lazarusholic

Everyday is lazarus.dayβ

Evidence of Stronger Ties Between North Korea and SWIFT Banking Attacks

2016-05-27, Anomali
https://www.anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks
#BangSwift

Contents

Five new additional pieces of malware code discovered that contain unique portions of code related to the SWIFT attacks.
Recently, malware analysts at Symantec discovered two subroutines that were shared amongst North Korea’s Lazarus group’s Operation Blockbuster malware and two samples of malware from the recent SWIFT attacks.
The shared subroutines are displayed as evidence to relate the SWIFT intrusion activity to the Lazarus group. Symantec’s analysis was utilized in The New York Times story on May 27, 2016. Their findings supported a claim that these were the only two pieces of software with this shared code.
The Anomali Labs team has conducted deeper research into a very large malware data repository. This process utilized the YARA signature below to search for the shared subroutines. At first, we believed it would produce a lot of false positives. Instead, this search not only failed to result in any false positives, but also …

IoC
