Friday, December 8, 2023

Lazarus Hackers Group Attack Financial Organizations using a Powerful Backdoor

Widely active cyber criminal group Lazarus targeting financial organizations across Latin America by installing a backdoor into the targeting systems.

Same hacking groups already targeted various financial organization around the world using various advanced tools and techniques.

Recent activities by this Lazarus APT group hits the cryptocurrency exchanges using fake installer and macOS malware using variously sophisticated techniques.

Also, they breach bank networks and compromises the switch application servers handling ATM transactions in a very recent attack in this November.

Very recent attack detected in on September 19, 2018, from several machines that contain a backdoor which is already used in previous attack 2017 using a similar FileTokenBroker.dll.

New attacks method of launching, function, the loading component is very similar to both current and previous incidents.

How Does this Backdoor Works

There are 3 major components are involved with this backdoor’s in a current module that distributing the Lazarus cyber criminals groups.

Initially, a first component AuditCred.dll/ROptimizer.dll used to launch as a service, second component Msadoz<n>.dll is the main backdoor, Third component Auditcred.dll.mui/rOptimizer.dll.mui is an encrypted configuration file.

Loader installs its component in the different machine once it infects the targeted machine also it using different names such as AuditCred and ROptimizer on a different machine with the same capability.

Second component Msadoz<n>.dll load & encrypted to act as the main backdoor into memory.

According to Trend Micro report, if successfully installed, this particular backdoor poses quite a threat to its target. It is capable of the following functions:

  • Collect file/folder/drive information
  • Download files and additional malware
  • Launch/terminate/enumerate process
  • Update configuration data
  • Delete files
  • Inject code from files to other running process
  • Utilize proxy
  • Open reverse shell
  • Run in passive mode — instead of actively connecting to the command and control (C&C) server, the backdoor will open and listen to a port then receive commands through it.

Once the backdoor successfully launched then the configuration file will connect to the command & control server in order to perform various malicious activities and share the stolen data.

The backdoors they are deploying are difficult to detect and a significant threat to the privacy and security of enterprises, allowing attackers to steal information, delete files, install malware, and more. Researchers said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can check the Vulnerability Management Analysis to keep your self-updated.

Website

Latest articles

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Related Articles