Skip to main content

North Korean Hidden Cobra APT targets Turkish financial industry with new Bankshot malware


North Korea-linked APT group Hidden Cobra (aka Lazarus Group) is targeting the Turkish financial system.

Experts from McAfee observed the hackers using the Bankshot implant in targeted attacks against the financial organizations in Turkey. The attack resembles previous attacks conducted by Hidden Cobra against the global payment network SWIFT.

Bankshot was first reported by the US DHS in December, now new variants of the malicious code were observed in the wild  The sample analyzed by McAfee is 99% similar to the variants detected in 2017.

The hackers used spear-phishing messages with a weaponized Word document containing an embedded Flash exploit that triggers the CVE-2018-4878, Flash vulnerability that was disclosed in late January.
Adobe promptly patched the vulnerability with an emergency patch, but many computers are still vulnerable because the owners did not apply the patch.

According to McAfee, the implant’s first target was a major government-controlled financial organization that was targeted on March 2 and 3.
Later, the same malware implant infected a Turkish government organization involved in finance and trade and a large financial institution.
The implant has so far not surfaced in any other sector or country. This campaign suggests the attackers may plan a future heist against these targets by using Bankshot to gather information.

McAfee’s report on the campaign says that one government-controlled financial organization, a government organization involved in finance and trade, and three large financial organizations.

The attackers leveraged the Flash exploit to deliver the Bankshot RAT.
“Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity.” reads the analysis published by McAfee.

“The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. “
Spear phishing messaged used a Word document with the filename Agreement.docx, that appears as a template for Bitcoin distribution.
Hidden Cobra bait document
When the open it, the code it contains download malicious DLLs from falcancoin.io domain.

Experts discovered that the DLLs communicate with three control servers whom URLs are hardcoded in the implants’ code.

“The implants (DLLs) are disguised as ZIP files and communicate with three control servers, two of them Chinese-language online gambling sites. These URLs can be found hardcoded in the implants’ code” continues McAfee.
The malicious code is able to perform several malicious operations, including file deletion, process injection, and exfiltration over command and control channel.
Further details, included the Indicators of Compromise (IoCs) are included in the analysis.

Comments

  1. Pedro Santa CruzJuly 18, 2021 at 1:12 PM

    Recording success in Cryptocurrency, Bitcoin is not just buying and holding till when bitcoin sky-rocks, this has been longed abolished by intelligent traders ,mostly now that bitcoin bull is still controlling the market after successfully defended the $40,000 support level once again ad this is likely to trigger a possible move towards $50,000 resistance area However , it's is best advice you find a working strategy by hub/daily signals that works well in other to accumulate and grow a very strong portfolio ahead. I have been trading with Mr Carlos daily signals and strategy, on his platform, and his guidance makes trading less stressful and more profit despite the recent fluctuations. I was able to easily increase my portfolio in just 3weeks of trading with his daily signals, growing my 0.9 BTC to 2.9BTC. Mr Carlos daily signals are very accurate and yields a great positive return on investment. I really enjoy trading with him and I'm still trading with him, He is available to give assistance to anyone who love crypto trading and beginners in bitcoin investment , I would suggest you contact him on WhatsApp: +1(424)285-0682 and telegram : @IEBINARYFX for inquires and profitable trading platform systems. Bitcoin is taking over the world.

    ReplyDelete

Post a Comment

Popular posts from this blog

‘Infraud’ Cybercrime Forum is Busted, 13 hackers arrested & 36 charged

The U.S. Justice Department announced charges on Wednesday against three dozen individuals thought to be key members of ‘ Infraud ,” a long-running cybercrime forum that federal prosecutors say cost consumers more than a half billion dollars. In conjunction with the forum takedown, 13 alleged Infraud members from the United States and six other countries were arrested. Started in October 2010, Infraud was short for “In Fraud We Trust,” and collectively the forum referred to itself as the “Ministry of Fraudulently [sic] Affairs.” As a mostly English-language fraud forum, Infraud attracted nearly 11,000 members from around the globe who sold, traded and bought everything from stolen identities and credit card accounts to ATM skimmers, botnet hosting and malicious software. “Today’s indictment and arrests mark one of the largest cyberfraud enterprise prosecutions ever undertaken by the Department of Justice,” said John P. Cronan , acting assistant attorne
2 comments
Read more

Czech Republic announced it had extradited the Russian hacker Yevgeni Nikulin (29) to the United States

Yevgeni Nikulin (29) was requested by the US for alleged cyber attacks on social networks and by the Russian authorities that charged him with frauds. According to US authorities, the man targeted LinkedIn and Formspring and hacked into the file hosting service Dropbox. The Russian criminal was arrested in Prague in October 2016 in an international joint operation with the FBI. The case in the middle of an arm wrestling between Moscow and Washington, the US Government are accusing Russia to have interfered with 2016 Presidential election  through hacking . Source: US Defense Watch.com In May, a Czech court ruled that Nikulin can be extradited to either Russia or the United States, leaving the final decision to the Justice Minister Robert Pelikan. “It is true there have been two meetings this year where the president asked me not to extradite a Russian citizen to the United States but to Russia,” the website of the weekly newspaper Respekt quoted Pelikan as sayin
2 comments
Read more

NanoCore developper busted and senteced for 33 months

  A hacker who was arrested and pleaded guilty last year—not because he hacked someone, but for creating and selling a remote access trojan that helped cyber criminals—has finally been sentenced to serve almost three years in prison. Taylor Huddleston, 26, of Hot Springs, Arkansas, pleaded guilty in July 2017 to one charge of aiding and abetting computer intrusions by building and intentionally selling a remote access trojan (RAT), called NanoCore , to hackers for $25. Huddleston was arrested in March, almost two months before the FBI raided his house in Hot Springs, Arkansas and left with his computers after 90 minutes, only to return eight weeks later with handcuffs.   This case is a rare example of the US Department of Justice (DOJ) charging someone not for actively using malware to hack victims' computers, but for developing and selling it to other cybercriminals. Huddleston admitted to the court that he created his software knowing it would be used
1 comment
Read more