# Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America **[blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-](https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/)** organizations-in-latin-america/ Trend Micro November 20, 2018 [Home » Malware » Lazarus Continues Heists, Mounts Attacks on Financial](https://blog.trendmicro.com/trendlabs-security-intelligence/) Organizations in Latin America [0](https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/#respond) **_by Lenart Bermejo and Joelson Soares_** The cybercriminal group Lazarus, and particularly its subgroup Bluenoroff, has a history of attacking financial organizations in Asia and Latin America. There seems to be a resurgence of activity from the group, and recent events show how their tools and techniques have [evolved. Just last week they were found stealing millions](https://www.theverge.com/2018/11/8/18075124/north-korea-lazarus-atm-fastcash-hack-millions-dollars-stolen) from ATMs across Asia and Africa. We also recently discovered that they successfully planted their backdoor [(detected by Trend Micro as BKDR_BINLODR.ZNFJ-A) into](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_binlodr.znfj-a) several machines of financial institutions across Latin America. We determined that these backdoors were installed on the targets’ machines on September 19 2018, based mainly on the service creation time of the loader component. We also saw that the attack technique bears some resemblance to a previous 2017 Lazarus attack, [analyzed by BAE Systems, against targets in Asia. The use of FileTokenBroker.dll was a key](https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html) part of the group’s attack in 2017, and they seem to have used the same modularized backdoor in the recent incident as well. Our analysis of the backdoors used in the September 2018 attacks show that AuditCred.dll/ROptimizer.dll was similarly used: **FileTokenBroker.dll (2017 att** **ack)** **AuditCred.dll/Roptimizer.dll (2018** **attack)** **Launch Method** Service Service **Function** Loader Component Loader Component **Working directory** %Windows%\System32 %Windows%\System32 **Loaded Component Path** %Windows%\System32\en-US %Program Files%\Common Files\System \ado **Loaded Component** **Blending** Blends with .mui files Blend with ActiveX data Object dll files _Table1: Similarities of the Loader components in both incidents_ ----- The Lazarus group used a series of backdoors in their 2018 attacks, employing a complicated technique that involves three major components: **AuditCred.dll/ROptimizer.dll (detected by Trend Micro as BKDR_BINLODR.ZNFJ-A) –** loader DLL that is launched as a service **Msadoz.dll (detected by Trend Micro as BKDR64_BINLODR.ZNFJ-A) – encrypted** backdoor **n = number of characters in the loader dll’s filename** **Auditcred.dll.mui/rOptimizer.dll.mui (detected by Trend Micro as** TROJ_BINLODRCONF.ZNFJ-A) – encrypted configuration file _Figure 1: Loading sequence of the modularized backdoor_ The loader DLL is installed as a service and uses different names (AuditCred and ROptimizer) on different machines. However, they still have the same capabilities and are essentially the same file. Its purpose is to load Msadoz.dll in order to decrypt and execute it in memory. _Figure 2: AuditCred/ROptimizer Service_ If successfully installed, this particular backdoor poses quite a threat to its target. It is capable of the following functions: Collect file/folder/drive information Download files and additional malware Launch/terminate/enumerate process Update configuration data Delete files Inject code from files to other running process Utilize proxy ----- Run in passive mode — instead of actively connecting to the command and control (C&C) server, the backdoor will open and listen to a port then receive commands through it Once the backdoor is loaded, it will then load the encrypted configuration file **Auditcred.dll.mui/rOptimizer.dll.mui to extract the C&C information and connect to it. The** connection is necessary for conducting activities; and based on the backdoor’s functions, these actions could be quite damaging to targets. _Figure 3: The first step of decryption will perform XOR on one byte using the previous_ _adjacent byte, starting from the last byte and excluding the first byte_ _Figure 4: The second step uses RC4, using the first 0x20 bytes from the result of the first step_ _as the RC4 key_ ----- _Figure 5: Encrypted (Top) and decrypted (bottom) configuration file_ It is also important to note that while the loader component and the configuration file are located in the same directory (%windows%\system32), the encrypted backdoor is located in a different directory (%Program Files%\Common Files\System\ado). This complex setup makes it harder to detect and remove all the backdoors, and is more effective at hiding any activities. The complexity and the capabilities of these backdoors present a tough problem for the targeted organizations. It is a sophisticated attack that needs equally sophisticated security solutions. **_Trend Micro Solutions_** The Lazarus group is an experienced organization, methodically evolving their tools and experimenting with strategies to get past an organization’s defenses. The backdoors they are deploying are difficult to detect and a significant threat to the privacy and security of enterprises, allowing attackers to steal information, delete files, install malware, and more. These and other tools used by the Lazarus group can be mitigated by routinely scanning the network for any malicious activity to help prevent the malware from entering and spreading through an organization. In addition, educating employees and other key people [in an organization on social engineering techniques can allow them to identify what to look](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/keep-an-eye-out-for-these-social-engineering-scams) out for when it comes to malicious attacks. Other mitigation strategies include a multilayered approach to securing the organization’s [perimeter, which includes hardening the endpoints and employing application control to](http://blog.trendmicro.com/ensuring-comprehensive-endpoint-security/) help prevent malicious applications and processes from being executed. ----- Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. [Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by](http://www.trendmicro.com/us/enterprise/security-risk-management/deep-discovery/) detecting malicious attachments and URLs that could lead to malicious downloads. [Trend Micro XGen™ security provides a cross-generational blend of threat defense](https://www.trendmicro.com/en_us/business/products/all-solutions.html) techniques to protect systems from all types of threats. It features high-fidelity machine [learning on gateways and endpoints, and protects physical, virtual, and cloud workloads.](http://www.trendmicro.com/us/business/complete-user-protection/index.html) With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen security protects against today’s threats that bypass traditional controls; exploit known, unknown, or undisclosed vulnerabilities; either steal or encrypt personally identifiable data; or conduct malicious cryptocurrency mining. Smart, optimized, and connected, XGen [security powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/deep-security-for-cloud.html) [Protection, and Network Defense.](https://www.trendmicro.com/en_us/business/products/network.html) **_Indicators of Compromise_** **Command and Control Servers** 107[.]172[.]195[.]20 192[.]3[.]12[.]154 46[.]21[.]147[.]161 -----