Threat Management, Malware

Malware targeting banks contains apparent false flags designed to frame Russians

Malware samples recovered from watering hole attacks that have recently targeted banks across the globe contain false flags that fraudulently suggest Russian actors are behind the campaign, even though the most likely culprit remains the North Korea-linked APT Lazarus GroupBAE Systems reported in a Monday blog post.

BAE's analysis corresponds to industry reports warning that attackers have been compromising websites commonly visited by banking companies in order to redirect these financial institutions to an exploit kit that attempts to install malware.

According to BAE, one DLL file that was identified as botnet malware – capable of contacting and transferring files to the attackers' command-and-control server – used transliterated Russian terminology as its backdoor commands. However, these Russian terms contained various verb tense errors and other awkward mistakes that seemed to indicate that the words were derived via online translation.

"Due to such inconsistencies, we conclude that the Russian language is likely used as a decoy tactic, in order to spoof the malware's country of origin," BAE concludes in its blog post.

Researchers found additional false-flag evidence in another malware sample filled with poorly translated words –  this one a malicious implant used to compromise at least one of the watering hole websites, apparently by exploiting a flaw in JBoss. In its blog post, BAE notes that one code fragment in the malicious script contained the Russian word "chainik" and the English word "dummy."

"As such, it is obvious that the word 'dummy' has been translated into 'chainik.' However, the word 'chainik' in Russian slang (with the literal meaning of 'a kettle') is used to describe an unsophisticated person, a newbie; while, the word 'dummy' in the exploit code is used to mean a 'placeholder' or an 'empty' data structure/argument," the blog post explains.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.