Cyber Incident Victim: Online casino in Central America
Date: Apr 2018
Location: Costa Rica
Summary
The North Korea-linked Lazarus APT group targeted an online casino in Central America using customized malware, including the KillDisk disk-wiper to destroy data, alongside credential-stealing tools like Mimikatz and remote access utilities such as Radmin and LogMeIn. Attackers deployed multiple backdoors, including Win64/NukeSped variants for command execution and session hijacking, mirroring prior campaigns against financial institutions in Poland, Mexico, and Latin America. The group leveraged administrative privileges to install malicious services, inject processes, and exfiltrate browser passwords, though the primary intent—whether sabotage, espionage, or extortion—remained unclear. Tools were recompiled specifically for this attack, reinforcing Lazarus's adaptive tradecraft.
Description
In early April 2018, ESET researchers uncovered a cyberattack targeting an online casino in Central America, attributing it to the North Korea-linked Lazarus APT group (also known as Hidden Cobra). The attackers deployed multiple custom tools consistent with Lazarus' historical tactics, including the Win64/NukeSped backdoor—a console application installed as a Windows service requiring administrator privileges. This backdoor implemented 20 commands mirroring functionality observed in previous Lazarus operations. Alongside this primary backdoor, attackers utilized a session hijacker variant designated Win64/NukeSped.AB, designed to create processes under other logged-in users' credentials on compromised systems. This specific hijacker had previously been observed in attacks against Polish financial institutions and Mexican entities. The intrusion involved credential theft through Mimikatz and leveraged legitimate remote administration tools Radmin 3 and LogMeIn for persistent access. Attackers employed malicious droppers and loaders to deploy their toolkit across victim systems.

The operation featured at least two distinct variants of the KillDisk disk-wiping malware, which exhibited technical differences from versions used in earlier Lazarus campaigns against Latin American financial institutions. While the exact intent behind KillDisk's deployment remained unclear—whether for sabotage, evidence destruction, or extortion—its presence alongside Lazarus-associated malware strengthened attribution. ESET noted the attackers systematically recompiled their tools for each operation, including this casino attack. Forensic analysis revealed additional utilities for process injection, service termination, file manipulation, and browser password extraction. The multi-tool infrastructure demonstrated Lazarus' continued focus on financial targets, expanding from prior bank heists like the Bangladesh Central Bank incident to gambling sector compromises. Technical overlaps with previous campaigns against Polish and Mexican targets confirmed toolset reuse, while the Central American casino attack highlighted the group's persistent refinement of their malware arsenal.
