The McAfee Advanced Threat Research team identified an attempt by the hacking group Hidden Cobra to breach the security of Turkish government-backed financial institutions on March 2 and 3.
While McAfee's policy is not to officially identify nation-state cyber groups as culprits, the report notes that the code of the malware in question closely resembles code used by a hacking operative associated with North Korea.
The hackers used modified malware known as “Bankshot,” which used a recently revealed vulnerability in Adobe Flash. The attackers tried to lure their victims with spear-phishing emails containing an infected Microsoft Word file named Agreement.docx.
Bankshot implants were distributed from a domain whose name resembles that of the cryptocurrency-lending platform Falcon Coin. The malicious domain, falcancoin.io, was created on December 27, 2017, and is not legally associated with the original platform.
Though there have been no reports of stolen money in the attacks, the research team believes the campaign intended to get remote access to the internal systems of the targeted government-controlled financial organizations. The report, however, does not reveal which specific organizations were affected.
The McAfee team also discovered two documents written in Korean, which appear to be part of the same hacking campaign, but were intended for different targets.
Back in December 2017, the U.S. government issued a warning about Bankshot malware, linking it to Hidden Cobra, a group of hackers the U.S. government considers malicious cyber-criminals working for the North Korean government.
North Korea has been repeatedly accused of hacking South Korean cryptocurrency exchanges, as international sanctions against the country have tightened over the past year.