Cybercrime , Cybercrime as-a-service , Cyberwarfare / Nation-State Attacks

North Korean Hackers Tapping Into TrickBot: Report

Researchers See Connections Between Lazarus Group and Crimeware Developers
North Korean Hackers Tapping Into TrickBot: Report

Hackers linked to the North Korean government are now renting the botnet created by TrickBot malware, as well as access to a highly customized malicious framework, to help further their goals - including targeting payment systems. So says a new report from SentinelLabs.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The report also points to growing cooperation among hackers backed by nation-states and cybercriminals, resulting in sharing data and profit.

The growing sophistication of crimeware and the ability of nation-state hackers to tap into these resources should make CISOs rethink their security defenses, Vitali Kremez, the head of SentinelLabs - the research arm of SentinelOne - tells Information Security Media Group.

"The maturity of the crimeware models and convergence of threats force us to rethink our defense focusing on how to thwart not only the most sophisticated threats but also crimeware threats that might mature into APTs," he says.

Blurring Lines

In another recent example of the blurring of the lines between cybercrime and nation-state attacks, the U.S. Department of Justice charged two Russian nationals, Maksim Yakubets and Igor Turashev, earlier this month with developing the notorious Dridex banking Trojan, which is believed to have helped the two steal more than $100 million from U.S. banks. Federal prosecutors believe that Yakubets now works with Russian intelligence and shares data that his malware takes from victims' devices (see: Two Russians Indicted Over $100M Dridex Malware Thefts).

"Many cybercrime groups try to achieve 'greatness' and earn millions. but only a few reach the level of Dridex and TrickBot," Kremez says. "The research demonstrates that the most sophisticated criminal groups get entangled with the nation-state actors - either it be the Dridex 'Evil Corp' and Russian [intelligence] and the TrickBot criminal enterprise with the North-Korean Lazarus Group."

TrickBot for Sale

SentinelLabs researchers say that the Lazarus Group, the advanced persistent threat group idely believed to be linked to the North Korean government, has been renting both the botnet created by the TrickBot malware as well as a customized framework developed by the criminal gang that oversees the TrickBot operation.

Since it was first developed in 2016, TrickBot has morphed from a banking Trojan into a versatile malware strain with worm-like capabilities that can act like a botnet, according to security researchers. It also has the ability to act as a dropper, meaning that after gaining a foothold on an infected system, it can install or "drop" additional malware - including ransomware - onto endpoints, as well as push additional functional modules (see: Malware Most Foul: Emotet, Trickbot, Cryptocurrency Miners).

The TrickBot gang has also created a crimeware-as-a-service model, renting out its capabilities to other cybercrime gangs and now hackers backed by nation-states, the SentinelLabs researchers note.

TrickBot expansion (Source: SentinelLabs)

SentinelLabs researchers found that the gang behind TrickBot has also developed a new framework called "Anchor" that members of the Lazarus Group have rented out for their own purposes. The North Korean hackers also rented out the botnet created by the TrickBot malware to help better hide their activity, the researchers add.

The Anchor framework is a series of modules and malicious tools that work together to help keep the attackers hidden within an infected network, giving them time to steal data and map the IT infrastructure of the target, according to both the SentinelLabs study and a new report from Cybereason.

The framework is designed to target enterprise-grade systems used by large organizations, according to the SentinelLabs report.

Each of the modules in the Anchor framework has a different purpose. For example, one allows the attackers to persist in an infected network and avoid detection from security software. Another targets point-of-sale devices, while a different tool can scrape RAM memory from card data. Plus, another module has the ability to clean a system after an attack, according to the two reports.

A Dual Mission

The ability for Anchor to target point-of-sale and other payment systems is significant because the Lazarus Group - which also goes by the name Hidden Cobra among other aliases - reportedly has a dual mission of providing cyberespionage capabilities to the North Korean government as well as stealing money to generate financial resources to regime (see: UN Report: N. Korea Targets Cryptocurrency Exchanges, Banks).

"We suspect the end goal of this partnership is financial gain and target payment system intrusion," Kremez says. "The development and control of this 'Anchor' project with high confidence were reserved to the most trusted members of the TrickBot group. Lazarus is likely the user or beneficiary of this project."

The SentinelLabs report does not indicate if the attacks by the Lazarus Group using TrickBot and the Anchor framework have resulted in thefts.

Hackers’ Strategy

As part of their research into Anchor, SentinelLabs found the ties between TrickBot gang and the Lazarus Group.

How TrickBot and Lazarus work together (Source: SentinelLabs)

In the case that SentinelLabs describes, the researchers found that hackers were using the TrickBot botnet and Anchor framework to install PowerRatankba, a specially designed PowerShell backdoor, within the network of an unnamed company. In 2018, several security analysts published reports tying PowerRatankba to the Lazarus Group; it was used to target point-of-sale machines (see: Report: Investigators Eye North Koreans for Exchange Hack).

"The integration of these tools into the Anchor implies that TrickBot was able to overcome the final barrier in integrating different domains into its model," according to the SentinelLabs analysis. "By integrating the [advanced persistent threat] approach to its model, the group turned its enterprise into a holistic ecosystem of cybercrime, becoming an essentially new phenomenon. In this ecosystem, crimeware and APT are no longer siloed; on the opposite, each type of crime creates added value for the other, each becomes a force multiplier."

Other Customers

The SentinelLabs and Cybereason reports leave open the possibility that the gang behind TrickBot and the Anchor framework have other customers besides the Lazarus Group.

In their report, the Cybereason researchers don't name North Korea, but note that a combination of attacks using the TrickBot malware and the new Anchor framework have been targeting financial, manufacturing and retail businesses since early October. In those cases, the researchers note that point-of-sale machines appear to be the main target, with attacks usually starting with a phishing email to gain access to the network.

The SentinelLabs analysis also left open the possibility that other nation-state backed groups could be renting TrickBot and its capabilties.

"The project is used by multiple APT groups. The Lazarus-affiliated deployment seems only one APT customer of their project," Kremez says.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.