Research Saturday 3.9.19
Ep 76 | 3.9.19

Job-seeker exposes banking network to Lazurus Group


Dave Bittner: [00:00:02] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Vitali Kremez: [00:01:53] We've been tracking Lazarus Group, or the group known to be operating under the umbrella, I guess, named Lazarus.

Dave Bittner: [00:01:59] That's Vitali Kremez. He's Director of Research at Flashpoint. The research we're discussing today is titled, "Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties."

Vitali Kremez: [00:02:10] They're known for one of the most sophisticated, financially-motivated hacks we've seen in the past linked to, of course, the bank heist, and many, many others. So, they've continuously been targeting various financial institutions, and they're considered to be one of the most formidable groups that - doing that. So, we've been tracking them, and through our tracking, and of course, collaboration with other researchers, everything that we can find about this group is very interesting to us. Because their primary goal, of course - actually, the group has multiple goals - but one of the goals is to bring cash, or the money, back to the economy of North Korea.

Vitali Kremez: [00:02:44] So, they're very unique in the way they're positioned, and they're possibly very agile, and they're very active. So, that always always heightens our interest related to this group and what they've been working on. So, while we've been tracking, we identified one sample called PowerRatankba, which is a PowerShell toolkit. And then, while we were looking deeper, of course, and then there'd be - the open-source reporting came out, saying that the Redbanc suffered a breach, and they connected to one of the malware which they didn't identify, we found the traces of Lazarus. And this of course raised lots of interest and lots of attention from our clients, and both industry-wide.

Dave Bittner: [00:03:20] Well, let's walk through what you found here. This one starts with kind of an interesting initial attack vector. Can you describe to us what happened?

Vitali Kremez: [00:03:27] Sure. The attack vector is indeed very, very interesting. It's essentially what had been reported actually, and what had been semi-confirmed by the Redbanc as well, that a developer - who was an employee working for Redbanc, essentially - was approached by someone on LinkedIn, on social media, offering a job. And then once they go into the job interview process - and essentially even had an interview over Skype in Spanish, which is very, very interesting - they establish a kind of trust relationship, which oftentimes really helps the malicious actors or nation-state groups to really deliver the payloads where they need to be. And then, through that relationship, the employee received a payload, which essentially was "ApplicationPDF," which is a kind of a binary executable which had a covert function.

Vitali Kremez: [00:04:15] So, this was not only a fake application, but it had also a purpose to essentially download and install PowerRatankba, which was the reconnaissance tool used by the Lazarus Group. From our experience, you know, like when we look at the groups such as Lazarus or FIN7 - they also rely heavily, actually, on building this relationship and using this targeted approach, which allows them to be more successful with their payloads.

Dave Bittner: [00:04:39] Yeah, I mean, it's an interesting one because, you know, like you said, it started with social engineering, but also interesting - I guess, a lesson for us all - that I guess this employee was responding to a job offer on his work computer.

Dave Bittner: [00:04:53] Indeed. There's a lot of lessons to learn here - lessons to learn how sophisticated and resourceful the group is, and how targeted their approach can be, even crossing, like you said, into the social engineering realm. But also how the employees should not probably use the social media while they're at work, or download additional tools while they're employed by any company. Yet again, it highlights both the attack vector, as the possible employee who can be browsing social media and being approached by the groups, but also highlight the possible, like, strategies how we can think about network hygiene of applying maybe defenses, and looking deeper into social media relationships, or the access the employees might have - could that yet again open the door to that intrusion?

Dave Bittner: [00:05:35] Yeah, in that social engineering angle - I mean, these folks did their homework to go through the ruse of a job interview enough that they gained this person's trust and got them to download the payload.

Vitali Kremez: [00:05:48] Indeed. Indeed. And it's very interesting, if you also take into account that the group was - had North Korean affiliation. So this means that they have more resources and linguistic expertise at their disposal, too. Definitely, that's one of the most - that's what makes this group very, very interesting. Not necessarily even the biggest hacks they've had, but also, for example, their abilities to social engineer, or abilities to essentially have access to sophisticated payment methods, or move money across the chain like they were looking into from the bank heist. So, that's what makes this group unique and so interesting.

Dave Bittner: [00:06:21] So, this person thinks that he's applying for a job, and he downloads this file that he thinks is going to be part of that process - what happens next?

Vitali Kremez: [00:06:30] They download the file, and the file essentially is called "ApplicationPDF.pdb." So, they execute - and then they've been asked to execute, essentially, the document - which is essentially not a document, which is an executable. But the executable itself is essentially - it's a .NET application which contains the covert function inside of it. One of the functions is called, essentially, "ThreadProcedure," that essentially decodes the Base64 encoded values and executes - essentially, it calls the server covertly while you launch this application. So, it does its own function while this application is opened. It actually - it acts as a downloader of additional malware toolkit. So, yeah it has a second meaning beyond just the application process. So, without knowing the employee was running, essentially, the tool that it would download the additional PowerRatankba toolkit. So that's essentially what it was doing in the background.

Dave Bittner: [00:07:22] To the person who downloaded this and executed the file, this still looked like it was part of a job application process?

Vitali Kremez: [00:07:31] Indeed. Whenever you launch this application, it looks like a pretty simple one where, essentially, you would list your credentials, you would list where the job you're interested, the salary, desired salary, et cetera. So, it does look like a legitimate application. Actually, they even mimic the legitimate company called "Global Processing Center, Ltd," which is of course not the real company that's used by Lazarus, but there is a company that exists that provides software related to that. So, they did their reconnaissance, and they tried to essentially stay off the radar and tried not to be detected, by mimicking legitimate tools and behaviors that they observed in the past from other employees. So, yes, they did their homework.

Dave Bittner: [00:08:13] This user is looking at this fake job application, and meanwhile, in the background, this PowerRatankba payload gets downloaded. And so, what is it up to behind the scenes?

Vitali Kremez: [00:08:24] What's an interesting fact - when the report actually came out, they noted that the malware that they discovered - which they didn't say, actually, publicly, or, you know, they left open to interpretation - but it contains multiple layers of PowerShell code. And they said the malware they discovered was not detected by any antivirus engines or solutions they've had. One interesting thing is how the criminals - or how, rather, the nation-state actors - they've been bypassing that. They've been bypassing that in layers of PowerShell encoded code.

Vitali Kremez: [00:08:55] So, what's happened is, it's actually downloaded the intermediary code, which - the only function of this intermediary code would be to translate, to decrypt the second-stage code using Base64, Rijndael with SHA256. Walking through that is the function “crypt_do,” essentially decrypting the PowerRatankba, and executing that. And one of the interesting things we've seen is, as the groups move towards scripting language malware - more like high-language programming malware - it's actually defeated certain antivirus detection. That's been a known fact, specifically with PowerShell and, of course, the JavaScript loaders, because it's so much harder to fingerprint or signature them, and it's so easily - easier to obfuscate the meaning of them.

Vitali Kremez: [00:09:38] And then, once essentially they decoded that, they unwrapped the whole PowerRatankba - actually, version B, as detailed by our colleagues at Proofpoint - and one of the interesting insights about that version that was actually communicating on HTTPS, which was probably a new invention since the Proofpoint report - and we saw clearly that it resembles PowerRatankba in memory and it was starting collecting information about the machine and sending information elsewhere. So that's what we've been observing, and detailed in our report.

Dave Bittner: [00:10:07] And so, what does it seem to be after here?

Vitali Kremez: [00:10:09] So here, essentially, what the script is doing - essentially doing, is very in-depth, I would say, reconnaissance about the machine where the malware was executed. So, it essentially collects all the information about what the computer information is. So it runs the certain scripts and Windows management instrumentation scripts, collects the computer name, it collects Windows architecture, languages of the system, service packs, even collects the file shares. For example, it hunts down for SMB mapped folders, RDP of course, checks for if RDP is open, checks different ports, obtains also the proxy setting, obtains the user information, obtains the processes.

Vitali Kremez: [00:10:48] And the idea for the group is to profile machines so well, so they avoid targeting, for example, researchers or anyone else, and they can hand-pick their targets based on their supposed results. So, for example, once they have a very good target with the bank information, when they can look at their logs and they can see that this specific machine - it has multiple, like, file shares available - it makes sense they're inside the bank. They will start executing and pushing towards additional payloads.

Vitali Kremez: [00:11:17] And of course, another thing what this group is doing is, very importantly, essentially checks the privileges. It checks what the malware privileges are - are they operating under, and do they actually need to, for example - or rather, can they create a service for persistency? So, they're looking for methods for persistency and they're looking for methods for reconnaissance about the victims. And the idea for that is, once they collect a little information, send it to the server, they will start moving towards next stage, which is likely additional malware toolkit or additional payload they would use for - to covertly watch the environment longer, and look for the methods how they can cash-out.

Vitali Kremez: [00:11:56] And we've seen, as a group, that they've been pursuing ATM networks with these FASTCash operations, for example, as detailed by US-CERT, where they've been actually watching slowly and looking into how the banks process SWIFT payments, for example, as was a big topic for a discussion we've had in the past. So, they've been next - they're going to be - next stage would be for them to watch them silently for maybe a week or two before they start moving deeper. This a significant dwell time, between how this sophisticated group operates, and it's lucky that actually Redbanc was able to catch them earlier.

Dave Bittner: [00:12:27] And so how were they caught? How did Redbanc discover that they were in their network?

Vitali Kremez: [00:12:32] Actually, this remains to be one of the mysteries. We don't entirely know how they've been discovered. In many cases, the group's been discovered at the point of cash-out, when the banks identify suspicious transaction go to the bank network, or will compromise ATM devices. Here, it appears to be actually the bank was able to fully minimize the intrusion - potential intrusion, of this attack. It's not really clear, and we actually don't have evidence to truly know that, but it seems like they were able to do so.

Vitali Kremez: [00:12:59] Sometimes, actually, this group has been caught - it's my experience, I've seen - is on the points of lateral movement. So, for example, if they start moving too fast across the network, and very proficient or effective network hunters catch them on that level, and they stop them and essentially eradicate the attack. That's what's been their point of weakness. But here it's yet to be determined. We don't fully know that, as of now.

Dave Bittner: [00:13:24] So, all signs point to this being the Lazarus group. Can you describe to us - what do we know about Lazarus, and why in this case do we point in their direction?

Vitali Kremez: [00:13:35] So, first of all, Lazarus has so many different names. It's also called Lazarus Group, Hidden Cobra, Kimsuky - it's an APT group, essentially - advanced persistent threat group. It's - which is allegedly comprised of operators from Bureau 121, which is this cyberwarfare division of North Korea's military. And the group has been active since 2009. And actually, one of the interesting things, as I mentioned earlier, that the group's not only interested in actually some potential politically-motivated attacks, but also pursuing and exploiting financial institutions. And it's one of the most formidable in that area.

Vitali Kremez: [00:14:09] What makes them essentially so unique, and also - they also heavily target Latin American financial institutions and they've been doing that in the past - specifically in Chile actually. And here, the connections to the Lazarus Group is made through their PowerRatankba toolkit, which is very unique PowerShell tool that's attributed to them since 2017. What the interesting thing is, we've seen, with the Lazarus Group, the evolution.

Vitali Kremez: [00:14:34] So, in 2016 they used the toolkit identified as Ratankba by researchers - I think initially by Trend Micro. Ratankba was a toolkit they used, which is essentially binary tool compiled in a Windows system, essentially, used - and contained very similar arguments that the PowerRatankba has. But it's both more of a static, I guess, and didn't contain the scripting language advantages that the PowerRatankba has.

Vitali Kremez: [00:14:59] But we've seen with the public reporting, with the news, and the attention that the group achieves, or obtained, through researchers and news and media coverage, it's actually adopted this Ratankba towards PowerShell. So it has their unique structures, their unique URL patterns, their unique code that's only unique to the Lazarus Group we've seen, and no one else, as far as we know.

Vitali Kremez: [00:15:22] So that's what makes it actually quite interesting for us. This unique targeting of financial institutions, coupled with sophisticated attacks, and the unique technical code overlap. Essentially, in our blog, as we detailed the very unique code overlaps with PowerRatankba, which makes the connection apparent and evident from the technical perspective.

Dave Bittner: [00:15:41] And so, what are your recommendations for folks to protect themselves against this? What steps should they take?

Vitali Kremez: [00:15:46] That's a very good question. So, when this group essentially targets the banks, or targets individuals, they usually have done lots of reconnaissance, or they actually have lots of resources to do that. And oftentimes, you know, whatever defenses we might have, they were able to employ certain measures, or essentially tools, to bypass them. What's interesting here is that, as we discussed earlier, the social engineering component.

Vitali Kremez: [00:16:12] So, whenever we think about the attacks like Lazarus Group, we often times think about very sophisticated malware intrusion where we don't know what was the initial attack vector. Here, we're lucky to have actually reported this social engineering attack vector. So, monitoring employees who might have access to social media, specifically at work, specifically if they're going to go to LinkedIn, or essentially for, you know, for example, Skype, and use it for professional network rather than for business purposes, that might be a possible flag to investigate.

Vitali Kremez: [00:16:44] And essentially, one interesting thing is how you can defend against those attacks is, of course, looking into - I'm a huge fan of the ATT&CK framework. ATT&CK framework was based on, essentially, well before we had on the Cyber Kill Chain. So, look into the vulnerabilities that the company might have towards the social engineering, trusted relationship aspect. And essentially, testing this method out. The attack has been detailed, and we provide in our blog - reviewing how would the company posture might be across this chain. For example, how likely it is if the employee from Bank XYZ gets reached out by somebody who is trying to recruit, and essentially deploys a toolkit known to be Lazarus one. So, that's one.

Vitali Kremez: [00:17:27] But of course, on a technical level, on a very tactical one, monitoring for indicators of compromise, deploying the Yara signatures across the network environment, monitoring for suspicious activity, essentially looking for the hackers the attackers moving towards the ATM environment, SWIFT gateways. Looking for unauthorized or irregular activity in those areas. But here, the added twist is that we should be also looking to social media as the potential attack vector for that to unfold. So, there's lots of lessons to be learned here, actually, and specifically on the social engineering aspect, and how people can be essentially accelerators, or essentially unwitting helpers to this group to install their payload.

Dave Bittner: [00:18:07] Yeah, it's certainly an interesting one, and I suppose it also points to the fact that you can't underestimate groups like this, in terms of the resources that they bring to bear to get at what they want.

Vitali Kremez: [00:18:19] Indeed. Indeed. You can never underestimate Lazarus. It's really one of the most formidable APT groups we had seen lately, in the past. And we've - we can apparently - we assess with moderate confidence that they will continuously be one of the most formidable groups in the future. So yes, we should never underestimate, especially the actors or the attackers who have so many resources and so much backing from the government.

Dave Bittner: [00:18:43] Yeah, I suppose also there's this educational and training component with your employees, to face the reality and say, listen, if you're looking around for other opportunities, well, please do us a favor and do that on your personal machine.

Vitali Kremez: [00:18:56] Indeed. Indeed. Definitely don't do it on the corporate machine or environments, and isolate actually those machines, actually, from being available to even - to social media, and Skype, and others. So yes, definitely there is an educational component can cause leadership in that as well, that might actually be the fourth catalyst for future, maybe possible positive changes in that area...

Dave Bittner: [00:19:18] Yeah.

Vitali Kremez: [00:19:18] ...For security.

Dave Bittner: [00:19:19] So, since you all published this particular bit of research, there's been some additional information that's come along.

Vitali Kremez: [00:19:27] Yes, indeed. Actually, there's a company that followed up on our intelligence report, and our research, called QuoScient's Intelligence Operations Team. They also uncovered, potentially, that a Pakistani financial service provider and its employee was also targeted by the same malware and the same attack chain, just like the Lazarus ones who targeted Chile. And actually they detailed in their blog, essentially, it points out that, potentially, this group was targeting in two different fronts - in two different directions. While they also were in Chile pursuing Redbanc intrusion, they also were targeting Pakistani financial institutions. Which also kind of makes sense, since they've been very active in both the Asian and Latin American states.

Vitali Kremez: [00:20:10] One interesting thing there, also, to note - that actually Pakistan previously, and an Islami bank, previously reported suspicious ATM activities or irregularities, potentially, with a big heist. And we couldn't figure it out back then what was the - essentially, the reasoning behind that, what was the possible explanations of that. So, that report might also fill some of those gaps related to the cash-out. It's still yet unconfirmed, but yet again, there is possible evidence of the group also operating in Pakistan, as of the latest report. So, something to keep track of.

Dave Bittner: [00:20:45] Yeah. Another piece of the puzzle and, you know, nice that you all reach out to each other and share your finding from organization to organization.

Vitali Kremez: [00:20:53] Indeed. To truly defeat those threats, it's important for us to collaborate and share intelligence. Because they collaborate and share intelligence to target us, and we be collaborating and sharing intelligence how to protect against them. So, it's imperative in our industry in this age.

Dave Bittner: [00:21:11] Our thanks to Vitali Kremez from Flashpoint for joining us. The research is titled, "Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties." We'll have a link in the show notes.

Dave Bittner: [00:21:24] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:21:33] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.