Hauri analyzes custom malware used in the Bangladesh Bank SWIFT theft, in which roughly $101 million was fraudulently transferred out of the bank's account at the U.S. Federal Reserve. The report says the malware was built for the targeted institution: it used Bangladesh Bank SW…
2016 (31 reports)
South Korean investigators said a North Korean hacking organization compromised a financial information security company, stole its code-signing certificate, and used it to make malware appear as legitimate software from that vendor. The intrusion began w…
Anomali Labs identified five additional malware samples that shared subroutines previously reported in SWIFT intrusion malware and Lazarus Group Operation Blockbuster tooling. The overlaps were found with a YARA search and position-independent code functi…
Symantec found that the group behind the Bangladesh Bank SWIFT theft and the attempted Tien Phong Bank transfer also deployed malware against a bank in the Philippines. The activity used tools including Trojan.Banswift and Backdoor.Contopee variants, with…
BAE Systems traced SWIFT-targeting bank malware into a wider campaign by identifying a unique file wipe-out function shared across samples tied to the Vietnam bank case and a newly found bot. The analyzed sample installed itself as a Windows service, used…
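The overlap hunting described in the Anomali and BAE entries above (shared subroutines surfaced with a YARA search, a single function reused across samples) can be shown in miniature. The following is an added example, not code from either vendor's report: it finds the longest byte run shared between each pair of samples, keeps runs long enough to plausibly be a reused routine, and emits a YARA rule from them. The sample bodies and the `SHARED_FRAGMENT` bytes are constructed placeholders, not real Lazarus or SWIFT malware code.

```python
"""Toy code-reuse hunting: shared byte runs across samples -> YARA rule.

Added example. All sample bytes below are constructed for illustration;
none of them come from the malware discussed on this page.
"""

MIN_LEN = 8  # shortest shared run treated as a candidate reused routine

# Constructed "code" bodies: a and b embed the same fragment, c does not.
SHARED_FRAGMENT = bytes.fromhex("558bec83ec108b45085f5ec3")  # 12 placeholder bytes
SAMPLES = {
    "sample_a.bin": b"\x90" * 5 + SHARED_FRAGMENT + b"\xcc" * 7,
    "sample_b.bin": b"\x31\xc0" + SHARED_FRAGMENT + b"\xeb\xfe",
    "sample_c.bin": b"\x55\x8b\xec" + b"\x41" * 20,  # only a 3-byte prologue in common
}


def longest_common_run(a: bytes, b: bytes) -> bytes:
    """Longest byte string present in both a and b (O(len(a)*len(b)) DP)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def find_shared_code(samples: dict, min_len: int = MIN_LEN) -> dict:
    """Map each shared run (>= min_len bytes) to the sorted names of samples containing it.

    Pairwise longest-common-run search, then a membership check across the
    whole set so the rule covers every sample that carries the fragment.
    """
    names = sorted(samples)
    hits = {}
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            run = longest_common_run(samples[x], samples[y])
            if len(run) >= min_len:
                hits[run] = sorted(n for n in names if run in samples[n])
    return hits


def to_yara(rule_name: str, shared: dict) -> str:
    """Render the shared runs as hex strings in a minimal YARA rule."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for k, run in enumerate(sorted(shared)):
        lines.append(f"        $s{k} = {{ {run.hex(' ')} }}")
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_shared_code(SAMPLES)
    for run, carriers in found.items():
        print(f"{len(run)}-byte run shared by {', '.join(carriers)}")
    print(to_yara("shared_code_fragment", found))
```

On real samples the pairwise DP is replaced by function-level hashing or a disassembler's basic-block comparison, and a candidate run is only promoted to a signature after checking it is not library or compiler boilerplate (the 3-byte `55 8b ec` prologue in `sample_c.bin` is exactly the kind of match the length threshold is there to reject).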
BAE Systems analyzed custom malware linked to the Bangladesh Bank SWIFT heist, in which attackers attempted to transfer $951 million and $81 million was never recovered. The malware was built for an environment running SWIFT Alliance Access with an Orac…
The excerpt summarizes reporting on the Bangladesh Bank SWIFT fraud, where authenticated SWIFT messages were used to attempt transfers totaling roughly $951 million; about $101 million was actually transferred out, of which $81 million was never recovered. It notes that a spelling error in a recipi…
Qihoo 360 described Operation OnionDog as a multi-year campaign observed from at least 2013 to 2015 against government entities, transportation companies, and energy industries, while stating it had not found a connection to Lazarus at that time. The acti…
Talos described defensive coverage work tied to Novetta’s Operation Blockbuster research on Lazarus Group, also referred to as Group 77. The underlying research connected multiple malware families to the same threat actor group and associated them with hi…
The excerpt analyzes a backdoor that receives command codes from a C&C server and can download and execute additional malware, run CMD commands, and control the infected PC. It persists by copying itself into a specific folder, generating a random service…
Novetta Operation Blockbuster documents Lazarus Group remote administration and content staging malware families uncovered during a broader industry investigation. The report explains the Romeo RAT families, Sierra spreaders, Joanap peer to peer staging c…
Blue Coat connects the Sony Pictures intrusion malware Destover to earlier destructive activity associated with the DarkSeoul or Silent Chollima threat complex. The report states that technical indicators link Sony to destructive events going back to at l…
Kaspersky describes Operation Blockbuster research linking malware used in the Sony Pictures attack to a wider Lazarus Group cluster spanning activity back to at least 2009. The report connects campaigns and malware families including Operation Troy, Dark…
A leaked digital certificate from a security vendor was abused to sign malware, exploiting trust in software used by financial institutions and public-sector organizations. The signed executable is described as a downloader that contacted an external serv…
CrowdStrike’s 2015 Global Threat Report assessed that DPRK-linked activity in 2015 shifted toward espionage rather than destructive operations, with most observed malware directed at Republic of Korea targets during periods of heightened inter-Korean tens…