This Group Attacked Over 100 Financial Organizations Across 31 Countries With “Watering Hole” Technique


Security researchers at Symantec have identified the cyber criminal group and the attack vector behind attacks on more than 100 organizations in 31 countries. The researchers believe that the recent cyber attacks against global banks and financial institutions could be the work of the Lazarus group.

Banks and financial institutions in 31 countries have been targeted in a new series of attacks, underway since October last year, by an attacker that had not been identified at the time. The attacks came to light when a bank in Poland discovered previously unknown malware running on a number of its computers.

Watering Hole technique employed

The attackers are believed to have used the “watering hole” technique to infect predetermined targets with previously unknown strains of malware. In a watering hole attack, the attackers compromise a website their targets are known to visit and use that one common gateway to attack multiple organizations.

104 different organizations targeted

The attackers appear to be using compromised websites, the “watering holes”, to redirect visitors to a customized exploit kit. The kit is preconfigured to infect only visitors coming from approximately 150 IP addresses, which belong to the 104 targeted organizations. A side effect of this gating is that anyone visiting the compromised site from an address outside that list, including an analyst replaying the visit, is served nothing malicious.


Figure 1. Countries in which three or more organizations were targeted by attackers

Banks and financial organizations were the main targets of this watering hole attack, with a small number of telecoms and internet firms also on the list.

Once a user visits a watering hole, they are redirected to the exploit kit, which uses Silverlight and Flash exploits to infect the target’s system with malware.

Ratankba malware used in the campaign

The previously unknown malware was later dubbed Ratankba. It shares several coding similarities with malware previously used by the Lazarus group in earlier waves of attacks.

The researchers note that the malware (Downloader.Ratankba) had not been identified before, although it was already being caught by generic detection signatures.

The malware was observed contacting command and control (C&C) servers at eye-watch[.]in and sap.misapor[.]ch, and then downloading a hacktool from the C&C server.
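The two C&C domains above are the only network indicators the article gives, so the practical next step for a defender is to hunt for them in proxy or DNS logs. The script below is an added example, not Symantec’s code or a tool from the original report: it refangs the published indicators, parses proxy log lines in Squid’s native format (an assumption about the log source), and matches on the hostname as an exact domain or subdomain rather than as a raw substring, so a lookalike such as sap.misapor.ch.evil.test is not reported. The log lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicators named in the article, kept defanged as published.
DEFANGED_IOCS = ["eye-watch[.]in", "sap.misapor[.]ch"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def host_matches(host: str, ioc_host: str) -> bool:
    """True if host is the IOC domain itself or a subdomain of it.

    Suffix matching on a dot boundary avoids substring false positives
    such as 'sap.misapor.ch.evil.test'.
    """
    host = host.lower().rstrip(".")
    return host == ioc_host or host.endswith("." + ioc_host)


# Constructed Squid native-format proxy log lines (assumed log source, not
# real traffic): timestamp, elapsed, client IP, status, bytes, method, URL, ...
SAMPLE_LOG = """\
1486980001.123    312 10.10.5.23 TCP_MISS/200 1412 GET http://sap.misapor.ch/index.php - HIER_DIRECT/... text/html
1486980002.456     88 10.10.5.23 TCP_MISS/200 98711 GET http://www.eye-watch.in/dl/update.exe - HIER_DIRECT/... application/octet-stream
1486980003.789    120 10.10.7.41 TCP_HIT/200 5521 GET http://intranet.example.test/news - HIER_NONE/- text/html
1486980004.000     77 10.10.5.23 TCP_MISS/200 2210 GET http://sap.misapor.ch.evil.test/ - HIER_DIRECT/... text/html
"""


def scan_log(log_text: str, defanged_iocs=DEFANGED_IOCS):
    """Return one hit per (log line, matched indicator) pair."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        ts, client, url = fields[0], fields[2], fields[6]
        host = urlsplit(url).hostname
        if not host:
            continue
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append({"ts": float(ts), "client": client,
                             "host": host, "ioc": ioc})
    return hits


def clients_by_ioc(hits):
    """Group internal client IPs per matched indicator, to scope the response."""
    out = {}
    for h in hits:
        out.setdefault(h["ioc"], set()).add(h["client"])
    return out


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']:.3f} {hit['client']} -> {hit['host']} (IOC {hit['ioc']})")
    print(clients_by_ioc(scan_log(SAMPLE_LOG)))
```

Feeding a real access log through `scan_log` gives the list of internal hosts that contacted the C&C domains, which is where a triage should start; the subdomain match matters because the article does not say whether the samples used the bare domains or hostnames under them.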

The hacktool shares many distinctive characteristics with malware previously associated with the Lazarus group.

However, the attackers’ motives are still unknown and may become clearer once the investigation completes, Symantec’s research team says.

Lazarus has been involved in high-profile financial attacks since 2009, largely focused on targets in the US and South Korea. The North Korea-linked group is widely considered to be behind the Sony hack and other, more recent attacks against financial institutions.