The Lazarus advanced persistent threat group, which has links to North Korea, was observed using a modular backdoor during the past week to compromise a series of Latin American financial institutions, according to Trend Micro's Lenart Bermejo and Joelson Soares.
As unearthed by the Trend Micro research team, the APT38 threat group successfully compromised a number of computing systems owned by multiple financial institutions in Latin America.
Lazarus used a backdoor malware to infiltrate its targets, with the malicious tool being discovered on the impacted systems sometime during the past week.
Moreover, according to Trend Micro, Lazarus' backdoor was planted on the Latin American financial institutions' computers on September 19, based on the creation time of the services it started once it managed to compromise its targets.
Lazarus' backdoor uses three separate components to fully take over its targets: AuditCred.dll/ROptimizer.dll is the loader launched as a service, Msadoz.dll is the actual encrypted backdoor, and Auditcred.dll.mui/rOptimizer.dll.mui is the malware's encrypted configuration file.
"The loader DLL is installed as a service and uses different names (AuditCred and ROptimizer) on different machines," said Trend Micro in their analysis. "However, they still have the same capabilities and are essentially the same file. Its purpose is to load Msadoz.dll in order to decrypt and execute it in memory."
The Lazarus backdoor can download additional malware on compromised systems
Once Lazarus' backdoor managed to infiltrate a financial institution's computing systems, it could perform an extensive range of tasks: collecting system information, opening reverse shells, downloading additional malware, deleting local files, updating its configuration, managing local processes, and injecting code into already running processes.
Trend Micro also noticed that the APT38 backdoor used a convoluted storage setup designed to obfuscate its presence and make removal as hard as possible, with the loader stored in one location and the encrypted backdoor holed up somewhere else on the drive.
This new Lazarus attack campaign discovered by Trend Micro is just as sophisticated as the others the APT group has been involved in, with highly complex malware tools designed to avoid detection and, when possible, to render the victims' computing systems unusable after the group has stolen funds or exfiltrated the data it targets.
To date, Lazarus has been observed conducting highly complex operations in at least 11 countries around the globe, according to FireEye, and the group has demonstrated its willingness to go as far as necessary: destroying all tracks left behind and even rendering the networks it attacks inoperable if the situation requires it.