Lazarus APT Collaborates with Trickbot’s Anchor Project

An unprecedented connection between the North Korean APT and the crimeware giant spells trouble for global banks and other cybercrime targets.

Researchers have found evidence of a link between global crimeware organization Trickbot and North Korean APT group Lazarus, observing direct collaboration via an all-in-one attack framework developed by Trickbot called Anchor Project.

The move appears to be the first time an APT group has aligned itself with a major force in crimeware, which has significant national security implications in the United States and spells trouble for Lazarus targets, which already have included some top multinationals, researchers said.

A security team led by Vitali Kremez, leader of SentinelLabs — the research arm of endpoint security firm SentinelOne — discovered Anchor Project tools being used to deploy malware associated with the North Korean regime, showing an unprecedented link between the two groups, researchers said. They published a report online about their findings Wednesday.

Specifically, researchers identified that the tool “PowerRatankba,” previously linked to Lazarus, was delivered to an infected Anchor Project victim, with evidence showing that the APT group’s toolkit itself was loaded via the Anchor Project.

“The ability to seamlessly integrate the APT into a monetization business model is evidence of a quantum shift,” researchers wrote in the report. “By accomplishing this integration, Trickbot overtly demonstrates that they have achieved a qualitatively new level of a cybercrime enterprise, which was never seen before in magnitude and complexity.”

Both Trickbot and Lazarus are formidable cybercrime groups in their own right. Trickbot was developed in 2016 as a banking malware, but has developed into “a flexible, universal, module-based crimeware solution” that’s evolved “to specifically attack corporations,” researchers said.

Indeed, Trickbot has evolved to add tools for harvesting desktop application credentials and performing stealthy code injection, among other new capabilities, that help the cybercriminals perform their various nefarious activities.

The partnership seems a no-brainer for Lazarus, whose specialty also seems to be attacking and defrauding corporations. The APT is the one behind the highly destructive WannaCry attack that caused millions of dollars of economic damage in 2017, as well as a high-profile attack against Sony Pictures Entertainment in 2014. It even has spawned a spinoff group, the entire mission of which is to steal money from banks to fund Lazarus’ cybercriminal operations.

It’s that latter aim that seems to be a key reason Lazarus and Trickbot hooked up, researchers said. Trickbot already includes a powerful trojan that targets U.S. banks. And while most APT groups aim to establish persistence in an organization’s system to perform long-term espionage, surveillance and data exfiltration, Lazarus also has the task of funding the North Korean regime and its own activities, and Trickbot is a good path to monetization, researchers said.

Indeed, the Anchor Project combines this one-two punch of cyberthreat activities into one package, which makes it an obvious fit for other APTs like Lazarus aimed at doing both, researchers said.

“Logically, this tool will be a very tempting acquisition for high-profile, possibly nation-state groups,” researchers wrote. “However, the Anchor is also used for large cyber-heists and point-of-sale card theft operations leveraging its custom card-scraping malware. Among the nation-state groups, only a few are interested in both data collection and financial gain, and one of them is Lazarus.”
