Evidence of Stronger Ties Between North Korea and SWIFT Banking Attacks

Five new additional pieces of malware code discovered that contain unique portions of code related to the the SWIFT attacks.

Recently, malware analysts at Symantec discovered two subroutines that were shared amongst North Korea’s Lazarus’ groups Operation Blockbuster malware and two samples of malware from the recent SWIFT attacks.

The shared subroutines are displayed as evidence to relate the SWIFT intrusion activity to the Lazarus group. Symantec’s analysis was utilized in the The New York Times story on May 27, 2016. Their findings supported a claim that these were the only two pieces of software with this shared code.

The Anomali Labs team has conducted deeper research into a very large malware data repository. This process utilized the yara signature below to search for the shared subroutines. At first, we believed it would produce a lot of false positives. Instead, this search not only failed to result in any false positives, but also turned up five other pieces of malware which share this code. We see this as a possible attribution of the Lazarus group attacks to other attacks that involved these same five pieces of malware code.

Malware FamilyMd5 hashNotes
SWIFT BanSwift5d0ffbc8389f27b0649696f0ef5b3cfeevchk.bat dropper
SWIFT Fake Foxit Reader0b9bf941e2539eaa34756a9e2c0d5343A Fake Foxit Reader submitted to Virustotal from Vietnam in December 2015 (similar sample detailed at
SMBWorm558b020ce2c80710605ed30678b6fd0cKnown North Korean Malware
Memory dump with SMBWorm96f4e767aa6bb1a1a5ab22e0662eec86 
Unknown “hkcmd” toolb0ec717aeece8d5d865a4f7481e941c51st Submitted from Canada, likely from an AV organization. 2016/04/22. PE Build Date of December 2010.
imkrmig.exe5a85ea837323554a0578f78f4e7febd8An unknown backdoor posing as a Korean sample of Microsoft Office 2007.

Table 1. Malware families and samples known to include the Lazarus Wipe File routine.

Our approach to code comparison was to utilize Position Independent Code function hashes to compare the samples against one another. This process utilizes cryptographic hash values derived from the instruction mnemonics within the binary code. By performing this comparison, we can see the direct overlap of these shared functions between the various samples.

Figure 1: The function overlap viewed from ae086350239380f56470c19d6a200f7d251c7422c7bc5ce74730ee8bab8e6283 as veiwed within IDAPro

Additionally, there are other function hashes (seven) that are shared amongst the Trojan.Filmis and various SWIFT-related malware samples. Anomali LABS is unsure of how rare these functions are at this point.

Investigative Process

We began by taking a look at the two subroutines that are reported to be unique by Symantec. We retrieved the API names and added those to a yara signature. In some cases, the APIs are MoveFileExA instead of MoveFileEx.

We then took a look at the code used. There is a small portion of code where a file name consisting of randomly generated lowercase letters is created. This was used as part of the criteria.

Using this criteria, we began a search of a large malware database starting on Thursday night. On Friday morning, we thought we’d be faced with a sea of false positives. But it only returned 10 matches! Four of those were known samples of the SWIFT malware, and one sample was a zip file that includes a known SWIFT sample. The other five samples are detailed above.


Additional Samples related to the SWIFT intrusions (ref:

Filename md5 AntiVirus Name
evtsys.exe 5d0ffbc8389f27b0649696f0ef5b3cfe BanSwift
evtdiag.exe 24d76abbc0a10e4c977a28b33c879248 BanSwift
nroff_b.exe 1d0e79feb6d7ed23eb1bf7f257ce4fee  BanSwift
gpca.dat f7272bb1374bf3af193ea1d1845b27fd  
mspdclr.exe 909e1b840909522fe6ba3d4dfd197d93BanSwift

Other previously known Lazarus Group samples:


rule AnomaliLABS_Lazarus_wipe_file_routine {
     author = "aaron shelmire"
     date = "2015 May 26"
     desc = “Yara sig to detect File Wiping routine of the Lazarus group”
     $rand_name_routine = { 99 B9 1A 00 00 00 F7 F9 80 C2 61 88 16 8A 46 01 46 84 C0 }
     /* imports for overwrite function */
     $imp_getTick = "GetTickCount"
     $imp_srand = "srand"
     $imp_CreateFile = "CreateFileA"
     $imp_SetFilePointer = "SetFilePointer"
     $imp_WriteFile = "WriteFile"
     $imp_FlushFileBuffers = "FlushFileBuffers"
     $imp_GetFileSizeEx = "GetFileSizeEx"
     $imp_CloseHandle = "CloseHandle"
     /* imports for rename function */
     $imp_strrchr = "strrchr"
     $imp_rand = "rand"
     $Move_File = "MoveFileA"
     $Move_FileEx = "MoveFileEx"
     $imp_RemoveDir = "RemoveDirectoryA"
     $imp_DeleteFile = "DeleteFileA"
     $imp_GetLastError = "GetLastError"
     $rand_name_routine and (11 of ($imp_*)) and ( 1 of ($Move_*))

Aaron Shelmire
About the Author

Aaron Shelmire

Aaron began work in the security field after machines he was responsible for were compromised in the 2004 Stakkato Intrusions. At this point he went to graduate school at Carnegie Mellon Universities Heinz College for Information Assurance, where he currently holds an adjunct position teaching Network Security Analysis. He has been a security researcher at the Software Engineering Institutes CERT/CC initiative and Dell SecureWorks, with a focus on responding to and analyzing threat intelligence.

Share this Post:
Register for a Free Anomali Account Register now