Lazarus Hackers Used Hermes Ransomware to Cover Up Big Bank Heist
posted date: 03/11/2017
Evidence indicates that the notorious Lazarus Group, a hacking team believed to operate from North Korea, is behind the recent breach of the Far Eastern International Bank (FEIB) in Taiwan.
The hack took place at the beginning of October, when FEIB's IT team detected rogue activity. Someone had wired around $60 million to international banks located in Cambodia, Sri Lanka and the USA.
The event drew the attention of the global press because it was the latest episode in a series of bank attacks in which criminals used malware to take control of banks' SWIFT accounts and abused the inter-bank SWIFT system to initiate transactions and move money abroad. Several of these episodes have been linked to the tactics and procedures associated with the Lazarus Group.
In total, experts discovered nine unique malware strains used in the FEIB heist. Three of them shared characteristics with past Lazarus Group malware; the other four were components of the Hermes ransomware.
The attackers used spear-phishing to penetrate computer systems inside FEIB's environment. Fake email messages carried infected MS Office documents that planted malware on employees' PCs.
Once the hackers had mapped the network and identified the machines with access to sensitive information, they installed custom malware. This happened on October 1. A couple of days later, Lazarus used an employee's login credentials to get into the bank's SWIFT account and divert funds to several overseas banks.
Researchers note that the transactions were tagged with the MT202COV and MT103 message codes, but the MT202COV code was used incorrectly, which helped the security team discover the heist.
As soon as FEIB discovered the fraudulent transactions, the Lazarus team noticed and deployed the Hermes ransomware across the network to hinder any analysis, encrypting and destroying as much evidence of the intrusion as possible.
Experts pointed out that the installation and execution of the ransomware was unusual. The ransomware they employed was not the original Hermes but a customized strain.
The Hermes variant used on FEIB's systems did not change the compromised computer's desktop wallpaper and did not create an elaborate ransom note like the original Hermes note.
Overall, this bank heist fits neatly into the Lazarus Group's traditional modus operandi and follows the same routine as past SWIFT-based attacks.