North Korea Begins PoS Attacks with New Malware

North Korea is taking aim at point-of-sale systems as part of its ongoing criminal fundraising efforts.

Proofpoint researchers have uncovered what it’s calling the first publicly documented instance of a nation-state targeting a POS-related framework for the theft of credit-card data, carried out by the notorious Lazarus Group hacking arm of Pyongyang. The firm said that the timing of these near the holiday shopping season makes the potential financial losses considerable, given that most retail businesses around the world report their highest volume of sales between November and December.

“The group has increasingly focused on financially motivated attacks and appears to be capitalizing on both the increasing interest and skyrocketing prices for cryptocurrencies,” researchers said, in an analysis. “The Lazarus Group’s arsenal of tools, implants and exploits is extensive and under constant development. Previously, they have employed DDoS botnets, wiper malware to temporarily incapacitate a company, and a sophisticated set of malware targeting the SWIFT banking system to steal millions of dollars.”

The group is using a new implant dubbed RatankbaPOS to primarily target POS terminals of businesses operating in South Korea. It’s part of a wider refreshed toolset, which Proofpoint has dubbed PowerRatankba. It includes weapons for carrying out highly targeted spearphishing campaigns using links and attachments as well as massive email phishing campaigns targeting both personal and corporate accounts of individuals with interests in cryptocurrency.

“At this time we have been unable to determine how RatankbaPOS is being delivered; however, based on its sharing of C&C with PowerRatankba implants, we hypothesize that Lazarus operators infiltrated at least one organization’s networks utilizing PowerRatankba to deploy later stage implants (including the possibility of RFC18 Gh0ST RAT) to ultimately deploy RatankbaPOS,” Proofpoint explained. “Based on the fact that the file was hosted on the C&C in plaintext, and not Base64 encoded, we assess that RatankbaPOS was more likely deployed with a later stage implant other than PowerRatankba.”

Clearly North Korea is “following the money”, adding direct theft from individuals and organizations to the more traditional approach of targeting financial institutions for espionage, the firm said.

What’s Hot on Infosecurity Magazine?