What Is Hidden Cobra? North Korean Hackers Tied to New Bank Cyberattacks

North Korean hackers are using an advanced form of malware in fresh attacks on banks, a new research report from security firm McAfee has revealed.

According to the U.S. government, the state-sponsored cyber unit, codenamed Hidden Cobra, targets telecoms and financial institutions using sophisticated tools known as Bankshot, Badcall, Hardrain and Fallchill. It has links to previous attacks on SWIFT, the transfer network which connects more than 10,000 banks.

As U.S. president Donald Trump touts an upcoming meeting with North Korea's ruler Kim Jong-un, research shows that Hidden Cobra is in the "data-gathering stage" for future heists on major financial organizations. The regime has been known to target casinos and bitcoin exchanges to fund its illicit activities.


The latest hacking campaign uses a booby-trapped Microsoft Word document and exploits vulnerabilities in Adobe Flash, a widely used piece of computer software.

The malware in this case, Bankshot, spreads via email phishing, and McAfee believes the most recent infections are, at this point, targeting institutions in Turkey. But the attacks could quickly spread, experts warned.
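The delivery vector described above, a Word document carrying Flash content, can be screened for on the receiving side before anyone opens the file. The script below is an added example, not code from McAfee or from this article: it treats a .docx as the ZIP container it is, flags any part that starts with an SWF magic header (FWS, CWS or ZWS) or an ActiveX part that references the Shockwave Flash control's well-known CLSID, and builds a constructed sample document in memory to show both a clean and a flagged case. Nothing in it corresponds to the real Agreement.docx, whose contents the article does not give.

```python
"""Flag Word (.docx) files that embed Adobe Flash or ActiveX content.

A .docx is a ZIP archive (OOXML). Embedded objects live under
word/embeddings/, ActiveX controls under word/activeX/. SWF files begin
with FWS (uncompressed), CWS (zlib) or ZWS (LZMA). The Shockwave Flash
ActiveX control is identified by the CLSID below, which is public and
widely documented. The sample document built here is constructed for the
example and is not a real malicious file.
"""
import io
import zipfile

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"


def scan_docx(data: bytes) -> list:
    """Return a list of human-readable findings; empty list means nothing seen."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid OOXML zip container"]

    for name in zf.namelist():
        lower = name.lower()
        payload = zf.read(name)

        # Any part that is an SWF file, whatever it is named.
        if lower.endswith(".swf") or payload[:3] in SWF_MAGIC:
            findings.append(f"{name}: SWF (Flash) object embedded")

        # ActiveX control descriptors; check whether they point at Flash.
        if lower.startswith("word/activex/") and lower.endswith(".xml"):
            text = payload.decode("utf-8", errors="replace")
            if FLASH_CLSID.lower() in text.lower():
                findings.append(f"{name}: ActiveX control is Shockwave Flash")
            else:
                findings.append(f"{name}: ActiveX control present")
    return findings


def build_sample_docx(include_flash: bool) -> bytes:
    """Construct a minimal .docx in memory; optionally add Flash parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if include_flash:
            # ActiveX descriptor referencing the Flash control's CLSID.
            zf.writestr("word/activeX/activeX1.xml",
                        f'<ax:ocx ax:classid="{{{FLASH_CLSID}}}"/>')
            # A fake zlib-compressed SWF header (CWS) followed by padding.
            zf.writestr("word/embeddings/oleObject1.bin",
                        b"CWS\x0a" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)),
                       ("flash", build_sample_docx(True))):
        print(label, scan_docx(doc) or "no findings")
```

Run it on a mail-gateway quarantine or a shared drive by reading each file's bytes into `scan_docx`; any non-empty result is worth a second look, since legitimate business documents rarely embed Flash.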

"The implant's first target was a major government-controlled financial organization," Ryan Sherstobitoff, a researcher from McAfee's Advanced Threat Research team, wrote in a blog post published on Thursday. "It next appeared in another Turkish government organization involved in finance and trade.

"The implant does not conduct financial transactions; rather it is a channel into the victim's environment, in which further stages of implants can be deployed for financial reconnaissance. The Bankshot implant was also observed in 2017 in documents appearing to come from Latin American banks. These connections, combined with the implant's nearly identical appearance to known variants, are a strong indication that we have uncovered a Hidden Cobra attack."

The Bankshot implant had the ability to wipe files and content from the targeted system to erase evidence and perform "destructive" actions, McAfee discovered. The Word file posed as relating to a bitcoin exchange, titled Agreement.docx.


US-CERT, which deals with cybersecurity issues, said in a report last year that Hidden Cobra had been active since at least 2009.

It is also known as the Lazarus Group, which multiple cybersecurity companies have tied to the infamous 2014 Sony Pictures hack and the "WannaCry" global ransomware outbreak. It was linked to the infiltration of the Bangladesh central bank, an attack which successfully stole a whopping $81 million by tampering with SWIFT.

"Capabilities used by Hidden Cobra include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware," the US-CERT analysis revealed. Recently, the state hackers have allegedly been focused on stealing bitcoin and cryptocurrencies, especially from South Korea.

In January 2018, Japan-based security firm Trend Micro said in a report that the North Korean unit has "spin off" teams dubbed Bluenoroff and Andariel. "Few cybercrime groups throughout history have had as much disruptive power and lasting impact as the Lazarus Group," the company's analysis concluded.