The so-called Lazarus hackers are currently targeting scores of banks and other organisations across 31 countries, Symantec warns.
The attacks appeared to have come to light after Polish banks – who had been hit by malware sent through their hacked financial regulator – "shared indicators of compromise (IOCs)" of those attacks with other institutions.
The attackers appear to be using compromised websites to redirect visitors to a customised exploit kit, which is pre-configured to only infect visitors from approximately 150 different IP addresses. These IP addresses belong to 104 different organisations located in 31 different countries. The vast majority of these organisations are banks, with a small number of telecoms and internet firms also on the list.
Lazarus has been linked to a string of aggressive attacks since 2009, largely focused on targets in the US and South Korea. Some of the tools used in the Bangladesh bank heist shared code similarities with malware used in historic attacks linked to the group.
Code strings seen in the latest malware used "shares commonalities with code from malware used by the threat group known as Lazarus, the group behind the Sony wiper attacks," according to Symantec.
More details on the attacks can be found in a blog post by Symantec here. ®