Lazarus group suspected to be behind the attack against Chilean ATM network

• Lazarus group is suspected to be responsible for the recently disclosed cyber attack on the Chilean interbank network Redbanc.
• The attack involved PowerRatankba, a malware toolkit previously linked to the APT group hacks.

Redbanc is the company that interconnects the ATM infrastructure of all Chilean banks. In December 2018, Redbanc was hit by a massive cyber attack. Researchers suspect North Korea-linked advanced persistent threat (APT) group also known as Lazarus group to be behind the attack against Redbanc.

Researchers identified the source of the attack as a LinkedIn ad for a developer position at another company to which one of the Redbanc employees applied. The hiring company conducted the interview in Spanish via a Skype call. During the interview, the Redbanc employee was asked to download, install, and run an application form named ApplicationPDF[.]exe.

PowerRatankba malware as a payload

Researchers detected that the file downloaded and installed PowerRatankba, a malware strain previously linked to Lazarus Group hacks.

Researchers from Flashpoint described the dropper sample as a Microsoft Visual C#/ Basic .NET (v4.0.30319)-compiled executable that contains the logic to call the server and download a PowerRatankba PowerShell reconnaissance tool.

“Lazarus attacks appear to reportedly rely on social media and trusted relationships, which may elevate their abilities to execute and install their payloads,” Vitali Kremez of Flashpoint explained in a blog.

Kremez explained in the blog that once the PowerRatankba malware is installed, it collects information about the Redbanc employee's work PC such as PC’s username, hardware, OS details, proxy settings, list of current processes, and the status of its RDP connection. The collected information is then sent to a remote server.

“The collected information would have been able to tell the hackers what computer they infected, and later decide if they'd want to deliver a second stage payload in the form of a more intrusive PowerShell script,” Kremez wrote.