{ "id": "cb600ff2-c5b6-4b87-be5a-0aaccfecd0e1", "created_at": "2026-04-06T00:15:34.008517Z", "updated_at": "2026-04-10T03:38:20.361188Z", "deleted_at": null, "sha1_hash": "4f851ec56ba99e331db00e158f1fefdcead3bf08", "title": "Banco de Chile Wiper Attack Just a Cover for $10M SWIFT Heist", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 46980, "plain_text": "Banco de Chile Wiper Attack Just a Cover for $10M SWIFT Heist\r\nBy Tara Seals\r\nPublished: 2018-06-13 · Archived: 2026-04-05 15:06:17 UTC\r\nThe wiper malware affecting 9,000 workstations and 500 servers inside Chile’s largest financial institution turns\r\nout to have been a distraction.\r\nA cyberattack against Chile’s largest financial institution last month, which reportedly destroyed 9,000\r\nworkstations and 500 servers, was actually cover for a larger plot to compromise endpoints handling transactions\r\non the SWIFT network. When the dust settled on the attacks, investigators said $10 million was stolen from Banco\r\nde Chile and funneled off to an account in Hong Kong.\r\nOn Sunday, the bank’s general manager Eduardo Ebensperger told Chilean media outlet Pulso that the late-May\r\nattack allowed adversaries to complete four separate fraudulent transactions on the SWIFT system before the heist\r\nwas discovered.\r\n“We found some strange transactions in the SWIFT system (where banks internationally remit their transactions to\r\ndifferent countries),” Ebensperger told the outlet. “There we realized that the virus was not necessarily the\r\nunderlying issue, but apparently [the attackers] wanted to defraud the bank.”\r\nThe initial attack was carried out using a wiper malware that Ebensperger described as a “zero-day virus” that had\r\nnever been seen in the wild. However, in report published Tuesday by  Flashpoint, analysts discovered that the\r\ncode is actually a modified version of the Buhtrap malware component known as kill_os. The module renders the\r\nlocal operating system and the Master Boot Record (MBR) unreadable by erasing them.\r\nAfter reverse-engineering the codebase, Flashpoint analysts found that the Chile-attack malware, dubbed “MBR\r\nKiller,” was identical with only minor modifications to Buhtrap’s kill_os. For instance, the Buhtrap code, which\r\nwas leaked onto the Dark Web in February, contains an almost identical Nullsoft Scriptable Install System (NSIS)\r\nscript as the unpacked Banco de Chile malware (NSIS is an open-source system used to build Windows installers).\r\nThis revelation could potentially help with attribution: The Buhtrap malware and its components, including MBR\r\nKiller, were previously used by a Russian-speaking hacker collective in attacks against multiple financial\r\ninstitutions in Russia and the Ukraine, Flashpoint noted.\r\nHowever, the attribution behind the Banco de Chile attack remains uncertain.\r\n“It is notable, however, that Chilean financial institutions were targeted entities by the Lazarus Group, which was\r\nlinked to North Korea, during the compromise of the Polish Financial Supervision Authority website in 2017,”\r\nVitali Kremez, director of research, told Threatpost in an interview. “More specifically, the breached website\r\nwas filtered to serve payloads to only targeted IP ranges associated with financial institutions of interest to the\r\ngroup.”\r\nhttps://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/\r\nPage 1 of 2\n\nHe added, “the above-referenced indicators point to two possible groups behind – purported North-Korean\r\naffiliated group Lazarus and the known Russian-speaking sophisticated criminal group Buhtrap.”\r\nIt’s also possible, researchers said, that it’s an entirely different copycat group making use of Buhtrap’s leaked\r\nsource code.\r\nMeanwhile, Ebensperger said that a forensic analysis conducted by Microsoft attributed the attack to either\r\nEastern European or Asian groups. Further, Ofer Israeli, CEO of Illusive Networks, said via email that he too\r\nbelieves the North Korea-linked Lazarus Group, which is thought to have carried out the SWIFT attacks in\r\nBangladesh in 2016, is behind it all.\r\n“Targeting financial organizations is part of their long-term strategy and compromising global financial networks\r\nvia small to medium-sized banks in Central and South America whose cyber-defenses may be less sophisticated\r\nposes a higher probability of success,” he explained.\r\nIn any event, Banco de Chile is the latest victim in a string of cyber-attacks targeting payment transfer systems.\r\nFor instance, in May, Somewhere between $18 million to $20 million went missing during unauthorized interbank\r\nmoney transfers in Mexico’s central banking system.\r\n“Third-party providers of payment and transfer systems have become one of the most effective attack vectors for\r\nhackers trying to siphon money from banks,” said Fred Kneip, CEO at CyberGRX, via email. “We’ve seen the\r\nSWIFT Network under attack for years now, and just last month hackers targeted the Mexican central bank SPEI\r\ninterbank transfer system.”\r\nHe added, “A large international bank has tens of thousands of third parties in their digital ecosystem, but hackers\r\nhave figured out that it only takes one weak link to make millions of dollars. Understanding the level of risk\r\nexposure introduced by all third parties is important, but that becomes even more critical for a Tier 1 partner like a\r\ntransfer system provider.”\r\nSource: https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/\r\nhttps://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "ETDA", "Malpedia" ], "references": [ "https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/" ], "report_names": [ "132796" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "01d569b1-f089-4a8f-8396-85078b93da26", "created_at": "2023-01-06T13:46:38.411615Z", "updated_at": "2026-04-10T02:00:02.963422Z", "deleted_at": null, "main_name": "BuhTrap", "aliases": [], "source_name": "MISPGALAXY:BuhTrap", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb", "created_at": "2022-10-25T16:07:23.427162Z", "updated_at": "2026-04-10T02:00:04.594113Z", "deleted_at": null, "main_name": "Buhtrap", "aliases": [ "Buhtrap", "Operation TwoBee", "Ratopak Spider", "UAC-0008" ], "source_name": "ETDA:Buhtrap", "tools": [ "AmmyyRAT", "Buhtrap", "CottonCastle", "FlawedAmmyy", "NSIS", "Niteris EK", "Nullsoft Scriptable Install System", "Ratopak" ], "source_id": "ETDA", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434534, "ts_updated_at": 1775792300, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4f851ec56ba99e331db00e158f1fefdcead3bf08.pdf", "text": "https://archive.orkl.eu/4f851ec56ba99e331db00e158f1fefdcead3bf08.txt", "img": "https://archive.orkl.eu/4f851ec56ba99e331db00e158f1fefdcead3bf08.jpg" } }