TAIWAN HEIST: LAZARUS TOOLS AND RANSOMWARE
BACKGROUND
Reports emerged just over a week ago of a new cyber-enabled bank heist in Asia. Attackers targeting Far Eastern International Bank (FEIB), a commercial bank in Taiwan, moved funds from its accounts to multiple overseas beneficiaries. In a story reminiscent of the Bangladesh Bank case, the culprits had compromised the bank's system connected to the SWIFT network and used it to perform the transfers.
In recent days, various malware samples which appear to originate from the intrusion have been uploaded to malware repositories. These include known Lazarus group tools as well as a rare ransomware variant called 'Hermes', which may have been deployed to distract the bank's security team, or to cover the attackers' tracks, whilst the heist was taking place.
The timeline below provides an overview of the key events:
ANALYSIS
Several files have been uploaded to malware databases which appear to be related to this attack, including an archive titled “FEIB_Samples” submitted …
IoC
b27881f59c8d8cc529fa80a58709db36
rule Hermes2_1 {
    meta:
        date = "2017/10/11"
        author = "BAE"
        hash = "b27881f59c8d8cc529fa80a58709db36"
    strings:
        $magic = { 4D 5A }
        //in both version 2.1 and sample in Feb
        $s1 = "SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\"
        $s2 = "0419"
        $s3 = "0422"
        $s4 = "0423"
        //in version 2.1 only
        $S1 = "HERMES"
        $S2 = "vssadminn"
        $S3 = "finish work"
        $S4 = "testlib.dll"
        $S5 = "shadowstorageiet"
        //maybe unique in the file
        $u1 = "ALKnvfoi4tbmiom3t40iomfr0i3t4jmvri3tb4mvi3btv3rgt4t777"
        $u2 = "HERMES 2.1 TEST BUILD, press ok"
        $u3 = "hnKwtMcOadHwnXutKHqPvpgfysFXfAFTcaDHNdCnktA" //RSA Key part
    condition:
        $magic at 0 and all of ($s*) and 3 of ($S*) and 1 of ($u*)
}
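To make the quantifiers in the rule's condition concrete (every $s string, at least three $S strings, at least one $u string, and an MZ header at offset 0), the following is an added pure-Python re-implementation of that condition run over constructed buffers. It is not BAE's code and not a substitute for compiling the rule with yara; the buffers are made up for illustration and carry no real sample content beyond the rule's own strings.

```python
# Added example: mirror of the Hermes2_1 condition in plain Python, so the
# effect of "all of", "3 of" and "1 of" can be checked on constructed input.
# Not BAE's code; use yara/yara-python for real scanning.

# String groups copied byte-for-byte from the rule (ASCII, case-sensitive,
# which is YARA's default for plain text strings).
S_LOWER = [
    b"SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\",
    b"0419", b"0422", b"0423",
]
S_UPPER = [b"HERMES", b"vssadminn", b"finish work", b"testlib.dll", b"shadowstorageiet"]
U_STRINGS = [
    b"ALKnvfoi4tbmiom3t40iomfr0i3t4jmvri3tb4mvi3btv3rgt4t777",
    b"HERMES 2.1 TEST BUILD, press ok",
    b"hnKwtMcOadHwnXutKHqPvpgfysFXfAFTcaDHNdCnktA",
]


def hermes2_1_matches(data: bytes) -> bool:
    """Evaluate: $magic at 0 and all of ($s*) and 3 of ($S*) and 1 of ($u*)."""
    has_magic = data[:2] == b"MZ"  # $magic = { 4D 5A } must sit at offset 0
    n_s = sum(1 for s in S_LOWER if s in data)
    n_S = sum(1 for s in S_UPPER if s in data)
    n_u = sum(1 for s in U_STRINGS if s in data)
    return has_magic and n_s == len(S_LOWER) and n_S >= 3 and n_u >= 1


def build_sample(magic: bytes, *groups) -> bytes:
    """Construct a fake PE-like buffer: magic, padding, then NUL-separated strings."""
    body = b"\x00".join(s for group in groups for s in group)
    return magic + b"\x00" * 62 + body


if __name__ == "__main__":
    # Constructed buffers: a full hit, a buffer carrying only the strings
    # shared with the February sample, and a non-PE file with every string.
    cases = {
        "full_hit": build_sample(b"MZ", S_LOWER, S_UPPER[:3], U_STRINGS[:1]),
        "shared_strings_only": build_sample(b"MZ", S_LOWER),
        "not_a_pe": build_sample(b"\x7fELF", S_LOWER, S_UPPER, U_STRINGS),
    }
    for name, buf in cases.items():
        print(f"{name}: {hermes2_1_matches(buf)}")
```

Because the rule's strings are plain ASCII patterns, a build that stored them as wide (UTF-16) strings would not match; that is a property of the rule as written, not of any particular sample.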