Ever sent or received a file through Skype? One Chilean employee (a supposedly trusted IT professional) working for the company Redbanc messed up big time when he decided to go job searching, on company time, and took part in a staged “job interview” via Skype. The employee (whose name, as far as I am aware, has not been disclosed to the public) was looking around at jobs back in December while he was at work for Redbanc. Redbanc is the company in charge of ATM processing services for the majority of ATMs in Chile, and has connections with every single Chilean bank as well. This employee found a position on LinkedIn that looked promising and contacted the “company”, thinking they were going to take part in a virtual job interview via Skype. The hackers behind the fake LinkedIn listing replied, and the employee then took part in the staged interview. The interview started out as a fake conversation between the employee and the hacker(s), and then reached a point at which the hacker(s) asked the employee to fill out a fake application. The hackers delivered said application to the employee via Skype’s file transfer feature. Without hesitation, the employee downloaded the file (ApplicationPDF.exe) onto their Windows 7 work computer through Skype and opened it. A fake PDF was brought up for the employee to fill out while malicious code executed in the background, giving the hackers access to the entire network and processing system of every single ATM in Chile.
The hacker group that claimed responsibility for this attack is known as the Lazarus Group (AKA Hidden Cobra, or Kimsuky). The Lazarus Group is the hacker group that claimed responsibility for the Sony hack back in 2014 and for the WannaCry ransomware that infected an estimated 230,000 computers in 2017. The security firm Flashpoint confirmed that the attack carried out by the Lazarus Group utilized a toolkit called “PowerRatankba”, which has supposed links to the North Korean hacking unit known as “Bureau 121” (121국). The program is written in Visual Basic and, when opened, resembles a legitimate-looking application form for the user to fill out. The malware itself actually has a second payload. After the user downloads the malicious file and runs it, the malware connects to a server to fetch that second payload and downloads a PowerShell reconnaissance tool. This allows the hackers to control the compromised computer essentially at will. The malware’s next task is to call back to the server and ensure a connection is made (in this case via HTTPS), and then delete the PowerShell script afterwards. PowerRatankba then scrapes the PC for as much information as it can obtain, including: which user is currently logged into Windows on the machine and their UAC level, the process list, the machine’s proxy settings, and whether any file shares or Remote Desktop Protocol ports are open. If the logged-in user does have admin rights, PowerRatankba will attempt to download yet another payload from the attackers’ server, giving the hackers more leverage over the system.
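The delivery chain described above (a chat client drops a document-named executable, the user runs it, it spawns PowerShell, PowerShell calls out over HTTPS) is what a defender can look for in endpoint telemetry. The following is an added example, not code from the original post or from Flashpoint; the Sysmon-style event records, the client list and the sample paths are constructed assumptions.

```python
"""Detection logic for the chain described above: a messaging client drops an
executable that masquerades as a document, the user runs it, it spawns
PowerShell, and PowerShell calls out over HTTPS. Events are constructed dicts."""
import re
# Assumed list of chat clients whose transfers land in the user profile.
TRANSFER_CLIENTS = ("skype.exe", "teams.exe", "slack.exe")
# Document-looking stem followed by an executable extension, e.g. ApplicationPDF.exe
DISGUISED = re.compile(r"(pdf|docx?|xlsx?|pptx?)\.(exe|scr|com|vbs|js|bat)$", re.I)
POWERSHELL = ("powershell.exe", "pwsh.exe")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_chain(events):
    """Map each disguised executable to the stages observed for it.
    id 11 = file create (image, target); id 1 = process create
    (image, parent, pid); id 3 = network connect (pid, dst_port)."""
    findings = {}
    for e in events:  # stage 1: document-named executable written by a chat client
        if e["id"] == 11 and basename(e["image"]) in TRANSFER_CLIENTS \
                and DISGUISED.search(e["target"]):
            findings[e["target"]] = ["dropped by " + basename(e["image"])]
    shells = {}  # PowerShell pid -> path of the dropper that spawned it
    for e in events:  # stages 2-4 are only tracked for droppers found above
        if e["id"] == 1 and e["image"] in findings:
            findings[e["image"]].append("executed")
        elif e["id"] == 1 and basename(e["image"]) in POWERSHELL \
                and e.get("parent") in findings:
            findings[e["parent"]].append("spawned PowerShell")
            shells[e["pid"]] = e["parent"]
        elif e["id"] == 3 and e["pid"] in shells and e.get("dst_port") == 443:
            findings[shells[e["pid"]]].append("PowerShell connected out on 443")
    return findings

SAMPLE_EVENTS = [  # constructed, chronological; a benign PDF transfer comes first
    {"id": 11, "image": r"C:\Program Files\Skype\Skype.exe",
     "target": r"C:\Users\hr\Downloads\Resume.pdf"},
    {"id": 11, "image": r"C:\Program Files\Skype\Skype.exe",
     "target": r"C:\Users\hr\Downloads\ApplicationPDF.exe"},
    {"id": 1, "image": r"C:\Users\hr\Downloads\ApplicationPDF.exe",
     "parent": r"C:\Windows\explorer.exe", "pid": 4242},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\hr\Downloads\ApplicationPDF.exe", "pid": 4300},
    {"id": 3, "pid": 4300, "dst_port": 443},
]

if __name__ == "__main__":
    for path, stages in detect_chain(SAMPLE_EVENTS).items():
        print(path, "->", " | ".join(stages))
```

The benign Resume.pdf transfer produces no finding; only the document-named executable accumulates stages, and an alert on two or more stages for the same path keeps the rule from firing on a single odd download.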
Below is a picture of the GUI that is shown to the user when the executable is opened (provided by Flashpoint):
The infiltration itself actually took place in December, but was not publicized until Chilean Senator Felipe Harboe blasted Redbanc on Twitter for not disclosing the breach to the public. Redbanc then acknowledged the infiltration, but did not disclose any further information to the public. This attack would not have happened if there had not been an incompetent employee who decided to download a suspicious file via Skype onto their work computer to partake in a “job interview”.
(For more information on the malware itself, visit here or here.)