A report released today reveals that hacking units backed by the North Korean government are leasing access to elite hacking tools and to already-hacked networks from the operators of the TrickBot botnet.
The revelation confirms a trend observed in recent years: the lines between cybercrime and government spying operations are blurring. This trend first came to light in 2017, when a report revealed how Evgeniy Bogachev, the brain behind the GameOver Zeus malware, helped Russian intelligence collect sensitive documents from the computers his botnet infected.
But Bogachev was not an isolated case. Just last week, the US charged the administrator of the Dridex malware botnet, accusing him of the same thing: cooperating with Russian state intelligence in the search for sensitive data.
These two cases show a direct link between the creators of popular malware and a country's intelligence gathering.
In fact, these lines have also blurred at a much lower level. For years we have seen nation-state hacking teams adopt commodity malware. Instead of developing their own tools, government operators buy malware that is already for sale online.
This helps them hide their targeted intrusions among the noise of attacks carried out by financially motivated hackers.
In a report released today by cybersecurity firm SentinelOne, we learn of a new link between a state-backed hacking group (North Korea's Lazarus group) and TrickBot.
According to the SentinelOne team, the Lazarus group has recently become a customer of the TrickBot gang, from which it leases access to already-infected systems, along with a new attack framework that researchers call Anchor. SentinelOne describes Anchor as "a collection of tools" combined with a new strain of malware. The Anchor malware is delivered as a TrickBot module.
TrickBot is one of the top three malware botnets today, along with Emotet and Dridex. It is a giant network of computers infected with the TrickBot trojan. But TrickBot is also a cybercrime-as-a-service business: the TrickBot gang leases access to TrickBot-infected computers to other criminal gangs.
These gangs range from ransomware operators to spammers, scammers, and more. Tenants can use the TrickBot trojan to install their own malware or one of the available TrickBot modules, depending on what they want to do on the infected hosts.
In reports released today by Cybereason and SentinelOne, the two companies say that Anchor is a new TrickBot module built for a specific market: hackers who want to remain undetected on the systems they infect.
Anchor is a tool for attacks on large companies, where the hackers need to remain undetected for weeks or months while stealing data, and even long after the intrusion is over.
SentinelOne describes Anchor as "an all-in-one attack framework designed to attack enterprise environments." It consists of different modules that provide the capabilities needed for targeted attacks but are of no use to other TrickBot customers.
At first glance, Anchor looks like a tool that the TrickBot gang developed for hacker groups interested in financial espionage or for operators of POS (point-of-sale) malware.
SentinelOne, however, has linked attacks by North Korea's Lazarus group to TrickBot and the new Anchor attack framework.
In its report released today, SentinelOne says it found a case in which the Lazarus group appears to have leased access to an infected system via the TrickBot botnet and then used the Anchor framework (the TrickBot module) to install PowerRatankba, a PowerShell backdoor, on the network of a hacked company.
SentinelOne has not worked out what the Lazarus group did on the hacked business network, but North Korean hackers are known for financially motivated cyber-attacks. The North Koreans were not Anchor's only customer, however.
Cybereason did not see the Lazarus group using Anchor, but instead observed "a new wave of targeted campaigns against the finance, construction, and retail sectors launched in early October" in which Anchor was used.
"Unlike the previously reported TrickBot attacks that result in mass ransomware infections, this new wave of attacks focuses on stealing sensitive information from POS (point-of-sale) systems and other sensitive resources in the victims' networks," said the Cybereason team.
"These attacks further underscore the risk of commodity malware infections, which can sometimes be underestimated because of how common they are and the sheer volume of them," the researchers added.
"It is important to remember that once an endpoint is infected with malware, what happens next is up to the attackers."