The money was stolen through fraudulent SWIFT transactions, though the SWIFT system itself was not compromised, and malware (Trojan.BanSwift) was used to cover the attackers’ tracks.
| TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| IP:Port | Timestamp |
|---|
| Domain | Timestamp |
|---|
| URL | Timestamp |
|---|
Tool: BanSwift
Names: BanSwift
Description: The money was stolen through fraudulent SWIFT transactions, though the SWIFT system itself was not compromised, and malware (Trojan.BanSwift) was used to cover the attackers’ tracks.
Category: Malware
Type: SWIFT malware
Information: https://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c
Information: https://www.anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks
Information: https://baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html
Last-card-change: 2020-05-25
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
| TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |