An international company specialising in preventing cyberattacks presented an analysis of the hi-tech crime landscape in Asia in 2018 and concluded that cybercriminals show an increased interest in Asia in general, and Singapore in particular.
At the annual Money20/20 Asia Singapore payments, financial services and fintech summit held Mar 19-21, cybercrime prevention and response company Group-IB announced their discovery of a new tool used by data thieves Lazarus Group.
Group-IB also revealed that it had discovered 19,928 Singaporean bank cards that had shown up for sale in the dark web in 2018 and that this figure was 56% more than what it was in 2017. These compromised bank cards had an estimated total underground value of S$640,000.
In the past two years, the group had also found hundreds of compromised government portal credentials stolen by hackers.
Lazarus go rogue in Asia. New malware in gang’s arsenal
According to Group-IB’s Hi-Tech Crime Trends 2018 report, Southeast Asia, and Singapore in particular, is one of the most actively attacked regions in the world. In just one year, 21 state-sponsored data thief groups — which is more than the number of such groups in the United States and Europe combined — were detected in this area. Among them was Lazarus — a notorious North-Korean state-sponsored data thief, or threat actor.
After finding that Lazarus was responsible for several attacks on financial organizations in Asia, Group IB detected and analysed the gang’s most recent attack on one of the Asian banks.
In Jan 2019, Group-IB specialists obtained information about a previously unknown malware sample used in this attack.
Dubbed RATv3.ps (in line with RAT, or remote administration tool) by Group-IB, the new Trojan was thought to have been downloaded to victims’ computers as part of the second phase of a watering hole attack — a computer attack strategy that the Lazarus group had been using since 2016.
During the first stage, Lazarus used the Trojan Ratankba malware to infect websites regularly visited by a group of victims.
At least one of the RATs was available via a legitimate Vietnamese resource, which might have been involved in other attacks.
Group-IB CTO and Head of Threat Intelligence Dmitry Volkov warns that the newly discovered Lazarus malware is capable of data exfiltration from the victim’s computer; downloading and executing programs and commands via shell, acting as a keylogger to retrieve victim’s passwords, moving, creating and deleting files, injecting code into other processes, and screencasting:
“So in case of Lazarus, a stitch in time saves nine. It is very hard to contain their attacks as they happen. You have to be well prepared and know their tactics, and tools. In particular, it is extremely important to have most up-to-date indicators of compromise, unavailable publicly, that can only be gathered through automated machine learning-powered threat hunting solutions.
“Given the group’s increased activity in the region in 2018, we believe that Lazarus will continue to carry out attacks against banks, which will result in illicit SWIFT payments, and will likely experiment with, primarily focusing on Asia and the Pacific.”
Several cybersecurity researchers note that in 2018 Lazarus carried out a global campaign known as Rising Sun.
The malicious campaign affected close to 100 organizations and countries, including Singapore. The gang’s new endeavor took its name from the implant it downloaded onto victims’ computers.
It was found that Rising Sun was created on the basis of the Trojan Duuzer malware family, which also stems from the Lazarus group. In this case, the malware spreader was primarily aimed at collecting information from the victim’s computer according to various commands.
“According to Group-IB Hi-Tech Crime Trends report 2018, Lazarus — unlike most of other state-sponsored threat actors — does not shy away from attacking crypto. Singapore, being one of the most crypto-friendly countries in the world, attracts not only thousands of crypto and blockchain entrepreneurs every year, but also threat actors willing to grab a piece of the pie. We expect that other APTs like Silence, MoneyTaker, and Cobalt will stage multiple attacks on cryptocurrency exchanges in the near future.” – said Volkov.
Have you been pawned?
Group-IB Threat Intelligence team identified hundreds of compromised credentials from Singaporean government agencies and educational institutions over the course of 2017 and 2018.
Users’ logins and passwords from the Government Technology Agency, Ministry of Education, Ministry of Health, Singapore Police Force website, National University of Singapore learning management system and many other resources were stolen by cybercriminals. CERT-GIB (Computer Emergency Response Team) reached out to Singaporean CERT upon identification of this information.
“Users’ accounts from government resources are either sold on underground forums or used in targeted attacks on government agencies for the purpose of espionage or sabotage. Even one compromised account, unless detected at the right time, can lead to the disruption of internal operations or leak of government secrets.
“Cybercriminals steal user accounts’ data using special spyware aimed at obtaining users’ authentication data. According to Group-IB data, PONY FORMGRABBER, QBot and AZORult became the TOP 3 most popular Trojan-stealers among cybercriminals,” explained Volkov.
Trojans like Pony Formgrabber retrieves login credentials from configuration files, databases, secret storages of more than 70 programs on the victim’s computer and then sends stolen information to cyber criminals’ C&C servers.
Another Trojan-stealer AZORult, aside from stealing passwords from popular browsers, is capable of stealing crypto wallet data.
The Qbot worm gathers login credentials through use of keylogger, steals cookie files and certificates, active internet sessions, and forwards users to fake websites.
All these Trojans are capable of compromising the credentials of users of crypto wallets and crypto exchanges. More information on the most actively used Trojans and their targets can be accessed through Group-IB Threat Intelligence.
Public data leaks is another huge source of compromised user credentials from government websites. Group-IB analysed recent massive public data breaches and discovered 3689 unique records (email & passwords) related to Singaporean government websites accounts.
Underground market economy, number of compromised cards of Singaporean banks on sale increases
In 2018, Group-IB detected a total of 19,928 compromised payment cards related to Singaporean banks that were being sold on darknet card shops.
As one of the major financial hubs in Southeast Asia, Singapore is drawing increasing attention from financially-motivated hackers every year.
Group-IB Threat Intelligence detects and analyses data uploaded to cardshops all over the world. According to Group-IB’s annual Hi-Tech Crime Trends 2018 report, the details of 1.8 million payment cards, on the average, were uploaded to card shops monthly from June 2017 to Aug 2018.