Threat Coverage

Aug 27, 2020

SafeBreach Hacker’s Playbook Updated for US-CERT Alert (AA20-239A) FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks

SafeBreach Labs has updated the Hacker’s Playbook™ with new attack methods for malware samples described in US-CERT FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks which addresses yet another serious attack from the Democratic People’s Republic of Korea (DPRK). The BeagleBoyz is identified as a new Threat Group, which is made up of Lazarus Group and APT38 that specifically targets Financial Institutions. The attack is focused on financial gain by accessing bank accounts to steal money from ATMs and also through SWIFT to transfer funds.

The North Korean threat groups are notorious for devastating attacks, including the infamous WannaCry attack in 2017 from Lazarus Group, the attack against Sony Pictures in 2014 in retaliation for ‘The Interview’ film by Guardians of Peace, and the Bangladesh Bank Heist in 2016 where \$81 million was stolen via the SWIFT network, among others. SafeBreach Labs has been tracking their progress and updating the SafeBreach Hacker’s Playbook throughout the years.

Here is an overview SafeBreach Hacker’s Playbook timeline based on US-Cert Alert updates only:

Similar to most DPRK attacks, the BeagleBoyz uses numerous TTPs and malware samples, most of which are already covered in the SafeBreach Hacker’s Playbook. The new attack methods have been added based on this latest US-CERT Alert.

CROWDEDFLOUNDER

Existing Coverage

5 attack methods already covered

ECCENTRICBANDWAGON

New Coverage

#5413 – Write ar20-239a malware to disk (Host-Level)

#5414 – Transfer of ar20-239a malware over HTTP/S (Lateral Movement)

#5415 – Transfer of ar20-239a malware over HTTP/S (Infiltration)

#5416 – Email ar20-239a malware as a ZIP attachment (Lateral Movement)

#5417 – Email ar20-239a malware as a ZIP attachment (Infiltration)

#5429 – Pre-execution phase of aa20-239a_FASTCash_MSIL_exe malware (Host-Level)

#5430 – Write aa20-239a_FASTCash_MSIL_exe malware to disk (Host-Level)

#5431 – Transfer of aa20-239a_FASTCash_MSIL_exe malware over HTTP/S (Lateral Movement)

#5432 – Transfer of aa20-239a_FASTCash_MSIL_exe malware over HTTP/S (Infiltration)

#5433 – Email aa20-239a_FASTCash_MSIL_exe malware as a ZIP attachment (Lateral Movement)

#5434 – Email aa20-239a_FASTCash_MSIL_exe malware as a ZIP attachment (Infiltration)

ELECTRICFISH

Existing Coverage

7 attack methods already covered

FASTCash

Existing Coverage

5 existing attack methods already covered

New coverage

  • #5402 – Write ar20-239c malware to disk (Host-Level)
  • #5403 – Transfer of ar20-239c malware over HTTP/S (Lateral Movement)
  • #5404 – Transfer of ar20-239c malware over HTTP/S (Infiltration)
  • #5405 – Email ar20-239c malware as a ZIP attachment (Lateral Movement)
  • #5406 – Email ar20-239c malware as a ZIP attachment (Infiltration)
  • #5418 – Write aa20-239a_FASTCash malware to disk (Host-Level)
  • #5419 – Transfer of aa20-239a_FASTCash malware over HTTP/S (Lateral Movement)
  • #5420 – Transfer of aa20-239a_FASTCash malware over HTTP/S (Infiltration)
  • #5421 – Email aa20-239a_FASTCash malware as a ZIP attachment (Lateral Movement)
  • #5422 – Email aa20-239a_FASTCash malware as a ZIP attachment (Infiltration)
  • #5423 – Pre-execution phase of aa20-239a_FASTCash_exe malware (Host-Level)
  • #5424 – Write aa20-239a_FASTCash_exe malware to disk (Host-Level)
  • #5425 – Transfer of aa20-239a_FASTCash_exe malware over HTTP/S (Lateral Movement)
  • #5426 – Transfer of aa20-239a_FASTCash_exe malware over HTTP/S (Infiltration)
  • #5427 – Email aa20-239a_FASTCash_exe malware as a ZIP attachment (Lateral Movement)
  • #5428 – Email aa20-239a_FASTCash_exe malware as a ZIP attachment (Infiltration)

HOPLIGHT

Existing Coverage

23 existing attack methods already covered

VIVACIOUSGIFT

New Coverage

  • #5407 – Pre-execution phase of ar20-239b-MAR-10301706-2 malware (Host-Level)
  • #5408 – Write ar20-239b-MAR-10301706-2 malware to disk (Host-Level)
  • #5409 – Transfer of ar20-239b-MAR-10301706-2 malware over HTTP/S (Lateral Movement)
  • #5410 – Transfer of ar20-239b-MAR-10301706-2 malware over HTTP/S (Infiltration)
  • #5411 – Email ar20-239b-MAR-10301706-2 malware as a ZIP attachment (Lateral Movement)
  • #5412 – Email ar20-239b-MAR-10301706-2 malware as a ZIP attachment (Infiltration)

Looking back at North Korean attacks on financial institutions BeagleBoyz could be attributed to cyber-enabled financial theft and money laundering, extortion campaigns, and cryptojacking. It is clear they are attacking for financial gain, with estimated thefts of \$2 billion to date.

What you want to do

The new attack methods for US-CERT AA20-239A are already in the SafeBreach Hacker’s Playbook and ready to be run across your simulators. The Known Attack Series report is being updated so you can run specifically the attacks from this US-CERT alert. From the Known Attack Series report, select the US-CERT Alert AA20-239A (FastCash 2.0) report and select Run Simulations which will run all the attack methods.

Get the latest
research and news