This article is more than 1 year old
Recycled malware code 'links' SWIFT bank heist to Sony ransackers
Who's cut'n'pasting routines – the Norks or someone trying to blame the Norks?
Five additional pieces of malware suggest there is a stronger tie between North Korea's Lazarus Group of hackers and last month's run of cyber-attacks on banks.
A study by Anomali Labs' senior security researcher Aaron Shelmire expands upon Symantec's earlier findings. According to Symantec, two pieces of malware were used to pull off the bank thefts; these programs included two chunks of code that also appear in a software nasty written by North Korea's Lazarus Group.
That led to the suggestion that the North Korean hackers were involved in the string of attacks on international banks over recent weeks, including the $81m mega-heist at the Bangladeshi Central Bank. These cyber-robberies relied on malware infecting bank terminals to obtain login credentials for the SWIFT messaging system, allowing crooks to slip in remotely and move money as they pleased.
The Lazarus Group was previously blamed for the Sony Pictures attack, which involved the swiping of emails and all manner of sensitive files, as well as trashing the film studio's computer network. (Many remain skeptical that the Norks had anything to do with the Sony ransacking, though.)
After searching through databases of malicious executables, five additional pieces of malware were found containing portions of code shared by Lazarus Group's malware and the SWIFT-manipulating malware, according to Shelmire. These particular software nasties are believed to have been used by the North Koreans against other systems in the past.
All in all, it's a mix of detective work and guesswork at this stage: the shared routines were picked up using Yara, and there's nothing stopping a cyber-bank robber from lifting code from someone else's malware to use in their own software nasties. It may even be a good idea to do so, as it muddies the tracks.
All we know, really, is that code from one evil program – built by the North Korean Lazarus Group – somehow made its way into other programs, including ones used to infiltrate SWIFT terminals. That's why DFIR – Digital Forensics, Incident Response – is tricky at best. ®