SEARCH FINANCIAL SERVICES INFRASTRUCTURE SECURITY SCIENCE INTERVIEWS

 

     

Attackers target dozens of global banks with new malware

By Symantec Team

February 14, 2017

Watering hole attacks attempt to infect more than 100 organizations in 31 different countries.

Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016. The attackers used compromised websites or “watering holes” to infect pre-selected targets with previously unknown malware. There has been no evidence found yet that funds have been stolen from any infected banks.

The attacks came to light when a bank in Poland discovered previously unknown malware running on a number of its computers. The bank then shared indicators of compromise (IOCs) with other institutions and a number of other institutions confirmed that they too had been compromised.

As reported, the source of the attack appears to have been the website of the Polish financial regulator. The attackers compromised the website to redirect visitors to an exploit kit which attempted to install malware on selected targets.

Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland.

Custom exploit kit

The attackers appear to be using compromised websites to redirect visitors to a customized exploit kit, which is preconfigured to only infect visitors from approximately 150 different IP addresses. These IP addresses belong to 104 different organizations located in 31 different countries. The vast majority of these organizations are banks, with a small number of telecoms and internet firms also on the list.

434-Fig1 Top Countries Targeted.png

Figure 1. Countries in which three or more organizations were targeted by attackers

Links to Lazarus?

The malware used in the attacks (Downloader.Ratankba) was previously unidentified, although it was detected by Symantec under generic detection signatures, which are designed to block any files seen to engage in malicious activities.

Analysis of the malware is still underway. Some code strings seen in the malware used shares commonalities with code from malware used by the threat group known as Lazarus.

Ratankba was observed contacting eye-watch[.]in for command and control (C&C) communications. Ratankba was then observed downloading a Hacktool. This Hacktool shows distinctive characteristics shared with malware previously associated with Lazarus. 

434-Fig2 New Sample.png

Figure 2. Code strings seen in sample of Hacktool used in recent attacks

434-Fig3 Old Sample.png

Figure 3. Code strings seen in sample of Hacktool previously associated with Lazarus

Lazarus has been linked to a string of aggressive attacks since 2009, largely focused on targets in the US and South Korea. Lazarus has been involved in high level financial attacks before and some of the tools used in the Bangladesh bank heist shared code similarities with malware used in historic attacks linked to the group.

Further investigation of these attacks is underway and, over time, more evidence may emerge about the identity and motives of the attackers. After a series of high profile attacks on banks during 2016, this latest incident provides a timely reminder of the growing range of threats facing financial institutions.

 

Malware used in watering hole attacks on Polish banks has tentative links to #Lazarus groupClick to Tweet

 

Protection

Symantec and Norton products protect against these attacks with the following detections:

IOCs

The follow are indicators of compromise related to these attacks.

Command and control infrastructure

  • eye-watch[.]in
  • sap.misapor[.]ch

Downloader.Ratankba

MD5                                                                     

  • 1f7897b041a812f96f1925138ea38c46
  • 911de8d67af652a87415f8c0a30688b2
  • 1507e7a741367745425e0530e23768e6
  • cb52c013f7af0219d45953bae663c9a2
  • 18a451d70f96a1335623b385f0993bcc

SHA256

  • 99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d
  • 825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc
  • 200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22
  • 95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2
  • 7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836

Hacktool

MD5                                                                     

  • 3af4e21bbbeb846ca295143e03ec0054   

SHA256

  • efa57ca7aa5f42578ab83c9d510393fcf4e981a3eb422197973c65b7415863e7

Backdoor.Destover

MD5                                                                     

  • 7fe80cee04003fed91c02e3a372f4b01

SHA256

  • 4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b

Terms of Use | Copyright © 2002 - 2017 CONSTITUENTWORKS SM  CORPORATION. All rights reserved. | Privacy Statement