According to ESET telemetry, in the relevant 2021-2022 attacks Lazarus targeted companies in Europe (France, Italy, Germany, the Netherlands, Poland, and Ukraine) and in Latin America (Brazil).
The backdoor includes several cyber-espionage capabilities, such as file exfiltration and gathering information about the targeted computer and its drives. It communicates with its Command & Control (C&C) server via the Tor anonymity network.
What makes the backdoor distinctive is its downloadable modules and their capabilities: one of them contains a custom algorithm designed to recover RES 3700 POS database passwords by decrypting them from Windows registry values. This shows that the backdoor’s authors have deep knowledge of the targeted software and chose this sophisticated method over simpler approaches.
ESET researchers have discovered a surprising number of indicators of close cooperation among Latin American banking trojan authors. Despite the term “Latin American,” some of the trojans have been targeting Spain and Portugal since late last year.
ESET will highlight its top research for 2020 during the VB2020 localhost conference. This year, the Virus Bulletin international conference will go entirely online, thus the name change.