SWIFT: New attacks, Bangladesh's robbery is linked to Sony's hack

SWIFT, the organization that is supposed to provide banks with a secure network for sending and receiving financial transaction information, has issued a warning about malware attacking another bank. It believes that its customers are facing "a highly adaptive campaign that ultimately targets banks' payment points."

In the previous case, the Bangladesh central bank robbery, the attackers obtained valid administrator credentials, which allowed them to submit fraudulent SWIFT messages and then hide the evidence to cover the tracks of those messages.

"In this new case we saw that malware was used to target the PDF reader application used by the customer to read the payment confirmation PDFs," the company said.

"Once installed on an infected local machine, the PDF reader Trojan creates an icon and a description file that match those of the legitimate software. When a PDF file containing SWIFT confirmation messages is opened, the Trojan starts changing the PDF by removing any traces that indicate it has been tampered with."

The company reports that the malicious software cannot create new outgoing messages or modify existing ones, and does not affect the SWIFT network, the interface software or the messaging services it provides.

"In both cases, the attackers exploit the vulnerabilities that exist in the banks' environments at the beginning of the funds transfer, before sending the messages through SWIFT," they stressed.

"The attackers clearly show a deep and specialized knowledge of the special operational controls in the context of targeted attacks on banks. Knowledge that may have been acquired by malicious insiders (and of course means some insiders, aka bank staff) or previous cyber attacks, or a combination of both."

SWIFT did not identify the victim of the latest attack and did not say whether the attack was ultimately successful.

Sergei Shevchenko and Adrian Nish, two BAE Systems researchers analyzing the malware, revealed that the financial institution that was hit is a commercial bank in Vietnam.

From their analysis of the malicious software used in both attacks, they discovered that:

  • The malware was custom-made in both cases.
  • Both samples contained "file-wipe-out" and "file-delete" functions that were identical or only slightly modified.
  • The malicious software shares the same unique features (mutex names, encryption keys, and other tools) with a larger toolset described in US-CERT warning TA14-353A, the 2014 alert that described the attack on Sony Entertainment.
  • It contains some of the same mistakes, and shows elements developed in the same environment.

"The overlaps between these samples provide strong links to the same coder behind the recent bank robbery cases and a more widely known campaign that goes back almost a decade."

"It is possible that this particular file-deletion function exists as shared code, used by many developers seeking to achieve similar results. However, we have seen that this code is not public and is not contained in any other software, having searched tens of millions of files."

Meanwhile, SWIFT has called on its clients to review the controls in their payment environments across all their messaging, payment and eBanking channels and, if they have been attacked, to share the relevant information with SWIFT.


Written by giorgos