Posted: 4 Min ReadThreat Intelligence

Lazarus: Three North Koreans Charged for Financially Motivated Attacks

More than $1.3 billion stolen in string of attacks against financial institutions and cryptocurrency exchanges.

The U.S. government has charged three men in relation to a string of financially motivated cyber attacks linked to the North Korean Lazarus (aka Appleworm) group. The attackers stole approximately $1.3 billion from a range of financial institutions and cryptocurrency exchanges.

In a second case, a Canadian-American citizen has pleaded guilty to involvement in a money laundering scheme linked to heists organized by the Lazarus group.

The charges relate to a number of financially motivated attacks, including several investigated by Symantec, a division of Broadcom (NASDAQ: AVGO).

Banking attacks

Lazarus was linked to a 2016 attack that stole US$81 million from the Bangladesh Central Bank and a number of other attacks against banks in Asia and South America. The attacks prompted an alert by payments network SWIFT, after it was found that the attackers had used malware to cover up evidence of fraudulent transfers.

In order to steal such massive sums, the attackers deployed relatively sophisticated malware, most notably Trojan.Banswift, which was used to wipe evidence of fraudulent transactions. Banswift shared code with an older Lazarus tool called Backdoor.Contopee. Contopee, along with two other pieces of Lazarus malware, Backdoor.Fimlis and Backdoor.Fimlis.B, were already being used in limited targeted attacks against the financial sector in South-East Asia.

Financially motivated attacks continued into 2017, when dozens of organizations were targeted through watering-hole attacks involving a previously unseen piece of malware. The attackers compromised websites likely to be visited by staff at targeted organizations and used a custom exploit kit to deliver malware to selected targets. The exploit kit was configured to only infect visitors from approximately 150 different IP addresses. These IP addresses belonged to 104 different organizations located in 31 different countries, most of which were banks. While the malware used in these attacks (Downloader.Ratankba) had been previously unseen, further analysis by Symantec uncovered strong links between this tool and known Lazarus tools.


Lazarus was subsequently implicated in the WannaCry ransomware attacks. The ransomware incorporated the leaked EternalBlue exploit that used two known vulnerabilities in Windows (CVE-2017-0144 and CVE-2017-0145) to turn the ransomware into a worm, capable of spreading itself to any unpatched computers on the victim’s network and also to other vulnerable computers connected to the internet.

Within a matter of hours, the malware had infected hundreds of thousands of computers worldwide. The attack had the potential to be highly profitable but it was poorly executed. WannaCry was supposed to generate a unique Bitcoin wallet address for each infected computer but, due to a bug, it failed to do so and instead defaulted to three hardcoded Bitcoin addresses for payment. This meant the attackers had no way of knowing which victims had paid using the hardcoded addresses. The attackers also included a “killswitch” in the malware. This was the address of a non-existent domain. WannaCry was designed to check if the domain was live and, if it was, it would cease installing. However, it was quickly found by a security researcher who registered the domain themselves, thus limiting the damage.

FASTCash ATM attacks

The group’s interest in financially motivated attacks persisted and, in 2018, evidence appeared of its involvement in attacks on ATM networks in Africa and Asia. The operation, known as FASTCash, allowed the group to effectively empty ATMs of cash. The attacks began with breaches of the targeted bank’s network in order to gain access to the switch application server that handled ATM transactions. Malware (Trojan.Fastcash) was installed on the server and used to intercept fraudulent cash withdrawal requests and send falsified approval responses, allowing cash to be withdrawn.

Cryptocurrency attacks

In a related announcement, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury released details on AppleJeus, malware that was used in a series of attacks on cryptocurrency exchanges. The malware is designed to masquerade as legitimate cryptocurrency trading applications.

At least seven different versions of AppleJeus have been discovered, each of which is designed to target a different cryptocurrency trading application. The following trading platforms were targeted by the malware:

Initially the malware was spread using fake versions of the legitimate trading platform websites. However, later the attackers switched vectors, relying on phishing, social networking, and social engineering techniques to fool victims into downloading the malware.

Far-reaching investigations

The indictment is the latest in a series of charges laid out against state-sponsored espionage actors by authorities in the U.S. and comes on the back of a 2018 indictment against one of the men named in this week’s announcement. The charges are a timely reminder of the ability of law enforcement to investigate attacks that originate far beyond national borders.


For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise

5e54bccbd4d93447e79cda0558b0b308a186c2be571c739e5460a3cb6ef665c0 File
ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69 File
a84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765 File
bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb File
c0c2239138b9bc659b5bddd8f49fa3f3074b65df8f3a2f639f7c632d2306af70 File
d404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04 File
07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542 File
081d1739422bf050755e6af269a717681274821cea8becb0962d4db61869c5d6 File
4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806 File
7ea6391c11077a0f2633104193ec08617eb6321a32ac30c641f1650c35eed0ea File
9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641 File
e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55 File
01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f File
0967d2f122a797661c90bc4fc00d23b4a29f66129611b4aa76f62d8a15854d36 File
2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390 File
631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680 File
6f45a004ad6bb087f733feb618e115fe88164f6db9562cb9b428372c9add75f0 File
755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3 File
af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49 File
e3623c2440b692f6b557a862719dc95f41d2e9ad7b560e837d3b59bfe4b8b774 File
0bc7517aa2f0c1820ced399bfd66b993f10ad77e8d72727b0f3dc1ca35cad7ba File
1b60a6d35c872102f535ae6a3d7669fb7d55c43dc7e73354423fdcca01a955d6 File
91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd File
a0c461c94ba9f1573c7253666d218b3343d24bfa5d8ef270ee9bc74b7856e492 File
fc1aafd2ed190fa523e60c3d22b6f7ca049d97fc41c9a2fe987576d6b5e81d6d File
326d7836d580c08cf4b5e587434f6e5011ebf2284bbf3e7c083a8f41dac36ddd File
3e5442440aea07229a1bf6ca2fdf78c5e2e5eaac312a325ccb49d45da14f97f4 File
527792dfab79f026eaa6930d2109c93e816ed31826dba0338a9223db71aced18 File
572a124f5665be68eaa472590f3ba75bf34b0ea2942b5fcbfd3e74654202dd09 File
5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8 File
21afaceee5fab15948a5a724222c948ad17cad181bf514a680267abcce186831 File
78b56a1385f2a92f3c9404f71731088646aac6c2c84cc19a449976272dab418f File
a0c461c94ba9f1573c7253666d218b3343d24bfa5d8ef270ee9bc74b7856e492 File
dcb232409c799f6ddfe4bc0566161c2d0b372db6095a0018e6059e34c2b79c61 File
bb430087484c1f4587c54efc75681eb60cf70956ef2a999a75ce7b563b8bd694 File
d5ac680e14b013e0624470da7f46e84809d00b59a7544f6a42b110cf0e29254e File Domain Domain Domain Domain Domain Domain Domain Domain Domain Domain Domain Domain Domain IP IP IP

About the Author

Threat Hunter Team


The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.