SWIFT, the organization that provides banks with a secure network for sending and receiving financial transaction messages, has issued a warning about malware used in an attack on a second bank. It believes its customers are facing "a highly adaptive campaign that ultimately targets banks' payment endpoints."
In the previous case, the robbery at Bangladesh's central bank, the attackers obtained valid administrator credentials, which allowed them to submit fraudulent SWIFT messages and then hide the evidence to cover the traces of those messages.
"In this new case we have seen that malware was used to target the PDF reader application used by the customer to read payment confirmation PDFs," the company says.
"Once installed on an infected local machine, the trojanised PDF reader creates an icon and a description file that match those of the legitimate software. When a PDF file containing SWIFT confirmation messages is opened, the Trojan starts altering the PDF, removing any traces that would indicate it has been tampered with."
The company reports that the malware cannot create new outgoing messages or modify existing ones, and that it does not affect the SWIFT network, the interface software, or the messaging services SWIFT provides. What it attacks is the bank's own review step: the confirmation reports that staff read to reconcile what was actually sent.
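The tampering described above works because the only copy of the confirmation report the bank staff see is the one rendered by the compromised reader. A simple countermeasure is to hash every confirmation PDF at the moment it arrives, from a process the reader cannot influence, and to hash the reader binary against a known-good value, then re-check both later. The following is an added example written for this page, not code from SWIFT, BAE Systems or the affected bank; the file names, the placeholder "reader" binary and the report contents are constructed, and the simulated Trojan behaviour is a stand-in for what the warning describes.

```python
"""Arrival-time integrity baseline for SWIFT confirmation reports.

Added example; assumes a hypothetical layout in which confirmation PDFs land in
a spool directory and the PDF reader is a single executable. Hashes are taken
when a report arrives (ideally by the file-transfer gateway, not the review
workstation) and compared again after the report has been opened.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths):
    """Record the arrival-time hash of each confirmation report."""
    return {p: sha256_file(p) for p in paths}


def verify(baseline_hashes, reader_path, reader_known_good):
    """Re-hash the reader binary and every baselined report.

    Returns a list of (path, reason) findings; an empty list means no change.
    """
    findings = []
    if sha256_file(reader_path) != reader_known_good:
        findings.append((reader_path, "reader binary hash mismatch"))
    for p, expected in baseline_hashes.items():
        if not os.path.exists(p):
            findings.append((p, "confirmation report missing"))
        elif sha256_file(p) != expected:
            findings.append((p, "confirmation report modified after arrival"))
    return findings


def simulate():
    """Constructed scenario: reader swapped for a look-alike, one report edited.

    Returns the sorted list of finding reasons so the outcome can be checked.
    """
    with tempfile.TemporaryDirectory() as d:
        reader = os.path.join(d, "pdfreader.exe")
        with open(reader, "wb") as f:
            f.write(b"LEGITIMATE-READER-BINARY-PLACEHOLDER")  # constructed stand-in
        known_good = sha256_file(reader)

        # Constructed report bodies; not real SWIFT output, just distinct lines.
        reports = {
            os.path.join(d, "confirmation_0001.pdf"):
                b"%PDF-1.4\nSTATEMENT\nREF A1 CREDIT 100\nREF B2 DEBIT 500\n%%EOF\n",
            os.path.join(d, "confirmation_0002.pdf"):
                b"%PDF-1.4\nSTATEMENT\nREF C3 CREDIT 20\n%%EOF\n",
        }
        for p, body in reports.items():
            with open(p, "wb") as f:
                f.write(body)
        base = baseline(list(reports))

        # Simulated Trojan behaviour (constructed): replace the reader with a
        # look-alike and strip the line for a fraudulent debit from one report.
        with open(reader, "wb") as f:
            f.write(b"TROJANISED-READER-PLACEHOLDER")
        first = sorted(reports)[0]
        with open(first, "wb") as f:
            f.write(reports[first].replace(b"REF B2 DEBIT 500\n", b""))

        findings = verify(base, reader, known_good)
        return sorted(reason for _, reason in findings)


if __name__ == "__main__":
    for reason in simulate():
        print("ALERT:", reason)
```

The check is only as good as where the baseline is taken: if the same workstation that runs the reader also computes the arrival hashes, the Trojan can rewrite the report before the hash is recorded. Hash at the gateway or on the SWIFT interface host, store the digests somewhere the review workstation cannot write, and reconcile against the bank's own core-banking ledger rather than against the rendered PDF alone.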
"In both cases, the attackers exploit vulnerabilities that exist in the banks' funds-transfer initiation environments," before the messages are sent through SWIFT, "they stressed.
"The attackers clearly show a deep and sophisticated knowledge of specific operational controls within the targeted banks. Knowledge that may have been acquired from malicious insiders (which, of course, means bank staff), or from previous cyber attacks, or a combination of both."
SWIFT did not identify the victim of the latest attack and did not say whether the attack ultimately succeeded.
Sergei Shevchenko and Adrian Nish, two BAE Systems researchers who analyzed the malware, revealed that the financial institution hit is a commercial bank in Vietnam.
From their analysis of the malware used in both attacks, they found that:
- The malware was custom-made in both cases.
- Both samples contained "file-wipe-out" and "file-delete" functions that were identical or only slightly modified.
- The malware shows unique characteristics, such as mutex names and encryption keys, as well as other tooling from the larger toolset described in US-CERT alert TA14-353A, the 2014 alert that described the attack on Sony Pictures Entertainment.
- The samples share some of the same mistakes and show elements developed in the same environment.
"The overlaps between these samples provide strong links to the same coder being behind the recent bank robbery cases and a more widely known campaign that goes back almost a decade."
"It's possible that this particular file-deletion function exists as shared code, used by many developers looking to achieve similar results. However, we have not seen this code publicly available or contained in any other software, having searched tens of millions of files."
Meanwhile, SWIFT has urged its customers to review the controls in their payment environments across all their messaging, payment and e-banking channels and, if they have been attacked, to share the relevant information with SWIFT and the authorities.