
Lazarus On The Rise: Insights From SWIFT Bank Attacks

BSides Belfast · 2018 · 26:35 · Published 2018-10

Transcript [en]

Hi everyone, I'm Saher. I work at BAE Systems and I'm a threat intelligence analyst. Today I'm going to be talking to you about Lazarus and going through some SWIFT bank heists, so let's kick it off. I'm first going to start by looking briefly at the evolution of how we've gotten to this spot and the bank heists that we see today, starting out with more criminal operations, low-level stuff. Then we'll talk about the entrance of Lazarus to the scene and get into the SWIFT bank heist case studies, and then I'm going to look at a little bit of the evolution of tools and compare their backdoors, just high-level stuff, and then talk about some unknowns that all of us who have been investigating the actor and these cases are still mystified by, and maybe some potential theories, and then I'll wrap it up with some conclusions and an outlook for future attacks.

It used to be that attacks would really be low-level and opportunistic, targeting the low-hanging fruit, and really didn't need many resources, so you're looking at phishing and web attacks and things like that. We moved on to attacks being more planned, maybe even in small groups, but more commercialized, so buying off-the-shelf tools. Then we're getting into more organized attacks with full teams and people that can be hired, developing banking Trojans and ransomware, and then moving on to the tailored attacks that we see today, where targeted intrusions are becoming the norm. This is where I want to start introducing Lazarus: this is an investment of time and sophistication and a lot of planning and coordination, and the payoffs are actually a lot better, as you'll find out.

Just to recap, I'm sure a lot of you have heard of the Bangladesh Bank heist, because we never stop talking about it. This was a pretty big milestone and kicked off the investigations into this group in the SWIFT heist capacity. This was back in 2016, and at the time it was pretty high-profile in terms of the intrusion itself but also the subsequent money laundering; I'll talk about that a little bit. I think one of the important things to note now, obviously, is that it definitely wasn't a one-off, which people thought it was at the time.

Just a quick rundown of what happened. Basically there was a lot of planning and coordination that went into this. There's the setup: in May 2015 the attackers had set up accounts in the Philippines and Sri Lanka, presumably in preparation, and there was recon up to 18 months before the actual heist. The intrusion happened on a Thursday: the attackers executed the SWIFT transactions to send money to those accounts that they had set up. Bangladesh Bank noticed issues with the printers on the Friday, and the SWIFT error showed up on Saturday, as did the messages from the Federal Reserve, and the last activity that we saw from the attackers was on Saturday. So this happened over a bank holiday weekend: the Monday was Chinese New Year, and in Bangladesh the weekend is the Friday and Saturday, so there were basically four days where people weren't able to notify anyone, which caused a bit of a delay in terms of addressing the issue, and obviously that was well thought out by the attackers. Then finally Tuesday comes around and stop orders are issued from Bangladesh Bank to the Federal Reserve: 850 million ends up being blocked, 20 million doesn't go through to the Sri Lankan accounts because of a typo, and then the 81 million goes to the accounts in the Philippines and goes on to be laundered through the casinos. What I really want to point out here is the sophistication and the inside knowledge of how the SWIFT systems work: the attackers were able to manipulate the balances on the SWIFT messages and then the printers to cover them up and hide those fraudulent transactions, so really good knowledge of the banking operations and business processes.

Fast forward to 2018, two years later, and we see the heists not only continuing but increasing. Just in 2018 I think we've seen eight public ones at least. I'm going to get into a couple of different examples, but basically what you see here is that they've definitely gone global: the attackers were definitely focused regionally on Southeast Asia but expanded to Latin America, and India has become quite a hot spot. The frequency is also increasing; we see almost one a month, so this is definitely a continuing threat.

Now I'm going to get into some of the examples. The first one will be Banco de Chile, which happened in 2018. Basically what happened was some very nice, friendly people posted on Twitter about how their computers wouldn't boot, and these were employees of the bank. Luckily the bank tags their monitors with locations, so we were able to figure out which bank and then start investigating this particular case. This was a targeted intrusion just like the others and went after millions. So there was the theft, but there was also the destructive element, which I will get into in a second, and basically that was to divert attention away from the actual heist: occupy the IT teams and the security teams and present them with a bigger problem than the actual money getting stolen. They did use a new tool, MBRKiller, which I'll talk about, but actually it wasn't the first time that we saw destructive tactics; I think that would have been Taiwan, which was in October 2017.

Now just a high-level view of MBRKiller, the highlights of it. This targeted NTFS, sorry, targeted partitions, and the wiper was implemented in the NSIS language, so the installer was doing the wiping as opposed to dropping a wiper which then did it. It matched with previous Lazarus tools and ops that we've seen: protected with VMProtect, the same cracked version as before. What was interesting is that we didn't actually identify other samples that were similar to this one, and it might be because it was used as a one-shot tool, which I'll talk about later with how Lazarus is acquiring all these wipers.

The second case study that I mentioned is Cosmos, and this one is quite interesting for a different reason. The wiper aspect of Banco de Chile made it pretty significant: the bank's services went down for several days, and it just took out the bank's network, which was completely inaccessible. I'll talk about how the tactics have been getting more aggressive. So that was Banco de Chile. Cosmos happened last month, in August. Cosmos is a cooperative bank in India, which again has become a favorite of Lazarus these days. Basically this started when the FBI released an alert on August 9th about an imminent ATM cashout scheme. At the time we didn't know that this was related; we only figured it out after, two days later, when the actual cashing out started. In total this was about 15,000 transactions and I think 11 million dollars across 28 countries, mostly Visa and mostly outside of India. Then a couple of days later we see the SWIFT transactions happen; these were I think a total of 2 million. Then Cosmos picks up on this and reports to the police, and they issued the press releases and things like that, and we keep investigating. The bank's network went offline for a couple of weeks at least; I don't think they've reached full functioning capacity still, but it was basically a pretty big hit.

I'll just talk through the ATM cashouts; this was the really interesting bit of this particular attack. The attackers got hold of cloned card details, and we actually still don't know how this happened. It's possible they got them directly from the bank because of their really good and prolonged access, but actually there's been no confirmation of this. Then, sorry, there's a network of mules across those 28 countries, and they make the request to withdraw money from the ATM. These transactions go through the normal ATM processes: the transaction processor, the interchange network, and finally the issuing bank, which in this case is Cosmos. The cloned card details are one thing, but when you put that kind of request through, the bank will want the details of the transaction, so how much money you want to withdraw and the PIN number, and then they have to authorize it. Usually this is where such a transaction would have been stopped if it looks fraudulent, but the attackers in this case had a way of manipulating the authorization mechanism so that it would just approve them straight away. Again, it's pretty unclear how they've actually done that; they could have compromised some infrastructure earlier on, and it could just be due to their really good access to the network, but that still remains a mystery. Then the request comes back through the ATMs and the mules are able to withdraw the cash. This is a point that I'll cover at the end in the unknowns and conclusions, but in terms of where the money goes, with the other heists that's been a pretty big mystery, and having a coordinated effort across that many countries, and likely through organized criminal gangs, only because I doubt Lazarus has personnel on the ground in that many places, is a pretty big deal.

Just to go through the tools a little bit. Nestegg is the old backdoor that we saw, which was likely used in the Bangladesh Bank heist. This is a late-stage implant used for persistence. There are some really interesting parts of it: the dropper would be securely deleted from the system, so we actually weren't able to look at that in depth, but what we were able to see is that the backdoor is modular, so there was a bunch of plugins, and that includes a keylogger and a screenshotter, and those were actually the interesting bit. The attackers would be recording all the keystrokes and all the screenshots of the admin and, if they put these together, theoretically they would have been able to reconstruct the way to get access into the network and admin privileges pretty easily in a step-by-step process. That was pretty significant. We saw Nestegg being used over a couple of years, up until about six months ago, when there was a new backdoor which we called Catch-22. This is the one that was used in Banco de Chile and has been seen in several other intrusions. It's used to target banks very specifically and hasn't been seen anywhere else. It's also a late-stage attack tool, deployed on admin laptops but also on Alliance Access and Alliance Web Platform, so these are the SWIFT systems; these are both in the secure zones that you can see in the graphic. It's called Catch-22 because it has 22 functions, all the ones you would expect of a backdoor to carry out this kind of attack. The interesting bit about this backdoor is the command and control. Usually malware is going to run as a client and communicate with the C&C, but this one can also run in server mode, so theoretically it could give commands to other malware on the network. This is pretty interesting, and it plays into the segregated network attacks: the infected machines that sit on the network boundaries can proxy connections on to other machines on either side. It acts as a client and a server and has the ability to initiate new connections and proxy traffic between multiple instances, so the attackers are able to transparently traverse internal networks and issue commands or do recon against machines not connected to the internet. This is pretty deep access, and this will show you how they got access to the payment systems in the secure zones. SWIFT is trying to commence new security controls and use jump boxes, but Catch-22 basically circumvents that whole effort.

Now just to get into some of the interesting stuff that we don't know, and maybe speculate on some potentials. One: why are there so many unknowns? There are a couple of reasons for this. The banks that have been targeted, as I mentioned, are regionally in Southeast Asia, Latin America and now India, in more vulnerable areas of the world, maybe with less attention on security, but they could probably target Western institutions and similar things would happen. Some of it is more their ability to be really vigilant and diligent about cleanup, so deleting logs; they're very careful not to leave traces. Another thing is that their presence in the network during these bank heists is usually a minimum of several months, up to the 18 months that we saw in Bangladesh, so the time between infection and cashout is really long. Most of the time you're not going to have access to logs or anything like that, so the origin is really difficult to discover, and that creates a lot of mysteries for the people who are investigating.

In terms of intrusion vectors, this was a mystery up until pretty recently, and even then it's only been a couple of cases that were covered in the recent Department of Justice indictment, and some of the spear-phishing emails were shown in there for a couple of cases. But for the most part, like I said, because the infections happened so much longer ago and they're usually not discovered in the network until so much later, we don't really know where the infection came from. One interesting point is the watering holes, which I haven't mentioned in this presentation but we have blogged about. The watering holes were in 2016 and we found them targeting financial regulators in Poland and Mexico. The interesting part about this is that they had an IP whitelist because they didn't want just anyone getting infected, and it had a whole list of organizations on it, and Banco de Chile actually shows up on one of those whitelists. It's still unclear if it was actually connected; that would have been 19 months before the actual attack, so we're not sure if the watering hole was actually the intrusion vector, but it's an interesting point that they were thinking so far ahead.

The next one is really interesting and kind of terrifying: the access to the SWIFT Alliance Access server. We've been investigating these for over two years now, and SWIFT has obviously also been implementing new controls and trying to respond to these threats and intrusions, but every time they implement new controls it seems like pretty much child's play for Lazarus to circumvent them, and they don't seem to have any trouble at all. So the theory, which again is totally speculation, is that they might have access to a live SWIFT server, either through compromise or some other way, but basically that seems to be the only explanation for them being able to keep up so easily without having any of these new controls deter their attacks.

Another thing is the wiper acquisition and distribution. On acquisition: there was a ransomware that was used in the Taiwan heist called Hermes, and there are similar versions of the ransomware out there, but this particular version was only seen being used by Lazarus. Because of the overlaps we suspect it might be a shared tool or a purchased tool, and again, with their use of MBRKiller in Banco de Chile, it's possible that these are just commercial off-the-shelf tools. They may customize them a little bit, but it looks like they have just easy access to these, whether they're buying them or finding them. This is probably something we'll keep seeing, but again we don't actually know where they come from; it's a low-cost, high-impact way of advancing their attacks. Distribution is an interesting point for MBRKiller in particular: we don't actually know how they managed to get that wiper across all the machines on the network at the same time. There's no evidence of worm-like propagation, and it still seems pretty unclear, but because of their access we assume this could be due to some kind of built-in Windows functionality, or through deploying the tool as an update or something that would be able to impact the entire network at the same time just by leveraging legitimate processes.

Lastly, where does the money go? This is a pretty interesting one and a little bit out of my jurisdiction; I don't really do money laundering, I mostly just look at the intrusions. But since Bangladesh and up until Cosmos, in between there have been very few insights into what happens to all those millions. In the Philippines, for the Bangladesh Bank heist, they definitely laundered that money through casinos, but because the casinos are exempt from reporting that kind of activity in that jurisdiction, it ended up being a dead end. The likely theory is that, again because they have mules everywhere, which we saw evidenced by the ATM cashout for Cosmos, they're using local criminal networks to get the money out, and it's likely just being funneled to places where they operate. How people get the funds is still really new: the ATM cashout is something that is new and it seems to be pretty successful compared to the Bangladesh Bank heist. So that's the mystery about money; I'm still working on that.

For a wrap-up I just want to look at a couple of conclusions. Again, like I said, these targeted intrusions haven't been slowing down; if anything they're increasing and getting even bolder than before, so this is something that definitely should be looked out for. I think the important thing to note here is, again with Cosmos being a good example, the overlap between financial crime and cyber operations, so there are multiple aspects to these attacks and diversified techniques. I keep mentioning the cashout, but this is actually pretty new; they did try that, but two days later you can see them reverting back to their old habits, which is the SWIFT transactions, because getting money out of the system is probably one of the harder parts, arguably more difficult than the actual intrusions themselves, because those seem to be pretty easy for them. Getting that money out of the system has been tricky, especially because it is such a hot topic now and people are paying a lot of attention, so this is a much more decentralized way of doing that. But because the payout is so good, and you can take millions out at one time, we anticipate seeing SWIFT targeted just as much.

Like I said, I just mentioned the tools that they've used. Nestegg served them pretty well for a couple of years; it's a really advanced backdoor and was doing well. They've implemented a bit of a new toolset now, and we've seen Catch-22 used in multiple intrusions. They're still really invested in developing, so I wouldn't be surprised if they got even more creative. I do want to mention that with these wipers especially, the nature of these attacks is getting more aggressive, and though they're just using them as a diversion to cover up the heists themselves, and not really investing much in the wipers themselves considering they've probably just grabbed them commercially, they're really playing with fire. I don't think they have quite got the hang of controlling them, but again that's not really their problem, because it does the job that they wanted it to do. But for the banks this is quite impactful: banks' networks going offline for that long and creating accessibility issues is potentially a severe hit to the financial system if they get worse.

Like I said, there's been a lot more attention on SWIFT controls and improving those defenses. That being said, not only have they been able to circumvent those, but it still leaves national banks vulnerable, and again, if you look at their targeting in terms of which banks they're going after regionally, some of these will not have as good security, so this is pretty advantageous for them to continue targeting. There's obviously a whole long list, and they are in multiple banks at the same time around the world. One of the other things that we don't really know is when they're going to stage those heists: they're doing recon for months and months, and with Bangladesh Bank we saw the timing over the weekend was really coordinated and there was a big reason for why they did it that way and on those particular dates, but with the increased attacks that we see now there isn't really any rhyme or reason that I've seen so far; they're basically doing pretty well. That's pretty much all I have, so thanks for listening, and if you have any questions let me know.

[Applause]
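The talk describes Catch-22 running as both client and server on machines at network boundaries and proxying connections into the SWIFT secure zone, which is the behaviour a defender can look for in flow data: a host that accepts a connection from one zone and, within seconds, opens a new connection into a different zone, repeatedly. The following is an added detection example written for this page; it is not code from the talk, from BAE Systems, or from any analysis of Catch-22 itself. The zone ranges, host addresses, port numbers, timestamps and the flow records are all constructed, and `allowed_pivots` is a hypothetical list of sanctioned jump hosts. It goes slightly beyond the talk by correlating inbound and outbound flows per host rather than looking only for server-mode listeners.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed zone map (assumption): a corporate LAN and a SWIFT-style
# "secure zone" that should only be reachable through sanctioned jump hosts.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "secure": ipaddress.ip_network("10.50.0.0/16"),
}

# Constructed flow records: "<ISO timestamp> <src> <dst> <dst port>".
# 10.10.5.20 plays the role of an infected boundary host relaying an admin
# laptop (10.10.7.15) into secure-zone machines; the other lines are noise.
FLOWS = [
    "2018-05-24T09:00:00 10.10.7.15 10.10.5.20 443",
    "2018-05-24T09:00:01 10.10.5.20 10.50.1.10 8443",
    "2018-05-24T09:00:30 10.10.7.15 10.10.20.5 445",   # same-zone file share
    "2018-05-24T09:05:00 10.10.7.15 10.10.5.20 443",
    "2018-05-24T09:05:02 10.10.5.20 10.50.1.11 445",
    "2018-05-24T09:06:00 10.50.1.10 10.50.1.11 1521",  # stays inside secure zone
    "2018-05-24T09:10:00 10.10.7.15 10.10.5.20 443",
    "2018-05-24T09:10:01 10.10.5.20 10.50.1.10 3389",
    "2018-05-24T09:15:00 10.10.9.8 10.10.5.30 80",     # intranet web server
    "2018-05-24T09:15:01 10.10.5.30 10.10.5.31 3306",  # its DB hop, same zone
    "2018-05-24T09:20:00 10.10.7.15 10.10.5.20 443",
    "2018-05-24T09:20:03 10.10.5.20 10.50.1.12 22",
]


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'external' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> dict:
    """Parse one constructed flow line into a dict with a datetime timestamp."""
    ts, src, dst, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": int(dport)}


def find_relays(lines, window_seconds=5, min_relays=3, allowed_pivots=()):
    """Return {host: [(inbound_src, outbound_dst), ...]} for every host that,
    within window_seconds of accepting a connection from one zone, opens a
    connection into a different zone, at least min_relays times.
    Hosts in allowed_pivots (sanctioned jump boxes) are skipped."""
    flows = sorted((parse_flow(l) for l in lines), key=lambda f: f["ts"])
    inbound = defaultdict(list)   # dst host -> flows it accepted
    outbound = defaultdict(list)  # src host -> flows it initiated
    for f in flows:
        inbound[f["dst"]].append(f)
        outbound[f["src"]].append(f)

    window = timedelta(seconds=window_seconds)
    hits = {}
    for host, ins in inbound.items():
        if host in allowed_pivots:
            continue
        pairs = []
        for i in ins:
            for o in outbound.get(host, []):
                # Only outbound flows shortly after the inbound one count.
                if not (i["ts"] <= o["ts"] <= i["ts"] + window):
                    continue
                # Talking back to the same peer is a reply, not a relay.
                if o["dst"] == i["src"]:
                    continue
                # A relay crosses a zone boundary: in from one, out to another.
                if zone_of(o["dst"]) != zone_of(i["src"]):
                    pairs.append((i["src"], o["dst"]))
        if len(pairs) >= min_relays:
            hits[host] = pairs
    return hits


if __name__ == "__main__":
    for host, pairs in find_relays(FLOWS).items():
        print(f"possible pivot host {host}: {len(pairs)} cross-zone relays")
        for src, dst in pairs:
            print(f"  {src} ({zone_of(src)}) -> {host} -> {dst} ({zone_of(dst)})")
```

On the constructed data only 10.10.5.20 is reported, with four relays from the corporate admin laptop into the secure zone; the intranet web server's onward database hop stays within one zone and is ignored. Legitimate jump boxes will match this pattern by design, which is why the sanctioned ones go in `allowed_pivots`: the signal is a relay on a host that is not supposed to be one.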