Hidden Cobra, a threat group linked to North Korea, has turned its attention to financial institutions in Turkey. McAfee reported finding malware known as Bankshot, which is associated with the group, on systems belonging to three large financial organizations and at least two major government-controlled entities involved in finance and trade in Turkey. The malware is designed to persist on compromised systems for further exploitation. According to McAfee, this suggests that Hidden Cobra is trying to gather specific information that can be used to launch more attacks.
The FBI and the US Department of Homeland Security have described the group as having a wide range of attack tools at its disposal, including denial-of-service botnets, wiper malware, and remote access Trojans. The attackers’ tool of choice, Bankshot, was also used in an attack on a Korean bank and against banks in Latin America. McAfee’s investigation showed that Bankshot implants were distributed via phishing emails. The emails contained a malicious Word document with an embedded exploit for a recently disclosed Adobe Flash vulnerability.