North Korea: According to a joint release from several United States Government agencies, North Korean hackers have been using many different malicious tools in several ongoing attacks targeting banks for the purpose of stealing money. The group, dubbed BeagleBoyz by the US Cybersecurity and Infrastructure Security Agency (CISA), overlaps with the North Korean threat actors referred to by private security companies as APT38 and the Lazarus Group. Attacks that abuse the SWIFT system to fraudulently transfer funds, and other attacks that cause ATMs to dispense cash, have been ongoing since February of 2020 and target financial institutions in 30 different countries around the world. Following a slowdown in banking attacks from North Korea in 2020, these malicious wire transfers and ATM cash-out attacks have gained momentum. The group is using spear-phishing, watering hole, and fake job applicant campaigns as initial infection vectors for its attacks. It has also used access provided by other threat actors such as TA505 to gain initial access to banks, launching the final attacks (sometimes months later) after establishing persistence within the targeted banks' systems. Along with the alert, CISA released Malware Analysis Reports (MARs) on multiple different malware families used in the attacks, such as CROWDEDFLOUNDER, ECCENTRICBANDWAGON, ELECTRICFISH, FASTCash for Windows, HOPLIGHT, and VIVACIOUSGIFT.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in