Menu
Shared malware code links SWIFT-related breaches at banks and North Korean hackers

Shared malware code links SWIFT-related breaches at banks and North Korean hackers

The malware used to steal $81 million from Bangladesh Bank has links to the 2014 attack on Sony Pictures

Malware links suggest that North Korean hackers might be behind recent attacks against several Asian banks, including the theft of US$81 million from the Bangladesh central bank earlier this year.

Security researchers from Symantec have found evidence that the malware used in the Bangladesh Bank cyberheist was used in targeted attacks against an unnamed bank in the Philippines. The same malware was also previously linked to an attempted theft of $1 million from Tien Phong Bank in Vietnam.

Symantec confirmed the earlier findings of researchers from BAE Systems who found code similarities between the Bangladesh Bank malware, which was used to modify SWIFT transfers, and the malicious program used in attacks against Sony Pictures Entertainment in December 2014.

The U.S. government attributed the Sony attack to North Korea. FBI Director James Comey said last year he had "very high confidence" in that attribution despite denials from the North Korean government and the skepticism of some security researchers.

The hacker group behind the Sony attack is known in the computer security industry as Lazarus and has been active since at least 2009, primarily targeting organizations from the U.S. and South Korea. One of the malware programs in the group's toolset is called Backdoor.Contopee.

"Symantec has identified three pieces of malware which were being used in limited targeted attacks against the financial industry in South-East Asia: Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee," the Symantec researchers said in a blog post.

Backdoor programs provide unauthorized access to a computer, but their presence doesn't necessarily reveal the attackers’ end goal. However, the motivation for those targeted attacks became clearer when similar code was found in Trojan.Banswift, which was used in the Bangladesh attack to manipulate SWIFT transactions, and earlier versions of Backdoor.Contopee, the researchers said.

The primary link is a portion of code that wipes files using a unique routine. It is shared by Trojan.Banswift and Backdoor.Contopee.

The file-wiping code has not been found in other malware programs, and Backdoor.Contopee was used by Lazarus in targeted attacks against banks in the region. Those connections led the Symantec researchers to believe Trojan.Banswift was also created by the same group.

"The discovery of more attacks provides further evidence that the group involved is conducting a wide campaign against financial targets in the region," the Symantec researchers say.

The announcement comes after a Bloomberg report that up to a dozen banks from Southeast Asia have hired security firm FireEye to investigate potential security breaches and SWIFT irregularities on their networks.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Events

Featured

Slideshows

Channel kicks 2021 into gear as After Hours returns to Auckland

Channel kicks 2021 into gear as After Hours returns to Auckland

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Pantry at Park Hyatt in Auckland to kick-start 2021.

Channel kicks 2021 into gear as After Hours returns to Auckland
The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

The leading female front runners of the New Zealand ICT industry joined together for the annual Reseller News Women in ICT Awards event at the Hilton in Auckland, during which hundreds of guests celebrated 13 outstanding individuals who won awards, chosen from more than 50 finalists representing over 30 organisations.

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards
Show Comments