FEIB heist is linked with Lazarus group

Delaware, USA – October 18, 2017 – BAE Systems, the company involved in the investigation of the recent theft of $ 60 million from a bank in Taiwan, reported on its blog about new details. At the moment, the bank managed to return most of the funds, and two suspects that were detained in Sri Lanka, who tried to withdraw money transferred from Far Eastern International Bank. The researchers analyzed the attack timeline and used malware, and linked this theft with cybercriminals from North Korea – the Lazarus group. Attackers dropped backdoor into the bank’s network using spear phishing and gathered information about antivirus solutions and admin credentials. Then they compiled malicious software (bistran.exe) and dropped on the infected systems. The created virus established a persistence on the systems, disabled anti-virus software and then unpacked and ran additional malicious payload from archive hidden in the BMP file. Further, using stolen admin credentials, SMB and port 445, malware spread over the network. To compromise SWIFT financial system, attackers used the same Lazarus malware that was used in attacks on banks of Poland and Mexico. During this attack, hackers tried to use the modified Hermes Ransomware to hide the traces of the attack and funds translations. While transferring $60 million to the banks of Cambodia, the US and Sri Lanka, adversaries made some mistakes in specific fields, so that the bank was able to track and recover most of the stolen money.

This year hackers from the Sandworm APT group used Ransomware as a cyberweapon and as a tool to hide the traces of their activities. It seems that other groups are also starting to adopt this technique. To timely detect threats, it is necessary to identify and investigate any suspicious security events. SIEM use cases Ransomware Hunter Advanced and APT Framework are designed to detect sophisticated cyberattacks in different stages of the Cyber Kill Chain. Leveraging this use cases you will be able to detect both suspicious disabling of antivirus solutions, as well as lateral movement attempts or Ransomware attacks.