Lazarus conducting new attacks against financial institutions across Latin America

• Lazarus successfully planted its backdoor into several machines operated by Latin American financial organizations.
• The backdoor is capable of stealing files, downloading additional malware, deleting files, running in passive mode, and more.

The North Korean hacker group Lazarus has turned its attention to financial institutions in Latin America. The hacker group gained notoriety for its attacks on high-profile targets like Sony and the Bangladesh Bank. However, the group continues to persistently evolve and conduct heists across the globe.

In its most recent campaign, Lazarus was spotted successfully implanting its backdoor into several machines operated by Latin American financial organizations. According to Trend Micro researchers, who uncovered the new attacks, Lazarus’ new campaign began in September.

The backdoor used by Lazarus in the new campaign is capable of stealing files, downloading additional malware, deleting files, running in passive mode, and more.

“Once the backdoor is loaded, it will then load the encrypted configuration file Auditcred.dll.mui/rOptimizer.dll.mui to extract the C&C information and connect to it,” Trend Micro researchers said in a blog. “The connection is necessary for conducting activities; and based on the backdoor’s functions, these actions could be quite damaging to targets.”

What makes the backdoor hard to detect is that while the configuration file and the loader component of the backdoor are located in the same directory, the encrypted backdoor is located in a different directory.

“The Lazarus group is an experienced organization, methodically evolving their tools and experimenting with strategies to get past an organization’s defenses. The backdoors they are deploying are difficult to detect and a significant threat to the privacy and security of enterprises, allowing attackers to steal information, delete files, install malware, and more,” Trend Micro researchers said. “The complexity and the capabilities of these backdoors present a tough problem for the targeted organizations. It is a sophisticated attack that needs equally sophisticated security solutions.”