Cyber Incident Victim: Redbanc

Date: Dec 2018

Location: Chile

Summary

A Chilean interbank network was compromised through a social engineering attack where an IT professional unknowingly executed malware after engaging with a fake job offer distributed via social media. The malware, identified as PowerRatankba and linked to the North Korea-associated Lazarus group, deployed reconnaissance tools to gather system information, assess network configurations, and establish communication with a command server. The intrusion did not disrupt operations or services, as the threat was contained post-detection. The attack leveraged a malicious dropper disguised as a job application form to deliver PowerShell-based payloads, utilizing encryption and credential harvesting to evade detection while targeting financial infrastructure in Latin America.

CIA Posture: Available to members

Motives: 3 motives

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

In December 2018, Chilean interbank network Redbanc suffered a cyber intrusion involving the deployment of PowerRatankba malware, a toolkit associated with the North Korea-linked Lazarus APT group. The compromise began when a Redbanc IT professional responded to a fraudulent job posting on social media. The attacker, posing as a recruiter, contacted the employee and conducted a Skype interview in Spanish, ultimately tricking the individual into executing a malicious payload. The malware installer, disguised as a job application form, was delivered without triggering antivirus detection. Analysis revealed the dropper was a .NET-compiled executable with a compilation timestamp of October 31, 2018, which downloaded a PowerShell reconnaissance tool from a remote server. The PowerRatankba malware employed Base64 and Rijndael encryption with the password "PowershellAgent" to decode its scripts, then systematically gathered system intelligence through Windows Management Instrumentation (WMI) queries for network configurations, operating system details, logged-in users, and process lists. It additionally scanned for open ports including SMB (445), RPC (139), and RDP (3389), logging results to c:\windows\temp\tmp0914.tmp while displaying debug messages like "Generating UDID" and "Sending Baseinfo to server" during execution.
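As an added defender-side example (not part of this incident record or of any vendor report), the following Python scorer checks PowerShell script-block log text for the reconnaissance pattern described above. The temp file path, the debug strings, the port list and the Rijndael password come from the description; the WMI class names, the indicator weights, the threshold and the sample log events are assumptions constructed for this example. It generalises slightly beyond the literal indicators: a script that combines the three-port scan with broad WMI inventory is flagged even when none of the hard-coded strings appear.

```python
"""Score PowerShell script-block log text against the PowerRatankba
reconnaissance pattern described on this page.  Example code written for
this page; weights, WMI class names and sample events are constructed."""
import re
from dataclasses import dataclass, field

# Hard indicators quoted in the description (log path, debug strings,
# Rijndael password).  One hit is enough to flag the event on its own.
TEMP_LOG_PATH = r"c:\windows\temp\tmp0914.tmp"
DEBUG_STRINGS = ("Generating UDID", "Sending Baseinfo to server")
DECRYPT_MARKERS = ("rijndael", "powershellagent")
HARD_WEIGHT = 4

# Behavioural indicators.  The port set is from the description; the WMI
# class names are an assumption (the page names the data gathered, not the
# classes) and are the usual classes for network, OS, user and process data.
RECON_PORTS = {445, 139, 3389}
WMI_RECON_CLASSES = ("win32_networkadapterconfiguration", "win32_operatingsystem",
                     "win32_computersystem", "win32_process")
SOFT_WEIGHT = 2
THRESHOLD = 4  # one hard hit, or port scan plus broad WMI recon together


@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def score_script_block(text: str) -> Verdict:
    """Return the weighted indicator score for one script-block log entry."""
    v = Verdict()
    low = text.lower()
    if TEMP_LOG_PATH in low:
        v.score += HARD_WEIGHT
        v.hits.append("temp_log_path")
    for s in DEBUG_STRINGS:          # debug strings are matched case-sensitively
        if s in text:
            v.score += HARD_WEIGHT
            v.hits.append("debug_string:" + s)
    if all(m in low for m in DECRYPT_MARKERS):   # cipher name plus password together
        v.score += HARD_WEIGHT
        v.hits.append("rijndael_powershellagent")
    ports = {int(p) for p in re.findall(r"\b(445|139|3389)\b", text)}
    if ports == RECON_PORTS:         # all three recon ports, not a single port check
        v.score += SOFT_WEIGHT
        v.hits.append("smb_rpc_rdp_port_scan")
    if sum(c in low for c in WMI_RECON_CLASSES) >= 3:   # broad inventory, not one query
        v.score += SOFT_WEIGHT
        v.hits.append("broad_wmi_recon")
    return v


# Constructed sample events (script text as logged by script-block logging);
# these are not real log lines from the incident.
SAMPLE_EVENTS = {
    "admin_inventory": "Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, Version",
    "admin_port_check": "Test-NetConnection -ComputerName fileserver01 -Port 445",
    "ratankba_like": ("Get-WmiObject Win32_NetworkAdapterConfiguration; Get-WmiObject Win32_OperatingSystem; "
                      "Get-WmiObject Win32_ComputerSystem; Get-WmiObject Win32_Process; "
                      "foreach ($p in 445,139,3389) { ... } | Out-File c:\\windows\\temp\\tmp0914.tmp; "
                      "Write-Host 'Generating UDID'"),
    "recon_no_ioc": ("Get-WmiObject Win32_NetworkAdapterConfiguration; Get-WmiObject Win32_OperatingSystem; "
                     "Get-WmiObject Win32_Process; foreach ($p in 445,139,3389) { ... }"),
}


def triage(events: dict) -> dict:
    """Score every event; returns {event_name: Verdict}."""
    return {name: score_script_block(text) for name, text in events.items()}


if __name__ == "__main__":
    for name, v in triage(SAMPLE_EVENTS).items():
        print(f"{name:18} score={v.score:2} suspicious={v.suspicious} hits={v.hits}")
```

The two weight tiers keep a lone administrative WMI query or a single-port connectivity test at score zero, while the literal indicators from the report fire immediately; tune the threshold and class list to the scripts that are normal in your own environment before relying on it.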


Redbanc confirmed the malware was contained within its corporate network and mitigated before impacting operations, services, or infrastructure. Forensic analysis linked the attack to Lazarus based on the PowerRatankba toolkit, which aligns with the group’s history of financially motivated campaigns against Latin American financial institutions. The intrusion exemplified Lazarus’s operational pattern of leveraging social engineering via trusted channels, including social media recruitment lures and simulated professional interactions. Lazarus, also known as Hidden Cobra and Kimsuky, operates under North Korea’s RGB Bureau 121 and has targeted global financial entities since at least 2009. The group’s toolkits demonstrate advanced capabilities in credential harvesting, network reconnaissance, and persistence mechanisms. No data exfiltration or financial losses were publicly attributed to the Redbanc incident, though the compromise highlighted ongoing risks to financial sector networks from state-aligned threat actors employing tailored social engineering tactics.

Sources: 1 source (available to members)