Since February 2020, North Korea has resumed targeting banks in multiple countries to initiate fraudulent international money transfers and ATM cash outs.
The recent resurgence follows a lull in bank targeting since late 2019.
This alert provides an overview of North Korea’s extensive, global cyber-enabled bank robbery scheme, a short profile of the group responsible for this activity, in-depth technical analysis, and detection and mitigation recommendations to counter this ongoing threat to the Financial Services sector.
The BeagleBoyz, an element of the North Korean government’s Reconnaissance General Bureau, have likely been active since at least 2014.
As opposed to typical cyber-crime, the group likely conducts well-planned, disciplined, and methodical cyber operations more akin to careful espionage activities. Their malicious cyber operations have netted hundreds of millions of U.S. dollars and are likely a major source of funding for the North Korean regime.
The group has always used a calculated approach, which allows them to sharpen their tactics, techniques, and procedures while evading detection. Over time, their operations have become increasingly complex and destructive. The tools and implants employed by this group are consistently complex and demonstrate a strong focus on effectiveness and operational security.
The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as: APT38 (FireEye), Bluenoroff (Kaspersky), Lazarus Group (ESTSecurity), and Stardust Chollima (CrowdStrike).
The BeagleBoyz likely have targeted financial institutions in the following nations from 2015 through 2020: Argentina, Brazil, Bangladesh, Bosnia and Herzegovina, Bulgaria, Chile, Costa Rica, Ecuador, Ghana, India, Indonesia, Japan, Jordan, Kenya, Kuwait, Malaysia, Malta, Mexico, Mozambique, Nepal, Nicaragua, Nigeria, Pakistan, Panama, Peru, Philippines, Singapore, South Africa, South Korea, Spain, Taiwan, Tanzania, Togo, Turkey, Uganda, Uruguay, Vietnam, and Zambia.
The BeagleBoyz may use malware like ECCENTRICBANDWAGON to log keystrokes and take screen captures.
The U.S. Government has identified some ECCENTRICBANDWAGON samples that can RC4-encrypt the logged data, but the tool has no network functionality. The implant writes the logged data in a specific format and saves the file locally; a separate tool retrieves the logged data. The implant also contains no mechanism for persistence or self-loading and expects a specific configuration file to be present on the system. A full technical report for ECCENTRICBANDWAGON is available at https://us-cert.cisa.gov/northkorea.
Read more here at FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.