NATION-STATE MONEYMULE'S HUNTING SEASON – APT ATTACKS TARGETING FINANCIAL INSTITUTION

2017-12-07 FSI

https://www.blackhat.com/docs/eu-17/materials/eu-17-Shen-Nation-State%20Moneymules-Hunting-Season-APT-Attacks-Targeting-Financial-Institutions.pdf

Attachments

eu-17-Shen-Nation-State20Moneymules-Hunting-Season-APT-Attacks-Tar_sZ1gbHY.pdf (3 MB)

The presentation describes how nation-state actors, including Lazarus, Bluenoroff, and Andariel, shifted into financially motivated operations against banks, ATM operators, and cryptocurrency exchanges. A March 2017 Bluenoroff case targeted employees of a top South Korean bank who were responsible for SWIFT operations; the attackers used spear-phishing and a hidden named-pipe file-sharing feature in VDI software to move data from an internal segregated network out to C2 infrastructure. The bank malware is identified as Manuscrypt: files such as corems.dll and amanuv.dll search for SWIFT-related hosts, activate the vmsal.exe named-pipe path, collect files, and post the data as multipart form submissions. The Andariel-linked VANXATM operation targeted a South Korean ATM operator, abusing an antivirus zero-day and weaknesses in the ATM update server to deploy RAT and exfiltration components and leak card data from journal files. The cryptocurrency-exchange section describes phishing that impersonated Korean public institutions, malicious HWP attachments using Ghostscript, and mobile malware used to bypass SMS authentication during attacks on four South Korean exchanges.

Indicators of Compromise

