Busy North Korean hackers have new malware to target ATMs

Lazarus, once considered a ragtag group of hackers, is now among the world’s most active.

Dan Goodin – Sep 23, 2019 4:13 pm | 16

ATM in the Indian city of Jaipur. Credit: PeS-Photo / Flickr

Hackers widely believed to work for North Korea’s hermit government have developed a new strain of malware that steals data used at automatic teller machines in India, researchers from Kaspersky Lab said on Monday.

One piece of malware, dubbed ATMDtrack by researchers with the Moscow-based security firm, has been targeting Indian ATMs since last summer. It allows its operators to read and store data associated with cards that are inserted into infected ATMs. As researchers with the Moscow-based security firm investigated further, they found that the ATM malware was part of a larger remote-access trojan that carries out traditional espionage activities. Dubbed “Dtrack,” it was used as recently as this month to target financial institutions and research centers.

Dtrack payloads were carefully encrypted with utilities known as packers, which made it hard for researchers to forensically analyze the malware. As the researchers analyzed the memory of infected devices, they found that both ATMDtrack and Dtrack shared unique code sequences. When company researchers peeled away the layers of encryption and began analyzing the final payload, they saw pieces of code that were first used in a 2013 attack that wiped the hard drives of South Korean banks and broadcasters. The campaign, known as DarkSeoul, was eventually tied to Lazarus Group, the main hacking arm of the North Korean government.

Not your father’s ATM malware

“When we first discovered ATMDtrack, we thought we were just looking at another ATM malware family, because we see new ATM malware families appearing on a regular base [sic],” Kaspersky Lab researcher Konstantin Zykov wrote in a post published Monday. The reused code made clear that Dtrack and ATMDtrack were actually the work of the same group of hackers behind the 2013 attack that wreaked havoc on South Korea.

Lazarus first landed on the radar of many security researchers following the destructive hack on Sony Pictures in late 2014. Once considered a ragtag ensemble of hackers, the group has risen to prominence over the years with a series of lucrative hacks involving the SWIFT payment network used by banks.

A wide variety of researchers and analysts say Lazarus was also behind the WannaCry ransom worm that shut down computers around the world in 2017. News agencies including Reuters have cited a United Nations report from last month that estimated North Korean hacking has generated $2 billion for the country’s weapons of mass destruction programs. The Trump administration sanctioned people associated with Lazarus and the two of its subgroups 10 days ago.

The more than 180 samples of Dtrack Kaspersky Lab has found circulating in the wild demonstrate yet another campaign of this now-prolific hacking group. The discovery of the malware in 2018 and the use of it as recently as this month suggest that Dtrack is a new addition to the growing Lazarus toolset. Samples analyzed by Kaspersky Lab include the following capabilities:

keylogging
retrieving browser history
gathering host IP addresses, information about available networks and active connections
listing all running processes
listing all files on all available disk volumes

Monday’s post demonstrates a previously unknown capability of this already prolific group.

“The vast amount of Dtrack samples that we were able to find shows that the Lazarus group is one of the most active APT groups in terms of malware development,” Zykov wrote. “They continue to develop malware at a fast pace and expand their operations.”