It was recently discovered that the Lazarus Group was likely behind a compromise of Redbanc, the company responsible for the interconnectivity of the ATM’s of all Chilean banks. The breach only came to light after a Senator within Chili who was briefed on the compromise chastised Redbanc for not disclosing the breach publicly. Lazarus Group gained access to Redbanc’s systems after a Skype call with a Redbanc employee. The group posted an ad on LinkedIn for a developer, which was later applied for by the Redbanc employee. The group set up a Skype interview with the employee and then during the interview requested that the employee download and run a file named ApplicationPDF.exe under the guise that it was part of their recruitment process. The file in reality installed the PowerRatankba malware onto the employee’s computer. The malware collected information about the employee’s computer including username, hardware, operating system, proxy settings, a list of current processes, if the infected machine had RPC and SMB open file shares, and what the status of their RDP connection was. This provided the attackers with the needed details to launch another attack on Redbanc which gave them further access into Redbanc’s systems. This is not the first time that Lazarus Group has targeted Chilean financial institutions–Banco de Chile was previously compromised by Lazarus Group as well. As the investigation into this attack continues, a better understanding of how widespread the infection became should become clearer.
