Symantec’s researchers have uncovered a potential link between the WannaCry ransomware worm, that hit systems just over a week ago, and code used by the Lazarus Group, the hackers that attacked Sony in 2015 and $81M theft from the Bangladesh Central Bank and are believed to be based in North Korea.
These are the links Symantec has identified:
- Trojan.Volgmer and two variants of Backdoor.Destover, the disk-wiping tool used in the Sony Pictures attacks.
- Trojan.Alphanc, which was used to spread WannaCry in the March and April attacks, is a modified version of Backdoor.Duuzer, which has previously been linked to Lazarus.
- Trojan.Bravonc used the same IP addresses for command and control as Backdoor.Duuzer and Backdoor.Destover, both of which have been linked to Lazarus.
- Backdoor.Bravonc has similar code obfuscation as WannaCry and Infostealer.Fakepude (which has been linked to Lazarus
- There is shared code between WannaCry and Backdoor.Contopee, which has previously been linked to Lazarus.
Symantec’s blog article goes into detail into how WannaCry works and how different attacks are connected.