A group of hackers behind a sophisticated campaign targeting financial organizations around the world intentionally planted evidence into their malware in an attempt to blame Russia.
Russian words used as a decoy by "Lazarus" to attribute bank attacks to Russia
Security researchers from BAE Systems have discovered false flags in a malware sample used in recent attacks against several Polish banks, planted in an unsuccessful attempt to trick security experts into attributing the attack to Russia-based hackers. The researchers found multiple commands and strings that appear to have been transliterated into Russian using online translation tools.
"Once the bot has established communication with the remote C&C, it uses several transliterated Russian words to either indicate the state of its communication or issue backdoor commands," researchers said.
"In some cases the inaccurate translations have transformed the meaning of the words entirely," the research group said in a blog post. "This strongly implies that the authors of this attack are not native Russian speakers and, as such, the use of Russian words appears to be a 'false flag'."
Earlier in February, Symantec and BAE Systems reported that several banks in Poland had been infected with a new piece of malware. The security researchers obtained and analyzed additional malware samples from an attack campaign that has, in total, targeted 104 organizations in 31 different countries, most of them banks. The attacks on Polish banks were also linked to this broader campaign, which was tracked to the Lazarus Group threat actor.
Lazarus is a sophisticated threat actor that has been active since 2009, targeting governments, military, journalists, aerospace, financial, and manufacturing organizations. The targets of this group have been predominantly in South Korea and the United States.
Lazarus Group was linked to the 2014 attack on Sony Pictures Entertainment, which the FBI and US intelligence agencies blamed on North Korea. The $81 million Bangladeshi bank heist was also attributed to Lazarus last year.
Security experts routinely check for indicators that could lead to a wrong attribution, since attackers plant false flags to shift blame onto other groups and send investigators down a false trail. Although Lazarus, which is currently being blamed for the bank attacks worldwide, added several false flags to make the malware look as if it had been developed by Russian-speaking hackers, the technical evidence ties the malware to Lazarus, researchers said.
While it is not uncommon for criminal threat actors to try to throw investigators off the track, the recent focus on Russian hackers following the 2016 US election could be one reason why Lazarus added Russian words to the malware.
"Clearly the group behind these attacks are evolving their modus operandi in terms of capabilities – but also it seems they’re attempting to mislead investigators who might jump to conclusions in terms of attribution," researchers added.