Lazarus Group Uses KillDisk as a Distraction for SWIFT Attacks

What Is It?

The activities of the Lazarus Group, also known as Hidden Cobra, have been the subject of a previous Threat Report relating to its use of destructive malware. Recent reports regarding attacks on banks in Mexico and Chile describe Lazarus as continuing to use destructive malware as part of its attacks.

On May 24, computers located in branches and offices of Chile’s largest bank, Banco de Chile, rebooted and displayed a system message that there was no valid disk to boot from. It is believed this affected approximately 9,000 Windows computers and 500 Windows servers. Subsequent investigations determined the cause was a variant of the KillDisk destructive malware, which had destroyed the master boot record (MBR) on these systems, rendering them unbootable.

However, making these systems unusable was not the primary objective of this attack. The destructive malware was used, very effectively, as a distraction while the attackers compromised bank systems connected to the SWIFT interbank transfer network. In this case, the attackers succeeded in transferring approximately US$10 million.

This matches the attack profile of the attempted theft of $110 million from Mexico’s state-owned trade bank, Bancomext, in January 2018. In April 2018, attacks on three Mexican banks attempted to compromise SPEI, Mexico’s own interbank electronic transfer system.

Destructive malware attacks have been increasing since 2017.

The malware itself is very straightforward and focused in purpose. It gains access to each physical hard drive on the system and overwrites the first 512 bytes of the disk, the sector that holds the MBR, with zeros. The malware contains no command-and-control (C2) functionality or any worm-like self-propagation capability. It is packed with VMProtect, an executable protector, which makes it difficult to determine the sample’s true purpose when reverse engineering it.
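Because the damage described above is confined to sector 0 of each drive, an incident responder can triage an affected disk image by parsing only its first 512 bytes. The following script is an added example, not code from the report or from BluVector; it assumes the standard MBR layout (partition table at offset 446, 0x55AA boot signature at offset 510) and uses constructed sample sectors in place of a real forensic image.

```python
import struct

# Standard MBR layout: four 16-byte partition entries begin at offset 446
# and the two-byte 0x55AA boot signature sits at offset 510.
SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
# Per entry: status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped),
# starting LBA, sector count -- all little-endian.
PART_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Classify a 512-byte sector 0 as 'intact', 'wiped' or 'corrupt'.

    'wiped' means every byte is zero, the state KillDisk leaves behind;
    'corrupt' means the sector is not blank but lacks the boot signature.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype != 0:  # a type byte of 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    if not any(sector):
        verdict = "wiped"
    elif signature_ok:
        verdict = "intact"
    else:
        verdict = "corrupt"
    return {"partitions": partitions, "signature_ok": signature_ok, "verdict": verdict}


def read_first_sector(path: str) -> bytes:
    """Read sector 0 from a disk image or raw device file for triage."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: one bootable type-0x07 partition at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


HEALTHY_MBR = build_sample_mbr()   # constructed: intact disk
WIPED_MBR = bytes(SECTOR_SIZE)     # constructed: sector 0 overwritten with zeros

if __name__ == "__main__":
    for name, sec in (("healthy", HEALTHY_MBR), ("wiped", WIPED_MBR)):
        print(name, parse_mbr(sec)["verdict"])
```

On a real case, pass `read_first_sector("/path/to/image.dd")` to `parse_mbr` and treat a "wiped" verdict across many hosts as a signal to look beyond the outage itself, since the report describes the wipe as cover for activity elsewhere.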

Distraction is a tactic used by adversaries and remains effective in the cyber security realm. Even large financial organizations have a finite number of IT and cyber security resources, a fact these and other attackers leverage. While those resources are fully occupied identifying, containing and mitigating the source of the system failures, the attackers target the SWIFT systems and attempt to gain access and make unauthorized transfers. Previously, attackers have routinely used distributed denial of service (DDoS) attacks as a distraction. A destructive malware distraction is even more insidious, however, given the additional time and the monetary and reputational costs of a public service outage and of returning affected systems to operation.

How Does It Propagate?

As described, the malware does not contain the code needed to self-propagate. The initial infection vector of these attacks is not currently publicly known, though these attackers have previously entered corporate networks by compromising remote access tools.

When/How Did BluVector Detect It?

Two samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown the samples would have been detected an average of 52 months prior to their release.
