The US federal agencies have issued a joint alert to warn the public about an ongoing cyber campaign by the North Korea-backed 'BeagleBoyz' group, which is using remote access malware tools to steal millions of dollars from banks around the world.
The agencies say they are seeing a resurgence of financially motivated hacking efforts by the North Korean regime for the past six months, following a decline in bank targeting since October 2019.
They refer to the campaign as "FASTCash" and claim that the main aim of these activities is to fund the North Korean government by initiating fraudulent money transfers from banks and causing ATMs to spit out cash.
The advisory further claims that the operation has been ongoing since at least 2016, but is ramping up now in both volume and sophistication.
Hackers' activities include spear-phishing attacks and social engineering schemes, according to the federal agencies.
"We know that North Korea uses cyber-enabled tactics and techniques to steal currency, which it would otherwise be denied under international sanctions," Brig. Gen. Joe Hartman, the Pentagon's Cyber Command Cyber National Mission Force Commander, said in a statement.
According to the agencies, 'BeagleBoyz' represents a subset of HIDDEN COBRA and is controlled by the Reconnaissance General Bureau, an intelligence unit working for the North Korean government. The group is estimated to have stolen nearly $2 billion through hacking campaigns since 2015.
It is also thought to be responsible for ATM cash-outs reported in October 2018.
In 2016, it stole $81 million from the Bank of Bangladesh after targeting the bank's SWIFT payment system. Fortunately, the Federal Reserve Bank of New York noticed errors in payment transfer instructions from the Bank of Bangladesh and stopped the remainder of an attempted $1 billion transfer.
The activities of BeagleBoyz have not just been limited to ATM cash-outs, but also to theft of cryptocurrencies, sometimes valued at millions of dollars per incident.
The alert published by the US government is the result of combined efforts from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber Command (USCYBERCOM), and the Department of the Treasury.
The alert comes nearly a week after the FBI and CISA warned that North Korean hackers have been using the BLINDINGCAN remote access Trojan to target American government contractors in the defence sector.
Earlier in July, researchers at cyber security firm Sansec said that they had found evidence to suggest that North Korea-based Lazarus group, or APT38, was planting skimmers on the web stores of many American and European retailers in an effort to steal payment card details of unsuspecting shoppers.
Malwarebytes researchers also said in May that they had identified a new variant of the Dacls RAT, specifically created by Lazarus to target devices running Mac OS.
Commenting on the agencies' report, Fred Plan, senior analyst at Mandiant Threat Intelligence, said the threat actors have a lot of advanced tools at their disposal.
"The group maintains and develops a robust suite of malware families specifically designed to target the banking industry and its peripheries," Plan said.
"We have reported on several of the malware families included in the report, including the malware identified as 'CROWDEDFLOUNDER', which we track as CHEESETRAY, a robust proxy-aware backdoor that can operate in both an active and passive mode which we have observed in APT38 bank intrusion activity. We track the tunneller 'ELECTRICFISH' under the moniker FULLHOUSE, which is a command-line TCP tunneling tool that supports basic and NTLM proxy authentication. However, we have only observed the malware identified as 'HOPLIGHT', which we track as HANGMAN, being leveraged by TEMP.Hermit.
"The tool's reported use in activity directly targeting banks highlights how financially-motivated North Korean operations share malware code and other development resources with cyber espionage groups sponsored by the regime."