Threat Watch

US Government Warns of Bank Attacks From North Korea

North Korea: According to a joint release from several United States Government agencies, North Korean hackers have been using many different malicious tools as part of several ongoing attacks targeting banks for the purpose of stealing money. The group, dubbed BeagleBoyz by the US Cybersecurity and Infrastructure Security Agency (CISA), overlaps with the North Korean threat actors referred to by private security companies as APT38 and the Lazarus Group. Attacks that abuse the SWIFT system to fraudulently transfer funds, and other attacks that cause ATMs to dispense cash, have been ongoing since February of 2020 and target financial institutions in 30 different countries around the world. Following a slowdown in banking attacks from North Korea in 2020, these malicious wire transfers and ATM cash-out attacks have gained momentum. The group uses spear-phishing, watering hole, and fake job applicant campaigns as the initial infection vector for its attacks. It has also used access provided by other threat actors such as TA505 to gain initial access to banks and then launched the final attacks, sometimes months later, after establishing persistence within the targeted banks' systems. Along with the alert, CISA released Malware Analysis Reports (MARs) on several malware families used in the attacks, including CROWDEDFLOUNDER, ECCENTRICBANDWAGON, ELECTRICFISH, FASTCash for Windows, HOPLIGHT, and VIVACIOUSGIFT.

ANALYST NOTES

Up to this point, the campaigns being carried out by North Korea in 2020 had not been seen in the United States. In September 2019, the US Treasury sanctioned three North Korean-sponsored threat actors. This may be why none of those three groups were named in these most recent attacks, though many members of the North Korean groups likely overlap. North Korea is constantly looking for attacks that allow it to make money, and fraudulent wire transfers and ATM cash-outs are common ways threat actors steal money from banks. Companies should have monitoring in place to detect these initial infections. Binary Defense's Managed Detection and Response monitoring is a great way to detect attacks early and prevent them from spreading through a company.

More can be read here: https://www.bleepingcomputer.com/news/security/us-govt-warns-of-north-korean-hackers-targeting-banks-worldwide/

The release can be found here: https://us-cert.cisa.gov/ncas/alerts/aa20-239a