Lazarus group symantec
12/30/2023

As the WannaCry ransomware epidemic wreaked havoc across the globe over the past three days, cybersecurity researchers and victims alike have asked themselves what cybercriminal group would paralyze so many critical systems for such relatively small profit. Some researchers are now starting to point to the first, still-tenuous hint of a familiar suspect: North Korea.

On Monday, Google researcher Neel Mehta issued a cryptic tweet containing only a set of characters. They referred to two portions of code in a pair of malware samples, along with the hashtag #WannaCryptAttribution. Researchers immediately followed Mehta's signposts to an important clue: an early version of WannaCry, one that first surfaced in February, shared some code with a backdoor program known as Contopee. The latter has been used by a group known as Lazarus, a hacker cabal increasingly believed to operate under the North Korean government's control.

"There’s no doubt this function is shared across these two programs," says Matt Suiche, a Dubai-based security researcher and the founder of the security firm Comae Technologies. "WannaCry and this attributed to Lazarus are sharing code that’s unique. This group might be behind WannaCry also."

Any link to North Korea is far from confirmed. But WannaCry would fit the Hermit Kingdom's evolving playbook of hacker operations. Over the past decade, the country's digital attacks have shifted from mere DDoS attacks on South Korean targets to far more sophisticated breaches, including the Sony hack. More recently, Kaspersky and other firms have argued that the impoverished country recently expanded its techniques to outright cybercriminal theft, like the SWIFT attacks.

If the author of WannaCry isn't Lazarus, it would show a remarkable degree of deception for a cybercriminal group that has in other respects shown itself to be rather inept at making money: WannaCry included an inexplicable "kill switch" in its code that limited its spread, and even implemented ransomware functions that fail to properly identify who's paid a ransom.

"Attribution can be faked," concedes Comae's Suiche. "To write ransomware, target everyone in the world, and then make a fake attribution to North Korea; that would be a lot of trouble."

For now, plenty of unanswered questions remain. Even if researchers somehow prove that the North Korean government cooked up WannaCry, its motive for indiscriminately handicapping so many institutions around the world would remain a mystery. And it's tough to square the malware’s shoddy configuration and botched profiteering with the more sophisticated intrusions Lazarus has pulled off in the past.

But Suiche sees the Contopee link as a strong clue about WannaCry's origins. The Dubai-based researcher has closely followed the WannaCry malware epidemic since Friday, and over the weekend he identified a new "kill switch" in an adapted version of the code, a web domain the WannaCry ransomware checks to determine whether it will encrypt a victim's machine. Just before Mehta's finding, he identified a new URL, this time one that begins with the characters "ayylmao."

In addition to its 2014 attack on Sony Pictures, the Lazarus Group, also known as Hidden Cobra, has been attacking the ATMs of Asian and African banks since 2016, and today Symantec revealed that the group has been successful in its “FASTCash” operations by first targeting the banks' networks. “The operation known as 'FASTCash' has enabled Lazarus to fraudulently empty ATMs of cash. To make the fraudulent withdrawals, Lazarus first breaches targeted banks’ networks and compromises the switch application servers handling ATM transactions,” Symantec wrote in today’s blog post. “Once these servers are compromised, previously unknown malware (Trojan.Fastcash) is deployed.