North Korean hackers infiltrate Chile's ATM network following a Skype interview


A Redbanc employee applied for a job via LinkedIn and received a call from one of the most active hacker crews in the world. A Skype call and a credulous employee were all that North Korean hackers needed to infiltrate the computer network of Redbanc, the company that connects all Chilean banks' ATM infrastructure.

The main suspects behind the hack are a hacker group known as the Lazarus Group (or Hidden Cobra), known to have associations with the Pyongyang regime, and known to have targeted banks, financial institutions and cryptocurrency exchanges in recent years.

The most recent attack by Lazarus took place at the end of December last year, but came to the public’s attention only after Chilean Senator which has direct links to the networks of all Chilean banks, formally admitted to the hack a day later in a message posted on its website.

One day after Redbanc's admission, however, an investigation conducted by Chilean tech news site TrendTIC revealed that the financial firm was the victim of a serious cyberattack, one that could not easily be dismissed. According to reporters, the source of the hack was a LinkedIn ad for a developer position at another company, to which one of the Redbanc employees applied.

The hiring company, believed to be a front for Lazarus Group operators who realized that they were baiting a big fish, approached the Redbanc employee for an interview, conducted in Spanish via a Skype call. TrendTIC reports that during this interview the Redbanc employee was asked to download, install and run a file called ApplicationPDF.exe, a program that would assist in the recruitment process and generate a standard application form.

But according to an analysis of this executable by Vitali Kremez, director of research at Flashpoint, the file downloaded and installed PowerRatankba, a malware strain previously linked to Lazarus Group hacks in a Proofpoint report published in December 2017.

Kremez said that the malware collected information about the Redbanc employee's work PC and sent it back to a remote server. The information collected included the username, hardware and OS details of the PC, proxy settings, a list of current processes, whether the infected host had open RPC and SMB file shares, and the RDP connection status.

The information collected would have told the hackers what kind of computer they had infected, letting them decide later whether to deliver a second-stage payload in the form of a more intrusive PowerShell script.
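As an added detection example (not from the original article or from the researchers it cites), the Python below triages process-creation events for the pattern described above: an executable named like a document, run from a user-writable folder, and PowerShell started by it. The event fields, host names, paths and the assumption that the second stage shows up as a child PowerShell process are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 style fields; all values are illustrative).
EVENTS = [
    {"host": "WS-017", "image": r"C:\Users\jperez\Downloads\ApplicationPDF.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "ApplicationPDF.exe"},
    {"host": "WS-017", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\jperez\Downloads\ApplicationPDF.exe",
     "cmdline": "powershell.exe -File <placeholder>.ps1"},
    {"host": "WS-022", "image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "Acrobat.exe report.pdf"},
    {"host": "WS-022", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "powershell.exe -File inventory.ps1"},
]

# Folders a standard user can write to, where a downloaded "form generator" would land.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(downloads|desktop|appdata)|temp)\\", re.I)
# File name carries a document-type word but is actually an executable.
DOC_LURE = re.compile(r"(pdf|docx?|xlsx?|resume|application).*\.exe$", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


def basename(path):
    """File name of a Windows path, lower-cased (works on any OS)."""
    return PureWindowsPath(path).name.lower()


def is_lure(path):
    """True for an executable named like a document and stored in a user-writable folder."""
    return bool(USER_WRITABLE.search(path)) and bool(DOC_LURE.search(basename(path)))


def triage(events):
    """Return (host, reason, detail) tuples for events worth an analyst's attention."""
    findings = []
    for ev in events:
        if is_lure(ev["image"]):
            findings.append((ev["host"], "document-named executable run from user folder", ev["image"]))
        if basename(ev["image"]) in SCRIPT_HOSTS and is_lure(ev["parent"]):
            findings.append((ev["host"], "PowerShell spawned by document-named executable", ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for host, reason, detail in triage(EVENTS):
        print(f"{host}: {reason}: {detail}")
```

The name pattern is deliberately broad, so a match is a reason for review rather than a verdict.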

The Redbanc incident is yet another example of how a worker who clicks the wrong link or runs the wrong file can cause a serious security breach and how a hacked PC or laptop can compromise a whole network.

Previously, according to an indictment by the US authorities, hackers of the Lazarus Group were accused of trying to steal money from the local Chilean bank Banco de Chile.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.