Alert: North Korea’s BeagleBoyz Global Cyber-enabled Bank Robbery Schemes


Since February 2020, North Korea has resumed targeting banks in multiple countries to initiate fraudulent international money transfers and ATM cash outs.

The recent resurgence follows a lull in bank targeting since late 2019.

This alert provides an overview of North Korea’s extensive, global cyber-enabled bank robbery scheme, a short profile of the group responsible for this activity, in-depth technical analysis, and detection and mitigation recommendations to counter this ongoing threat to the Financial Services sector.

The BeagleBoyz, an element of the North Korean government’s Reconnaissance General Bureau, have likely been active since at least 2014.

Unlike typical cybercrime, the group likely conducts well-planned, disciplined, and methodical cyber operations more akin to careful espionage activities. Their malicious cyber operations have netted hundreds of millions of U.S. dollars and are likely a major source of funding for the North Korean regime.

The group has always used a calculated approach, which allows them to sharpen their tactics, techniques, and procedures while evading detection. Over time, their operations have become increasingly complex and destructive. The tools and implants employed by this group are consistently complex and demonstrate a strong focus on effectiveness and operational security.

The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as: APT38 (FireEye), Bluenoroff (Kaspersky), Lazarus Group (ESTSecurity), and Stardust Chollima (CrowdStrike).

The BeagleBoyz likely have targeted financial institutions in the following nations from 2015 through 2020: Argentina, Brazil, Bangladesh, Bosnia and Herzegovina, Bulgaria, Chile, Costa Rica, Ecuador, Ghana, India, Indonesia, Japan, Jordan, Kenya, Kuwait, Malaysia, Malta, Mexico, Mozambique, Nepal, Nicaragua, Nigeria, Pakistan, Panama, Peru, Philippines, Singapore, South Africa, South Korea, Spain, Taiwan, Tanzania, Togo, Turkey, Uganda, Uruguay, Vietnam, and Zambia.

The BeagleBoyz may use malware like ECCENTRICBANDWAGON to log keystrokes and take screen captures.

The U.S. Government has identified some ECCENTRICBANDWAGON samples that can RC4-encrypt the logged data, but the tool has no network functionality. The implant writes logged data in a specific format and saves the file locally; a separate tool retrieves the logged data. The implant also contains no mechanism for persistence or self-loading and expects a specific configuration file to be present on the system. A full technical report for ECCENTRICBANDWAGON is available at https://us-cert.cisa.gov/northkorea.

Read more in the full alert: FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.
