Hacker group suspected of North Korean ties breaches Chilean interbank network operator using a fake 'job advertisement'


by Brian Klug

It has come to light that the international hacker group Lazarus (also tracked as HIDDEN COBRA), widely believed to be linked to North Korea, broke into the network of the company that interconnects Chile's ATM infrastructure in late December 2018. The reported entry method was a fake job advertisement followed by a Skype call.

[EXCLUSIVE] This is how the December cyberattack attempt against Redbanc unfolded - TrendTIC
http://www.trendtic.cl/2019/01/exclusivo-asi-fue-el-intento-de-ciberataque-a-redbanc-en-diciembre/

North Korean hackers infiltrate Chile's ATM network after Skype job interview | ZDNet
https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/

The Lazarus group is known for DDoS attacks against the South Korean government and for cyberattacks on financial targets such as banks and cryptocurrency exchanges. North Korea is widely believed to be behind the group, but there is still no confirmation that North Korea is the mastermind.

In late December 2018, Lazarus group operators intruded into the computer network of Redbanc, the company responsible for Chile's interbank network and ATM interconnection. Redbanc did not initially disclose the incident; it became public when Chilean senator Felipe Harboe tweeted about the hack against Redbanc.


Redbanc subsequently acknowledged the attack, and media reporting attributed it to the Lazarus group and identified a job advertisement on the business-oriented social network LinkedIn as the initial lure. A recruiter profile apparently operated by the Lazarus group posted fake job advertisements on LinkedIn and waited for applicants from the targeted organization.

When a Redbanc employee applied, the attackers held a Skype call with the employee in Spanish. Having won the employee's trust this way, they asked them to run a program named "ApplicationPDF.exe". The program was disguised as a tool for generating the résumé required by the recruitment process, and because antivirus software did not flag it, the employee ran it without suspicion.

According to analysis by Flashpoint, a US threat-intelligence company, ApplicationPDF.exe installed PowerRatankba, malware used in earlier Lazarus group attacks. The malware collected information about the employee's work PC and sent it to a remote server.
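The chain above (a résumé-tool lookalike executable, handed over during a chat-client conversation and run from a user's download folder, that antivirus did not flag) is the kind of thing an endpoint triage rule can catch from context rather than from signatures. The following Python is an added illustration, not code from the original article, from Flashpoint, or from Redbanc's monitoring system: it scores constructed process-creation records for document-lookalike names, double extensions, user-writable launch paths and messaging-client parents. The field names (loosely modelled on Sysmon process-creation events), sample paths and the alert threshold are all assumptions of this example.

```python
import re

# Process-creation records constructed for this example; they are not real Redbanc
# telemetry. Field names are an assumption loosely following Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\analyst\Downloads\ApplicationPDF.exe",
     "ParentImage": r"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Programs\Python\Python39\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\bob\Downloads\Resume.pdf.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

# Words that make an executable look like a document or recruiting paperwork.
DOC_TOKENS = re.compile(r"(pdf|docx?|xlsx?|pptx?|resume|cv|curriculum|application|invoice)", re.I)
# Extensions Windows will execute directly.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta")
# Locations an ordinary user can write to (and therefore drop a downloaded file into).
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|Desktop|Documents|AppData)|Temp)\\", re.I)
# Parents that indicate "a person was just talking to someone or browsing".
MESSAGING_PARENTS = {"skype.exe", "teams.exe", "slack.exe", "telegram.exe",
                     "outlook.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def score_event(ev):
    """Return (score, reasons) for one process-creation record."""
    reasons = []
    image = ev["Image"]
    name = basename(image).lower()
    stem = name.rsplit(".", 1)[0]
    if name.endswith(EXEC_EXT) and DOC_TOKENS.search(stem):
        reasons.append("document-lookalike executable name")
    if name.endswith(EXEC_EXT) and name.count(".") >= 2:
        reasons.append("double extension")
    if USER_WRITABLE.search(image):
        reasons.append("executed from user-writable path")
    if basename(ev.get("ParentImage", "")).lower() in MESSAGING_PARENTS:
        reasons.append("launched from messaging or browser client")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Return alert dicts for every event whose score reaches the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"image": ev["Image"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["score"], alert["image"], "; ".join(alert["reasons"]))
```

The point of scoring several weak signals rather than matching a hash is that the lure binary here passed antivirus; the name, launch location and the Skype parent are what a reviewer would have noticed. A real deployment would tune the token list and threshold against local baselines, since legitimate installers also run from Downloads with a browser parent.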

Although malware reached Redbanc's computer network, Redbanc explained: "Because the monitoring system detected abnormal behavior in the network, the threat was blocked and there was no major impact on the ATM network."


by Burst

in Software,   Web Service,   Security, Posted by log1h_ik