The YamaBot malware was created by the group known as Lazarus, which has been responsible for a series of high-profile cyber-attacks, according to a report published by JPCERT/CC.
Lazarus has been active since at least 2009, originating from either North Korea or China. It is believed that Lazarus was behind the Sony Pictures attack in 2014 and the WannaCry ransomware attack that occurred in May of this year.
The group used its custom malware for DDoS attacks on South Korean infrastructure in 2013 and 2017; stole $81 million from Bangladesh Bank; stole $20 million from Taiwanese banks; and attempted to steal $1 billion from a European bank.
YamaBot Malware Used by Lazarus
The group also targeted the SWIFT network in 2016. It was discovered that the group had gained access to the SWIFT Alliance Access (SAA) application installed on an ATM belonging to a bank in Bangladesh. As a result, $81 million was stolen from Bangladesh Bank.
The October 2017 attack on SWIFT was reported at the same time as an attack on another bank, but the source of that attack has not yet been revealed.
YamaBot was first noticed in 2016 when it was used to send out large amounts of spam. It then became focused on attacking financial institutions and stealing information from them.
According to the JPCERT/CC report, YamaBot is a multi-faceted malware package that steals cryptocurrency (primarily Bitcoin), hijacks web browsers, and allows attackers to use social engineering tactics to gain access to computers. Found on both networks and file servers, YamaBot has been seen targeting older versions of Windows, which are often found running on computers not connected to the internet.