The alleged North Korean hacking group sometimes called “Hidden Cobra” used a previously unknown Adobe Flash exploit to gain access to Turkish financial institution systems last week, security firm McAfee says.
“We have found what may be an early data-gathering stage for future possible heists from financial organizations in Turkey (and possibly other countries),” says McAfee in a statement.
The organizations received targeted phishing emails containing Word documents with embedded Flash code, which exploited a complex Flash vulnerability that let the embedded code run arbitrary commands. In this case, that allowed the hackers to install remotely controlled malware known as Bankshot, first reported by U.S. Department of Homeland Security and FBI officials in December.
“FBI has high confidence that Hidden Cobra actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation,” they said at the time.
Adobe has since fixed the Flash bug. Similar attacks have been carried out in recent years on the SWIFT international funds transfer system, according to McAfee.
I wrote more last month about how the North Korean regime, perennially hard up for cash, has turned to online bank and digital currency heists, and even clandestine cryptocurrency mining, to raise funds. In February, for instance, a South Korean official blamed the North for stealing billions of won in cryptocurrency last year from South Korean exchanges, partly through malware-laden spear-phishing emails.