Delaware, USA – April 6, 2018 – Security researchers from ESET published a report on their investigation of an attack that targeted an online casino in Central America. They linked this cyberattack with high confidence to the North Korean hacker group Hidden Cobra, also known as the Lazarus group. The group has been conducting successful operations around the world for several years; its most recent large-scale campaign was carried out in early March against financial organizations in Turkey using Bankshot malware. In the attack against the online casino, the attackers leveraged the NukeSpeed TCP backdoor and a session hijacker to collect information, drop malware and inject malicious processes. Hidden Cobra used the infamous tools Browser Password Dump and Mimikatz to steal credentials and spread malware across the organization’s network, and to remove traces of their activity they infected more than 100 systems with modified versions of KillDisk, very similar to those used in early 2018 in attacks against financial organizations in Latin America.
Hidden Cobra’s toolkit changes from campaign to campaign, but the group continues to use tools that have proven their effectiveness. The bonus use case Hidden Cobra Tracker in Threat Detection Marketplace is designed to detect the traces of Bankshot malware. It is almost impossible to track usage of the Mimikatz tool for credential dumping, but you can use the Mimikatz Defence Framework to detect attempts to use stolen credentials.