A report released today reveals that hacking units backed by the North Korean government are leasing access to elite hacking tools and to already hacked networks from the operators of the TrickBot botnet.
The revelation confirms a trend seen in recent years - namely that the lines between ordinary cybercrime and state-level espionage are blurring. This trend came to light in 2017, when a report revealed how the brain behind the GameOver Zeus malware helped Russian intelligence collect sensitive documents from the computers it infected.
But Bogachev was not an isolated case. Just last week, the US charged an administrator of the Dridex botnet, accusing him of doing the same thing - working with Russia's state-run intelligence service on searches for sensitive data.
These two cases show a direct contact between the creators of popular malware and a country's intelligence gathering.
In fact, these lines have also blurred at a much lower level. For years, we have seen national hacking teams adopt products from the cybercrime market. Instead of developing their own tools, government operators choose to buy malware that is already available for sale online.
This helps them disguise "targeted" operations as attacks committed by a financially motivated hacker.
In a cybersecurity report released today by SentinelOne, we learn of a new link between a state-backed hacking group (North Korea's Lazarus group) and TrickBot.
According to the SentinelOne team, the Lazarus group has recently become a client of the TrickBot gang, which is leasing it access to already infected systems, along with a new type of attack framework that researchers call Anchor. SentinelOne describes Anchor as "a collection of tools" combined into a new malware strain. The Anchor malware strain is delivered as a TrickBot module.
TrickBot is one of the top three malware botnets today, along with Emotet and Dridex. It is a giant network of computers infected with the TrickBot trojan. However, TrickBot is also a Cybercrime-as-a-Service business: the TrickBot gang leases access to TrickBot-infected computers to other malware gangs.
These gangs range from ransomware operators to online spammers, scammers and more. Tenants can use the TrickBot trojan to install their own malware or one of the available TrickBot modules, depending on the functions they wish to perform on infected hosts.
In reports released today by Cybereason and SentinelOne, the two companies say that Anchor is a new TrickBot module built for a specific market, namely hackers who want to remain undetected on the infected systems.
TrickBot is a tool used in attacks targeting large companies, where hackers have to remain undetected for weeks or months - while stealing data - and even long after the intrusion ends.
SentinelOne describes Anchor as "an all-in-one attack framework designed to attack business environments". It consists of different submodules that provide the various capabilities needed for targeted attacks, but are of no use to other TrickBot customers.
At first glance, Anchor looks like a tool that the TrickBot team developed for hacker groups interested in financial espionage or for operators of POS malware.
SentinelOne said it was linking North Korea's Lazarus group attacks with TrickBot and the new Anchor attack framework.
In its report released today, SentinelOne states that it has found a case where the Lazarus group appears to have leased access to an infected system via the TrickBot botnet and then used the Anchor attack framework (a TrickBot module) to install PowerRatankba, a PowerShell backdoor, on the network of a company that had been hacked.
SentinelOne has not worked out what the Lazarus group did on the hacked business network, but North Korean hackers are known for carrying out financially motivated cyberattacks. However, the North Korean hackers were not the only customers of Anchor.
Cybereason did not see the Lazarus group using Anchor, but instead saw "a new wave of targeted campaigns against the financial, construction and retail businesses that began in early October" in which Anchor was used.
"Unlike the previously mentioned Trickbot related attacks that result in massive ransomware infection, this new wave of attacks focuses on the theft of sensitive information from POS (Point of Sale) systems and other sensitive resources in the victims' networks," said the Cybereason team.
"These attacks further underline the risk of malware infections that can sometimes be underestimated due to their commonness and their high volume," the researchers added.
"It is important to remember that when an endpoint becomes infected with malware, what happens next depends on the attackers' decision."