Malware samples recovered from watering hole attacks that have recently targeted banks across the globe contain false flags that fraudulently suggest Russian actors are behind the campaign, even though the most likely culprit remains the North Korea-linked APT Lazarus Group, BAE Systems reported in a Monday blog post.
BAE's analysis corresponds to industry reports warning that attackers have been compromising websites commonly visited by banking companies in order to redirect these financial institutions to an exploit kit that attempts to install malware.
According to BAE, one DLL file that was identified as botnet malware – capable of contacting and transferring files to the attackers' command-and-control server – used transliterated Russian terminology as its backdoor commands. However, these Russian terms contained various verb tense errors and other awkward mistakes that seemed to indicate that the words were derived via online translation.
"Due to such inconsistencies, we conclude that the Russian language is likely used as a decoy tactic, in order to spoof the malware's country of origin," BAE concludes in its blog post.
Researchers found additional false-flag evidence in another malware sample filled with poorly translated words – this one a malicious implant used to compromise at least one of the watering hole websites, apparently by exploiting a flaw in JBoss. In its blog post, BAE notes that one code fragment in the malicious script contained the Russian word "chainik" and the English word "dummy."
"As such, it is obvious that the word 'dummy' has been translated into 'chainik.' However, the word 'chainik' in Russian slang (with the literal meaning of 'a kettle') is used to describe an unsophisticated person, a newbie; while, the word 'dummy' in the exploit code is used to mean a 'placeholder' or an 'empty' data structure/argument," the blog post explains.