SWIFT, the organization that is supposed to provide banks with a secure network for sending and receiving financial transaction information, has sent out a warning about a malware attack against another bank. It believes that its customers face "a highly adaptive campaign that ultimately targets bank payment points."
In the previous case, the theft from the central bank of Bangladesh, the attackers obtained valid administrator credentials, which allowed them to submit fake SWIFT messages and then hide the evidence to cover the tracks of those fake messages.
"In this new case we saw that malicious software was used to target the PDF reader application used by the customer to read payment confirmation PDFs," the company states.
"Once installed on an infected local machine, the PDF reader Trojan creates an icon and a description file that match those of the legitimate software. When a PDF file containing SWIFT confirmation messages is opened, the Trojan starts modifying the PDF, removing any traces that would indicate it has been tampered with."
The company reports that the malware cannot create new outgoing messages or modify existing ones, and does not affect the SWIFT network, the interface software or the messaging services provided.
"In both cases, attackers take advantage of vulnerabilities that exist in banks' funds transfer initiation environments, before the messages are sent through SWIFT," they pointed out.
"The attackers clearly show a deep and specialized knowledge of the specific operational controls in the context of targeted attacks on banks. Knowledge that may have been acquired from malicious insiders (which of course means some insiders, i.e. bank staff) or previous cyber attacks, or a combination of both."
SWIFT did not identify the victim of this latest attack and did not say whether the attack was ultimately successful.
Sergei Shevchenko and Adrian Nish, two BAE Systems researchers who analyzed the malware, revealed that the financial institution that was hit is a commercial bank in Vietnam.
Through their analysis of the malicious software used in both attacks, they discovered that:
- The malware was custom-made in both cases.
- Both samples contained "file-wipe-out" and "file-delete" functions that were identical or only slightly modified.
- The malware shares unique characteristics, such as mutex names, encryption keys and other features, with a larger toolset described in US-CERT alert TA14-353A, the 2014 alert that described the attack on Sony Entertainment.
- It contains some of the same mistakes and shows elements developed in the same environment.
"The overlaps between these samples provide strong links to the same coder being behind the recent bank heist cases and a more widely known campaign that goes back almost a decade."
"It is possible that this particular file-deletion function is shared code, used by many developers looking to achieve similar results. However, having searched tens of millions of files, we have not seen this code publicly available or contained in any other software."
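The attribution reasoning above rests on comparing features extracted from two samples: exact indicators that should not coincide by chance (mutex names, encryption keys) and a near-identical file-wipe routine. The following is an added illustration of that kind of overlap analysis, written for this page; it is not BAE Systems' or SWIFT's code. All sample names, mutex strings, keys and routine token sequences are constructed placeholders, not indicators from the real malware.

```python
"""Link malware samples by shared indicators plus near-duplicate routines.

Constructed example: the feature sets below are placeholders an analyst would
normally extract from real samples (strings, config, disassembly).
"""
import difflib
from dataclasses import dataclass


@dataclass
class SampleProfile:
    """Features extracted from one sample (all values here are constructed)."""
    name: str
    mutexes: set            # mutex names created at runtime
    keys: set               # embedded encryption keys
    wipe_routine: list      # normalized token sequence of the file-wipe function


def shared_indicators(a: SampleProfile, b: SampleProfile) -> dict:
    """Exact-match overlap of rare artefacts (mutexes, keys) between two samples."""
    return {"mutexes": a.mutexes & b.mutexes, "keys": a.keys & b.keys}


def routine_similarity(a: SampleProfile, b: SampleProfile) -> float:
    """Similarity (0..1) of the wipe routines; tolerates small edits between versions."""
    return difflib.SequenceMatcher(None, a.wipe_routine, b.wipe_routine).ratio()


def link_samples(a: SampleProfile, b: SampleProfile, threshold: float = 0.9) -> dict:
    """Report whether two samples are plausibly linked: at least one rare shared
    indicator AND a wipe routine that is identical or only slightly modified."""
    ind = shared_indicators(a, b)
    sim = routine_similarity(a, b)
    linked = bool(ind["mutexes"] or ind["keys"]) and sim >= threshold
    return {
        "shared_mutexes": sorted(ind["mutexes"]),
        "shared_keys": sorted(ind["keys"]),
        "routine_similarity": round(sim, 3),
        "linked": linked,
    }


# Constructed profiles (placeholder values, not real IoCs).
BANK_A = SampleProfile(
    name="sample_bank_A",
    mutexes={r"Global\PLACEHOLDER_MUTEX_1"},
    keys={"PLACEHOLDER_KEY_A"},
    wipe_routine=["open", "seek_end", "get_size", "write_pattern",
                  "write_pattern", "flush", "close", "delete"],
)
BANK_B = SampleProfile(
    name="sample_bank_B",
    mutexes={r"Global\PLACEHOLDER_MUTEX_1", r"Global\PLACEHOLDER_MUTEX_2"},
    keys={"PLACEHOLDER_KEY_A"},
    # Same routine with one extra step inserted: "slightly modified".
    wipe_routine=["open", "seek_end", "get_size", "write_pattern",
                  "write_random", "write_pattern", "flush", "close", "delete"],
)
UNRELATED = SampleProfile(
    name="sample_unrelated",
    mutexes={r"Global\OTHER_MUTEX"},
    keys={"OTHER_KEY"},
    wipe_routine=["create_file", "write", "close"],
)

if __name__ == "__main__":
    print(link_samples(BANK_A, BANK_B))     # linked: shared mutex, key, ~0.94 routine match
    print(link_samples(BANK_A, UNRELATED))  # not linked
```

The threshold is deliberately strict: a shared mutex alone is weak evidence, because mutex strings can be copied from public code, which is why the quoted analysts stress that the wipe routine itself was not found in any other software.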
Meanwhile, SWIFT has called on its customers to review the controls in their payment environments across all their messaging, payment and e-banking channels and, if they have been attacked, to share that information with SWIFT.