The US Department of Justice indicted two North Korean citizens who are believed to be…
As a result, the criminals managed to “earn” more than $ 200 million by compromising stock exchanges and companies in different countries of the world. The names of the affected companies were not disclosed due to agreements that involved the researchers.
Then the ClearSky experts concluded that the attacker was based somewhere in Eastern Europe, may be Ukraine, Russia or Romania.
However, after the publication of this report, other information security companies released their own investigations of similar attacks and technical details that corresponded to the tactics and methods of CryptoCore.
As a result, ClearSky experts have prepared a new report in which they compared data from the above studies with their own conclusions. It turned out that all these attacks can be safely attributed to the same criminal group.
In essence, the researchers agreed with the findings of F-Secure, which attributes the attacks to the well-known North Korean hack group Lazarus: the experts used YARA rules and correlated their findings with earlier research by ESET and Kaspersky Lab.
ClearSky writes that the YARA rule matches the old RAT reported by Kaspersky Lab in 2016 (bbd703f0d6b1cad4ff8f3d2ee3cc073c).
Although this became possible only after changing the name of the resource, which was different from the backdoor of 2016. For example, in the old version, the malware accessed a file named scaeve.dat, and in the new version, it accessed the perflog.dat file. Changing the filename helped the YARA rule find a match.
In total, more than 40 matching indicators of compromise were found in the reports of F-Secure, NTT Security and JPCERT/CC, as well as a VBS script, which was almost the same without obfuscation.
Considering all these similarities, the ClearSky researchers admit they made a mistake in attribution a year ago: they now believe that the CryptoCore campaign has a direct linkage with the North Korean hacker group Lazarus.
Let me also remind you about the fact that the Lazarus Group used ThreatNeedle malware against defence companies, as well as that US authorities indicted two more members of the Lazarus group.
News-xbuhoxu.store is a domain that tries to force you into subscribing to its browser notifications…
News-xbadeyo.today is a site that tries to force you into clik to its browser notifications…
News-bbutohu.info is a site that tries to trick you into clik to its browser notifications…
News-bbucoxe.today is a domain that tries to force you into clik to its browser notifications…
News-xdetake.cc is a domain that tries to force you into clik to its browser notifications…
News-bbufiya.today is a domain that tries to force you into subscribing to its browser notifications…