@iageely

Kaspersky Lab has revealed the results of an investigation, lasting more than a year, into the activity of the “Lazarus” gang responsible for stealing $81 million from the Central Bank of Bangladesh in 2016. Through forensic analysis of evidence the gang left behind in banks in Southeast Asia and Europe, Kaspersky Lab gained a deep understanding of the malicious tools and the modus operandi the gang uses when attacking financial institutions, developers of software for investment companies, and institutions dealing in cryptocurrencies around the world. The information gathered helped disrupt at least two other operations aimed at stealing large sums of money from financial institutions. In the Bangladesh heist itself, the attackers attempted to steal $851 million and succeeded in transferring $81 million, making it one of the largest and most successful cyber thefts ever. Based on the forensic analysis of these attacks, Kaspersky Lab researchers were able to reconstruct the gang's modus operandi:

• Initial compromise: a single system inside a bank is breached, either through vulnerable code that is reachable remotely (e.g. on a web server) or through a watering hole attack.

• Establishing a foothold: once the victim's machine is infected with malware, the gang moves on to other hosts in the bank's environment and deploys a persistent backdoor.

• Internal reconnaissance: the gang may spend days or weeks learning how the network works and identifying valuable resources.

• Spreading the malware and stealing the money.

Although the attackers were careful to remove any trace of their presence, there was at least one server the gang had hacked for use in another attack. On this server the gang made a critical mistake and left behind another important piece of evidence. While the operation was being prepared, the server was being configured as the command and control centre for the malware. The connections made on the day it was configured came from a number of VPN servers, indicating a testing period for the command and control server. However, one of them was a brief connection originating from a very rare IP address range in North Korea.
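As an added illustration (this is not Kaspersky's tooling and does not come from the report), the following Python script shows the kind of triage an analyst might run over a seized command and control server's access log: connections arriving through known VPN or proxy exits are expected during a test period, so a one-off, brief connection from an unrelated network stands out. The log lines, timestamps and the "known VPN exit" ranges are constructed for the example and use RFC 5737 documentation addresses rather than any real provider or country range.

```python
"""Flag one-off sources in a C2 server's access log during a test period.

All data below is constructed for illustration: the VPN exit ranges and the
log lines are invented and use documentation address blocks.
"""
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed: address blocks an analyst has already attributed to commercial
# VPN/proxy exit nodes (hypothetical, not real provider ranges).
KNOWN_VPN_EXITS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed access log for the C2 host on the day it was configured.
# Fields: timestamp  source_ip  session_seconds
SAMPLE_LOG = """\
2016-01-01T08:02:11Z 192.0.2.15 184
2016-01-01T08:09:40Z 192.0.2.15 201
2016-01-01T08:31:05Z 198.51.100.7 95
2016-01-01T09:14:52Z 192.0.2.88 342
2016-01-01T09:47:19Z 203.0.113.77 4
2016-01-01T10:05:33Z 198.51.100.7 120
2016-01-01T11:22:48Z 192.0.2.15 77
"""


def parse_log(text: str) -> List[Dict]:
    """Parse the whitespace-separated log into records with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, secs = line.split()
        records.append({"ts": ts, "ip": ipaddress.ip_address(ip), "secs": int(secs)})
    return records


def is_known_vpn(ip, known=KNOWN_VPN_EXITS) -> bool:
    """True if the address falls inside any block on the VPN/proxy exit list."""
    return any(ip in net for net in known)


def flag_rare_sources(records, known=KNOWN_VPN_EXITS, max_secs: int = 30) -> List[str]:
    """Return source IPs that are outside the known exits, appear only once,
    and had a brief session. A single short connection from an unexpected
    network is the kind of operator slip worth a closer look."""
    counts = Counter(r["ip"] for r in records)
    flagged = []
    for r in records:
        if is_known_vpn(r["ip"], known):
            continue
        if counts[r["ip"]] == 1 and r["secs"] <= max_secs:
            flagged.append(str(r["ip"]))
    return flagged


def summarize(records, known=KNOWN_VPN_EXITS) -> Dict:
    """Per-/24 view of how many connections came via known exits vs. elsewhere."""
    buckets = Counter()
    for r in records:
        net = ipaddress.ip_network(f"{r['ip']}/24", strict=False)
        label = "vpn" if is_known_vpn(r["ip"], known) else "other"
        buckets[(str(net), label)] += 1
    return dict(buckets)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (net, label), n in sorted(summarize(recs).items()):
        print(f"{net:<18} {label:<6} {n}")
    print("flagged:", flag_rare_sources(recs))
```

A hit from this script is a lead, not an attribution: the exit list has to be maintained, operators also route through compromised hosts rather than commercial VPNs, and a source address on its own says nothing about who was at the keyboard. The value is in narrowing a day of test connections down to the one session that does not fit the pattern, which is what then gets correlated with other evidence.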

Ibrahim Aqili (Jeddah)