North Korea's Hidden Cobra Hackers Target Turkey With Bankshot Malware

North Korea-linked hacker group Hidden Cobra aka Lazarus appears to be gearing up for a new cyberheist. The hacking group is widely considered to be responsible for perpetrating the infamous Bangladesh Bank hack that saw over $80m stolen. Security experts recently identified a new campaign which saw Hidden Cobra hackers target financial organziations in Turkey.

The hacker group's new campaign saw the resurgence of the Bankshot malware, which was used to target Turkish government and private financial institutions. Security experts suspect the hackers aimed to access specific Turkish financial organizations and may be planning a heist.

According to security researchers at McAfee, who discovered Hidden Cobra's latest malicious activities, the new attack appears to be fairly similar to previous ones conducted by the North Korea-linked hacker group. The targeted organizations were lured into the attack via spear phishing emails that contained a malicious Microsoft Word document. The malicious document came with an Adobe Flash exploit, recently made public by the Korean Internet Security Agency, which allows hackers to execute arbitrary code, such as an implant.

“Further investigation into this campaign and analysis of McAfee product telemetry shows that the infection occurred on March 2 and 3. The implant’s first target was a major government-controlled financial organization,” McAfee researchers said in a blog. “It next appeared in another Turkish government organization involved in finance and trade. A further three large financial institutions in Turkey were victims of this attack. The implant has so far not surfaced in any other sector or country. This campaign suggests the attackers may plan a future heist against these targets by using Bankshot to gather information.”

The Bankshot malware is capable of wiping files and other content from an infected system. The malware has also been designed to stay hidden on a targeted system, providing attackers with the opportunity to expand their attack. McAfee researchers say that although Bankshot is not designed to conduct financial transactions, it allows hackers to access victims and also perform reconnaissance.

According to the US CERT, Hidden Cobra hackers have used Bankshot to target multiple sectors, including the financial sector. The malware, which is also known as Trojan Manuscript, has also been linked to a major Korean bank hack. This particular variant of the malware was capable of searching for hosts connected to the SWIFT global banking network and shares the same control server strings as the Bankshot malware variant found targeting Turkey's financial sector. Based on these connections, McAfee researchers believe the new campaign is the work of Hidden Cobra.

“We have found what may be an early data-gathering stage for future possible heists from financial organizations in Turkey (and possibly other countries). In this campaign, we see the adoption of a recent zero-day Adobe Flash vulnerability to get the implant onto the victim’s systems,” McAfee researchers said. “The campaign has a high chance of success against victims who have an unpatched version of Flash. Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal. This is the first time that Bankshot has been tied directly to financial-related hacking and the first time it has been used since November 2017.”