{
	"id": "d54433e9-76df-4c8a-a20f-41a4cfb6e3a6",
	"created_at": "2026-04-06T00:22:09.49471Z",
	"updated_at": "2026-04-10T03:38:19.275301Z",
	"deleted_at": null,
	"sha1_hash": "5b01b4778595618ba9d1492b7555f58913fef863",
	"title": "Lazarus Targets Latin American Financial Companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85444,
	"plain_text": "Lazarus Targets Latin American Financial Companies\r\nBy: Lenart Bermejo, Joelson Soares Nov 20, 2018 Read time: 4 min (951 words)\r\nPublished: 2018-11-20 · Archived: 2026-04-05 16:48:35 UTC\r\nThe cybercriminal group Lazarus, and particularly its subgroup Bluenoroff, has a history of attacking financial organizations in Asia and Latin America. There seems to be a resurgence of activity from the group, and recent events show how their tools and techniques have evolved. Just last week they were found stealing millions from ATMs across Asia and Africa. We also recently discovered that they successfully planted their backdoor (detected by Trend Micro as BKDR_BINLODR.ZNFJ-A) into several machines of financial institutions across Latin America.\r\nWe determined that these backdoors were installed on the targets’ machines on September 19 2018, based mainly on the service creation time of the loader component. We also saw that the attack technique bears some resemblance to a previous 2017 Lazarus attack, analyzed by BAE Systems, against targets in Asia. The use of FileTokenBroker.dll was a key part of the group’s attack in 2017, and they seem to have used the same modularized backdoor in the recent incident as well.\r\nOur analysis of the backdoors used in the September 2018 attacks shows that AuditCred.dll/ROptimizer.dll was similarly used:\r\n\r\nTable 1: Similarities of the loader components in both incidents\r\nColumns: FileTokenBroker.dll (2017 attack) | AuditCred.dll/ROptimizer.dll (2018 attack)\r\nLaunch Method: Service | Service\r\nFunction: Loader Component | Loader Component\r\nWorking directory: %Windows%\\System32 | %Windows%\\System32\r\nLoaded Component Path: %Windows%\\System32\\en-US | %Program Files%\\Common Files\\System\\ado\r\nLoaded Component Blending: Blends with .mui files | Blends with ActiveX Data Object dll files\r\nAnalysis of backdoors used in 2018\r\nThe Lazarus group used a series of backdoors in their 2018 attacks, employing a complicated technique that involves three major components:\r\nAuditCred.dll/ROptimizer.dll (detected by Trend Micro as BKDR_BINLODR.ZNFJ-A) – loader DLL that is launched as a service\r\nMsadoz\u003cn\u003e.dll (detected by Trend Micro as BKDR64_BINLODR.ZNFJ-A) – encrypted backdoor; n = number of characters in the loader dll’s filename\r\nAuditcred.dll.mui/rOptimizer.dll.mui (detected by Trend Micro as TROJ_BINLODRCONF.ZNFJ-A) – encrypted configuration file\r\nFigure 1: Loading sequence of the modularized backdoor\r\nThe loader DLL is installed as a service and uses different names (AuditCred and ROptimizer) on different machines. However, they still have the same capabilities and are essentially the same file. Its purpose is to load Msadoz\u003cn\u003e.dll in order to decrypt and execute it in memory.\r\nFigure 2: AuditCred/ROptimizer Service\r\nIf successfully installed, this particular backdoor poses quite a threat to its target. It is capable of the following functions:\r\nCollect file/folder/drive information\r\nDownload files and additional malware\r\nLaunch/terminate/enumerate processes\r\nUpdate configuration data\r\nDelete files\r\nInject code from files into other running processes\r\nUtilize proxy\r\nOpen reverse shell\r\nRun in passive mode — instead of actively connecting to the command and control (C\u0026C) server, the backdoor will open and listen on a port, then receive commands through it\r\nOnce the backdoor is loaded, it will then load the encrypted configuration file Auditcred.dll.mui/rOptimizer.dll.mui to extract the C\u0026C information and connect to it. The connection is necessary for conducting activities, and based on the backdoor's functions, these actions could be quite damaging to targets.\r\nFigure 3: The first step of decryption will perform XOR on one byte using the previous adjacent byte, starting from the last byte and excluding the first byte\r\nFigure 4: The second step uses RC4, using the first 0x20 bytes from the result of the first step as the RC4 key\r\nFigure 5: Encrypted (top) and decrypted (bottom) configuration file\r\nIt is also important to note that while the loader component and the configuration file are located in the same directory (%windows%\\system32), the encrypted backdoor is located in a different directory (%Program Files%\\Common Files\\System\\ado). This complex setup makes it harder to detect and remove all the backdoors, and is more effective at hiding any activities.\r\nThe complexity and the capabilities of these backdoors present a tough problem for the targeted organizations. It is a sophisticated attack that needs equally sophisticated security solutions.\r\nTrend Micro Solutions\r\nThe Lazarus group is an experienced organization, methodically evolving their tools and experimenting with strategies to get past an organization’s defenses. The backdoors they are deploying are difficult to detect and a significant threat to the privacy and security of enterprises, allowing attackers to steal information, delete files, install malware, and more.\r\nThese and other tools used by the Lazarus group can be mitigated by routinely scanning the network for any malicious activity to help prevent the malware from entering and spreading through an organization. In addition, educating employees and other key people in an organization on social engineering techniques can allow them to identify what to look out for when it comes to malicious attacks.\r\nOther mitigation strategies include a multilayered approach to securing the organization’s perimeter, which includes hardening the endpoints and employing application control to help prevent malicious applications and processes from being executed.\r\nTrend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs that could lead to malicious downloads.\r\nTrend Micro XGen™ security provides a cross-generational blend of threat defense techniques to protect systems from all types of threats. It features high-fidelity machine learning on gateways and endpoints, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen security protects against today’s threats that bypass traditional controls; exploit known, unknown, or undisclosed vulnerabilities; either steal or encrypt personally identifiable data; or conduct malicious cryptocurrency mining. Smart, optimized, and connected, XGen security powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.\r\nIndicators of Compromise\r\nCommand and Control Servers\r\n107[.]172[.]195[.]20\r\n192[.]3[.]12[.]154\r\n46[.]21[.]147[.]161\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/"
	],
	"report_names": [
		"lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434929,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b01b4778595618ba9d1492b7555f58913fef863.pdf",
		"text": "https://archive.orkl.eu/5b01b4778595618ba9d1492b7555f58913fef863.txt",
		"img": "https://archive.orkl.eu/5b01b4778595618ba9d1492b7555f58913fef863.jpg"
	}
}