Analysts find connection between North Korean military and crimeware organization TrickBot

Researchers with SentinelLabs say they have found one of "the first known links between cybercrime groups and nation-state actors."


Cybersecurity analysts at the newly formed SentinelLabs say they have found some of the first hard links between the crimeware organization TrickBot and Lazarus Group, the cyberwarfare division of the North Korean military's Reconnaissance General Bureau.

Since debuting in the fall of 2016 as banking malware, TrickBot has evolved into an example of the burgeoning cybercrime-as-a-service movement, researchers found.

SentinelLabs lead cybersecurity researcher Vitali Kremez said TrickBot is "a flexible, universal, module-based crimeware solution" that "has been evolved to specifically attack corporations" using automation, decentralization and integration to increase the power of its attacks.

"Cybercrime groups like TrickBot, who offer their cybercrime-as-a-service to criminal entities with various goals and objectives, are always looking to break into new markets and find other hacking outfits to sell their malware kits to," Kremez said. 

"But because many nation-state groups rarely have monetary goals, it has been notable for TrickBot to gain a foothold in this arena. Evidence of them now being linked to previously advanced persistent threat malware like Lazarus is indicative of a quantum shift in the world of cybercrime."

Lazarus Group Attacks

Last year the US Department of Justice released a 179-page indictment of 34-year-old Lazarus Group member Park Jin Hyok for dozens of attacks attributed to the North Korean group.

US officials said the attacks included the WannaCry ransomware outbreak of 2017, an attempted hack on Lockheed Martin in 2016, the daring 2016 Bangladesh Central Bank cyberheist, the Sony Pictures hack in 2014, breaches at AMC Theaters, and multiple attacks on South Korean news organizations, banks and military entities over the last decade.

"The facts set forth in this affidavit describe a wide-ranging, multi-year conspiracy to conduct computer intrusions and commit wire fraud by co-conspirators working on behalf of the government of the Democratic People's Republic of Korea, commonly known as 'DPRK' or 'North Korea,' while located there and in China, among other places," FBI agent Nathan Shields wrote. 

"The conspiracy targeted computers belonging to entertainment companies, financial institutions, defense contractors, and others for the purpose of causing damage, extracting information, and stealing money, among other reasons."

Lazarus Group has been associated with other attacks on financial institutions across the world since 2015, and most recently, stole $10 million from Banco de Chile. This heist is what helped Kremez and his team connect Lazarus to TrickBot, he said. 


In a lengthy study and corresponding blog post, SentinelLabs researchers Joshua Platt, Jason Reaves and Kremez explained the sophistication and power of both Lazarus Group and TrickBot while detailing the newfound links between the two.

"The ability to seamlessly integrate the advanced persistent threat into a monetization business model is evidence of a quantum shift. 

"By accomplishing this integration, TrickBot overtly demonstrates that they have achieved a qualitatively new level of a cybercrime enterprise, which was never seen before in magnitude and complexity superseding and dethroning the legacy of its previous inspirations and its playground known as 'Business Club.'"

TrickBot initially focused its energy primarily on attacking Australian banks but moved on to hit financial institutions in New Zealand, the United Kingdom, Germany and Canada. What makes TrickBot so effective is its ability to add more capabilities and evolve, researchers said.

By 2017, Kremez said the malware had advanced automation built into it, allowing for "worm-like spreading within the network after the initial infection."

The SentinelLabs report said TrickBot was able to "Uberize" its work by essentially "subletting" its tools to other groups attempting to perform different kinds of hacks, using a combination of other malware including the highly infective Emotet, IcedID/BokBot and Gozi ISFB v2.

"TrickBot and its modules acted in the following major ways: a perfect information stealer grabbing personal information, which was then sold on the underground and used privately; a banker, stealing corporate data which was monetized through account takeover and card fraud; a distributor, delivering ransomware; and a cryptominer," the report added.

"Decentralization created a flexible business model, where TrickBot offered attack tools to vetted vendors and used the tools of others to increase the infectivity. In blurring the lines between breaches, data theft, ransomware, and cyber fraud, the group has almost reached the pinnacle, and almost united the cybercrime territories. However, there was one final challenge separating TrickBot from perfection — the advanced persistent threats."

Project Anchor

The SentinelLabs report said normally, TrickBot developers would have no reason to perform the kind of advanced persistent threat attacks that military groups engage in. Military operations generally aim to infiltrate systems and stay hidden so they can gain as much information as possible for as long as possible. 

But Kremez said that for the last 18 months, Lazarus Group members have been empowered by their superiors within the North Korean military's "Bureau 121" to attack cryptocurrency exchanges, financial institutions, non-governmental organizations and South Korean individuals. 

"Many North Korea cyber operators are likely not only self-funded but also tasked with earning income for the North Korean regime; Lazarus Group has likely targeted banks, cryptocurrency exchanges and users to achieve this goal," Platt, Reaves and Kremez write in the blog post.

The two became united in a TrickBot project named "Anchor." The SentinelLabs report describes the project as a jack-of-all-trades hacking toolkit, giving users "an all-in-one attack framework designed to compromise enterprise environments using both custom and existing toolage."

TrickBot made a name for itself on the cybercrime scene by being flexible and customizing its tools for specific clients. Anchor is another step forward for the group, giving its customers a "complex and stealthy tool for targeted data extraction from secure environments and long-term persistency."

"Logically, this tool will be a very tempting acquisition for high-profile, possibly nation-state groups. However, the Anchor is also used for large cyber heists and point-of-sale card theft operations leveraging its custom card scraping malware. Among the nation-state groups, only a few are interested in both data collection and financial gain, and one of them is Lazarus," the report said.

In an interview, Kremez said his team found first-of-its-kind technical evidence connecting the Lazarus tool "PowerRatankba" to the TrickBot "Anchor" project infrastructure, among dozens of other pieces of evidence. 

Kremez pointed back to the Banco de Chile heist, saying that his team found evidence of Lazarus using the TrickBot Anchor infrastructure to deploy their "PowerRatankba" tool within hours of the bank heist.

"The integration of these tools into the Anchor implies that TrickBot was able to overcome the final barrier in integrating different domains into its model. By integrating the advanced persistent threat approach to its model, the group turned its enterprise into a holistic ecosystem of cybercrime, becoming an essentially new phenomenon," the report said. 

"In this ecosystem, crimeware and advanced persistent threat are no longer siloed; on the opposite, each type of crime creates added value for the other, each becomes a force multiplier."
