NATION-STATE MONEYMULE'S HUNTING SEASON
2018-03-23 • FSI
The Black Hat presentation links Lazarus, Bluenoroff, Andariel, and Reaper/APT37 to financially motivated and espionage-focused attacks against banks, cryptocurrency exchanges, ATM operators, defense, government, and South Korean users. It describes a March 2017 Bluenoroff intrusion into a top South Korean bank where spear-phishing and a VDI named-pipe file-sharing weakness allowed Manuscrypt components such as corems.dll and amanuv.dll to search for SWIFT-related hosts and move data toward C2 infrastructure. The Andariel-linked VANXATM case abused an antivirus zero-day and ATM update-server weaknesses, including unauthenticated updates and unencrypted FTP credentials, leading to large-scale card-data leakage from an ATM operator. The cryptocurrency-exchange campaign used phishing that impersonated public institutions, malicious HWP files leveraging Ghostscript behavior, stolen or attacker-created email accounts, and mobile malware to bypass SMS authentication.
Indicators of Compromise