huang report that the North Korea-linked APT group Lazarus has been infecting victims with the evolved version of Ratankba since June 2017, via phishing documents with cryptocurrency-themed lures.

The Trend Micro report strongly echoes a white paper published in December 2017 by Proofpoint researchers, which refers to the PowerShell-based variant as PowerRatankba (which technically is two subvariants). "We believe that PowerRatankba was likely developed as a replacement in Lazarus Group's strictly financially motivated team's arsenal to fill the hole left by Ratankba's discovery and very public documentation earlier this year," the white paper explains.

In that paper, Proofpoint notes that the phishing campaign enticed readers to download malicious documents or visit fake web pages that supposedly provided downloads or updates for cryptocurrency applications. Either way, the victims would end up infected with the reconnaissance tool.

By analyzing servers that Lazarus used as a back-end system for temporarily holding stolen data, Trend Micro determined that 55 percent of this campaign's victims were located in India and neighboring countries, which "implies that the Lazarus group could be... either collecting intelligence about targets in this region, or is at an early stage of planning," the researchers state. "They could have also been performing exercises in preparation for an attack against similar targets."

Among the victims in India are individuals whom Trend Micro believes to likely be employees of three web software development companies. A South Korean web software development company was similarly targeted, the report continues. Meanwhile, the Proofpoint report states that one spear phishing attack specifically targeted at least one executive at a cryptocurrency organization.

Moreover, Trend Micro found that only five percent of victims were using Microsoft Windows Enterprise, which suggests that larger organizations were not targeted.

A technical analysis of PowerRatankba is available in both the Trend Micro and Proofpoint reports.

In related news, South Korea, whose cryptocurrency exchanges and users have been a repeated target of North Korean hackers, announced this week via its Financial Services Commission that as of Jan. 30, it is eliminating anonymous cryptocurrency trading accounts. As reported by CoinDesk, investors will have use the same name on their crypto exchanges as they do on their bank accounts if they wish to continue trading.

Some reports attributed another drop in Bitcoin's price to South Korea's regulatory announcement.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.