{
	"id": "ceb40d21-b9ef-45a7-8181-2d42b1cfe7ae",
	"created_at": "2026-04-06T00:13:58.955454Z",
	"updated_at": "2026-04-10T13:11:31.155243Z",
	"deleted_at": null,
	"sha1_hash": "fb28e1fff3672ea790048ce42a9f5917c72be7aa",
	"title": "Evidence of Stronger Ties Between North Korea and SWIFT Banking Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3820546,
	"plain_text": "Evidence of Stronger Ties Between North Korea and SWIFT\r\nBanking Attacks\r\nBy Aaron Shelmire\r\nPublished: 2026-03-12 · Archived: 2026-04-05 18:43:00 UTC\r\nEvidence of stronger ties between North Korea and SWIFT-focused banking attacks, with analysis of tactics,\r\ntargeting, and defensive recommendations.\r\nhttps://www.anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks\r\nPage 1 of 6\n\nFive new additional pieces of malware code discovered that contain unique portions of code related to the\r\nthe SWIFT attacks.\r\nRecently, malware analysts at Symantec discovered two subroutines that were shared amongst North Korea’s\r\nLazarus’ groups Operation Blockbuster malware and two samples of malware from the recent SWIFT attacks.\r\nThe shared subroutines are displayed as evidence to relate the SWIFT intrusion activity to the Lazarus group.\r\nSymantec’s analysis was utilized in the The New York Times story on May 27, 2016. Their findings supported a\r\nclaim that these were the only two pieces of software with this shared code.\r\nhttps://www.anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks\r\nPage 2 of 6\n\nThe Anomali Labs team has conducted deeper research into a very large malware data repository. This process\r\nutilized the yara signature below to search for the shared subroutines. At first, we believed it would produce a lot\r\nof false positives. Instead, this search not only failed to result in any false positives, but also turned up five other\r\npieces of malware which share this code. 
We see this as a possible link between the Lazarus group attacks and other attacks that involved these same five pieces of malware.\r\n\r\nMalware Family | MD5 hash | Notes\r\nSWIFT BanSwift | 5d0ffbc8389f27b0649696f0ef5b3cfe | evchk.bat dropper\r\nSWIFT Fake Foxit Reader | 0b9bf941e2539eaa34756a9e2c0d5343 | A fake Foxit Reader submitted to VirusTotal from Vietnam in December 2015 (similar sample detailed at https://blogs.mcafee.com/mcafee-labs/attacks-swift-banking-system-benefit-insider-knowledge/)\r\nSMBWorm | 558b020ce2c80710605ed30678b6fd0c | Known North Korean malware\r\nMemory dump with SMBWorm | 96f4e767aa6bb1a1a5ab22e0662eec86 | \r\nUnknown “hkcmd” tool | b0ec717aeece8d5d865a4f7481e941c5 | First submitted from Canada on 2016/04/22, likely by an AV organization. PE build date of December 2010.\r\nimkrmig.exe | 5a85ea837323554a0578f78f4e7febd8 | An unknown backdoor posing as a Korean sample of Microsoft Office 2007.\r\nTable 1. Malware families and samples known to include the Lazarus Wipe File routine.\r\n\r\nOur approach to code comparison was to use Position Independent Code (PIC) function hashes to compare the samples against one another. Each function is reduced to the sequence of instruction mnemonics in its binary code, and a cryptographic hash of that sequence is used as the function’s fingerprint, so the hash does not change with the address at which the code was linked. By comparing these hashes we can see the direct overlap of shared functions between the various samples.\r\n\r\nFigure 1: The function overlap viewed from ae086350239380f56470c19d6a200f7d251c7422c7bc5ce74730ee8bab8e6283 as viewed within IDA Pro.\r\n\r\nAdditionally, there are seven other function hashes that are shared between Trojan.Filmis and various SWIFT-related malware samples.
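As an added example (not Anomali's tooling), here is the position-independent function hashing described above, run over constructed x86 listings instead of real samples. The normalization is an assumption chosen for illustration: mnemonics and register operands are kept, memory references are collapsed to one token and every immediate, absolute address or label is masked, so that two builds of one routine linked at different addresses hash identically. It also adds the prevalence check that a shared hash needs before it can count as evidence.

```python
import hashlib

# Added example (not Anomali's code): position-independent code (PIC) hashes over
# constructed x86 listings. Real tooling works from a disassembler's output;
# the listings below are written by hand for this example.

REGISTERS = {'eax', 'ebx', 'ecx', 'edx', 'esi', 'edi', 'ebp', 'esp',
             'al', 'bl', 'cl', 'dl', 'ax', 'bx', 'cx', 'dx'}


def normalize_operand(op):
    op = op.strip().lower()
    if '[' in op:
        return 'mem'          # memory reference: base and displacement masked
    if op in REGISTERS:
        return op             # register allocation is part of the code shape
    return 'imm'              # immediates, absolute addresses, labels: position dependent


def normalize_instruction(line):
    line = line.split(';', 1)[0].strip()      # drop comments
    if not line or line.endswith(':'):        # blank lines and labels carry no code
        return None
    parts = line.split(None, 1)
    mnemonic = parts[0].lower()
    if len(parts) == 1:
        return mnemonic
    operands = [normalize_operand(o) for o in parts[1].split(',')]
    return mnemonic + ' ' + ','.join(operands)


def pic_hash(listing):
    normalized = [n for n in map(normalize_instruction, listing.splitlines()) if n]
    return hashlib.sha256(' | '.join(normalized).encode('ascii')).hexdigest()


def function_hashes(sample):
    return {name: pic_hash(listing) for name, listing in sample.items()}


def shared_hashes(sample_a, sample_b):
    return set(function_hashes(sample_a).values()) & set(function_hashes(sample_b).values())


def distinctive_shared(sample_a, sample_b, background):
    # a hash that also shows up in unrelated code (CRT, common library routines)
    # says nothing about attribution; only the remainder is worth reporting
    common = set()
    for sample in background:
        common |= set(function_hashes(sample).values())
    return shared_hashes(sample_a, sample_b) - common


# constructed listings: the random lowercase name loop from the yara pattern as
# compiled into two binaries at different addresses, a CreateFileA/GetFileSizeEx
# prologue of the overwrite routine, and a strlen-style helper any C program may carry
RAND_NAME_BUILD1 = '''
    push esi
    mov esi, 0x4030A0        ; name buffer
loop_top:
    call 0x401C10            ; rand
    cdq
    mov ecx, 0x1A
    idiv ecx
    add dl, 0x61
    mov [esi], dl
    mov al, [esi+1]
    inc esi
    test al, al
    jnz loop_top
    pop esi
    ret
'''
RAND_NAME_BUILD2 = RAND_NAME_BUILD1.replace('0x4030A0', '0x4051F8').replace('0x401C10', '0x402AB0')

OVERWRITE_BUILD1 = '''
    push ebp
    mov ebp, esp
    push 0x0
    push 0x80
    push 0x3
    push 0x0
    push 0x0
    push 0x40000000
    push [ebp+8]
    call 0x401E40            ; CreateFileA
    mov esi, eax
    cmp esi, 0xFFFFFFFF
    je fail
    lea eax, [ebp-8]
    push eax
    push esi
    call 0x401E80            ; GetFileSizeEx
fail:
    pop ebp
    ret
'''
OVERWRITE_BUILD2 = OVERWRITE_BUILD1.replace('0x401E40', '0x402F10').replace('0x401E80', '0x402F50')

STRLEN = '''
    mov eax, [esp+4]
    lea edx, [eax+1]
top:
    mov cl, [eax]
    inc eax
    test cl, cl
    jnz top
    sub eax, edx
    ret
'''
MAIN_ONLY = '''
    push ebp
    mov ebp, esp
    call 0x10001000
    xor eax, eax
    pop ebp
    ret
'''

BLOCKBUSTER_LIKE = {'sub_401000': RAND_NAME_BUILD1, 'sub_401200': OVERWRITE_BUILD1, 'sub_401800': STRLEN}
SWIFT_LIKE = {'sub_402AB0': RAND_NAME_BUILD2, 'sub_402C00': OVERWRITE_BUILD2, 'sub_403100': STRLEN}
UNRELATED = {'sub_10001000': STRLEN, 'sub_10001100': MAIN_ONLY}

if __name__ == '__main__':
    print('shared:', len(shared_hashes(BLOCKBUSTER_LIKE, SWIFT_LIKE)))
    print('distinctive:', len(distinctive_shared(BLOCKBUSTER_LIKE, SWIFT_LIKE, [UNRELATED])))
```

In practice the listings come from a disassembler export and the background set is a large corpus of unrelated binaries; a hash that recurs there (a CRT helper, a compiler intrinsic) is exactly the kind of shared function whose rarity still has to be established before it carries weight.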
Anomali Labs is unsure of how rare these functions are at this point.\r\n\r\nInvestigative Process\r\n\r\nWe began by taking a look at the two subroutines that Symantec reported to be unique. We retrieved the API names and added those to a yara signature. In some cases the imported API is MoveFileExA rather than MoveFileEx; because yara matches plain strings as substrings, the shorter name in the signature covers both. We then looked at the code used. There is a small portion of code where a file name consisting of randomly generated lowercase letters is created; the bytes of that routine were used as part of the criteria.\r\n\r\nUsing these criteria, we began a search of a large malware database on Thursday night. On Friday morning we expected to be faced with a sea of false positives, but the search returned only 10 matches. Four of those were known samples of the SWIFT malware, and one sample was a zip file that includes a known SWIFT sample. The other five samples are detailed in Table 1 above.\r\n\r\nAppendix\r\n\r\nAdditional samples related to the SWIFT intrusions (ref: http://baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html)\r\n\r\nFilename | MD5 | AntiVirus name\r\nevtsys.exe | 5d0ffbc8389f27b0649696f0ef5b3cfe | BanSwift\r\nevtdiag.exe | 24d76abbc0a10e4c977a28b33c879248 | BanSwift\r\nnroff_b.exe | 1d0e79feb6d7ed23eb1bf7f257ce4fee | BanSwift\r\ngpca.dat | f7272bb1374bf3af193ea1d1845b27fd | \r\nmspdclr.exe | 909e1b840909522fe6ba3d4dfd197d93 | BanSwift\r\n\r\nOther previously known Lazarus Group samples (SHA-256):\r\n138464214c78a73e3714d784697745acbf692ef40419d31418e4018e752cb92b\r\nbdcfa3b6ca6b351e76241bca17e8f30cc8f35bed0309cee91966be9bd01cb848\r\nddebee8fe97252203e6c943fb4f9b37ade3d5fefe90edba7a37e4856056f8cd6\r\n4d4b17ddbcf4ce397f76cf0a2e230c9d513b23065f746a5ee2de74f447be39b9\r\ne2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a\r\neff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55\r\nf6cb8343444771c3d03cc90e3ac5f76ff9a4cb9cd41e65c3b7f52b38b20c0c27\r\n\r\nrule 
AnomaliLABS_Lazarus_wipe_file_routine {\r\n meta:\r\n     author = \"aaron shelmire\"\r\n     date = \"2015 May 26\"\r\n     desc = \"Yara sig to detect File Wiping routine of the Lazarus group\"\r\n strings:\r\n     /* random lowercase file name routine: cdq / mov ecx,26 / idiv ecx / add dl,'a' / mov [esi],dl / mov al,[esi+1] / inc esi / test al,al */\r\n     $rand_name_routine = { 99 B9 1A 00 00 00 F7 F9 80 C2 61 88 16 8A 46 01 46 84 C0 }\r\n     /* imports for overwrite function */\r\n     $imp_getTick = \"GetTickCount\"\r\n     $imp_srand = \"srand\"\r\n     $imp_CreateFile = \"CreateFileA\"\r\n     $imp_SetFilePointer = \"SetFilePointer\"\r\n     $imp_WriteFile = \"WriteFile\"\r\n     $imp_FlushFileBuffers = \"FlushFileBuffers\"\r\n     $imp_GetFileSizeEx = \"GetFileSizeEx\"\r\n     $imp_CloseHandle = \"CloseHandle\"\r\n     /* imports for rename function */\r\n     $imp_strrchr = \"strrchr\"\r\n     $imp_rand = \"rand\"\r\n     /* plain strings match as substrings, so MoveFileEx also covers MoveFileExA */\r\n     $Move_File = \"MoveFileA\"\r\n     $Move_FileEx = \"MoveFileEx\"\r\n     $imp_RemoveDir = \"RemoveDirectoryA\"\r\n     $imp_DeleteFile = \"DeleteFileA\"\r\n     $imp_GetLastError = \"GetLastError\"\r\n condition:\r\n     $rand_name_routine and (11 of ($imp_*)) and (1 of ($Move_*))\r\n}",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks"
	],
	"report_names": [
		"evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434438,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb28e1fff3672ea790048ce42a9f5917c72be7aa.pdf",
		"text": "https://archive.orkl.eu/fb28e1fff3672ea790048ce42a9f5917c72be7aa.txt",
		"img": "https://archive.orkl.eu/fb28e1fff3672ea790048ce42a9f5917c72be7aa.jpg"
	}
}