LAZARUS ARISEN

2017-05-30 Group-IB

https://www.group-ib.com/blog/lazarus

Attachments

group-ib-lazarus-arisen-threat-research-2018-en.pdf (6 MB)

Group-IB attributes to Lazarus a shift in operations from espionage and destructive attacks against South Korean and U.S. targets toward attacks on banks and financial institutions worldwide. The report details the attempted SWIFT theft from the Bangladesh Central Bank, compromises affecting Polish banks, and the targeting of financial regulators and government-agency websites for watering-hole delivery. Group-IB describes a three-layer command-and-control architecture built on compromised servers, SSL-encrypted traffic with an additional layer of encryption, SoftEther VPN, multi-module malware, and masquerade artifacts intended to suggest Russian involvement. Infrastructure analysis identified control activity from IP addresses associated with North Korea or with North Korean address space, including 175.45.178.222 and related Ghost RAT control addresses, though the report notes the limits of precise location attribution.

Indicators of Compromise

Type    Value            First Seen   Last Seen
IPv4    210.52.109.22    2017-05-30   2020-03-09
IPv4    175.45.178.222   2017-05-30   2020-03-09
IPv4    175.45.178.19    2017-05-30   2018-01-08
DOMAIN  brou.com         2017-05-30   2017-05-30
IPv4    175.45.178.97    2017-05-30   2017-05-30
DOMAIN  knf.gov          2017-02-03   2017-05-30