Bangladesh Bank hackers compromised SWIFT software with bespoke malware

Bit by bit, indications about how the attackers who targeted Bangladesh’s central bank managed to take off with some $80 milllion (of the nearly $1 billion they aimed for) via fraudulent transfers are coming to light.

First it was established that second-hand, cheap networking equipment that collects next to no network data, and the lack of a firewall between the bank’s SWIFT facility and the rest of the network, helped the attackers pull off the heist.

Today BAE Systems’ security researcher Sergei Shevchenko revealed that they have found and analyzed custom malware that compromised SWIFT software and which they believe was used in the attack.

The malware

The malware was found on online malware repositories (according to Mikko Hypponen, on VirusTotal), and has been submitted by a user in Bangladesh – possibly even by the attackers trying to see whether it will trigger detection by security solutions.

The researchers found several malware samples, which they believe were created by the same persons.

One of these, a component that interacts with SWIFT software, is installed on a server running SWIFT’s Alliance software suite (powered by an Oracle database), and makes the application believe a failed validation check (e.g. authorization success check) was actually successful.

It does so by changing just two bytes in a DLL file that is responsible for starting the database and reading database paths from registry. This modification allows the malware to execute database transactions within the victim network.

The malware then starts inspecing SWIFT messages for specific strings.

“From these messages, the malware can extract fields such as transfer references and SWIFT addresses to interact with the system database. These details are then used to delete specific transactions, or update transaction amounts appearing in balance reporting messages based on the amount of Convertible Currency available in specific accounts,” Shevchenko explained.

“This functionality runs in a loop until 6am on 6th February 2016. This is significant given the transfers are believed to have occurred in the two days prior to this date. The tool was custom made for this job, and shows a significant level of knowledge of SWIFT Alliance Access software as well as good malware coding skills.”

Finally, the malware also modifies the transaction confirmations that are sent to the printer in order to make fraudulent transactions seem “normal”.

The researchers still don’t know how it was installed on the servers, and how the attackers sent the fraudulent transfers in the first place, but they seem certain that the malware was written bespoke for attacking a specific victim infrastructure, and that with some changes it can be used to target those of other victims in the future.

“All financial institutions who run SWIFT Alliance Access and similar systems should be seriously reviewing their security now to make sure they too are not exposed,” Shevchenko advised.

Reaction from SWIFT

SWIFT announced today that they are aware of a malware that aims to reduce financial institutions’ abilities to evidence fraudulent transactions on their local systems, and stated that the malware has no impact on SWIFT’s network or core messaging services.

“We have developed a facility to assist customers in enhancing their security and to spot inconsistencies in their local database records, however the key defence against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems – in particular those used to access SWIFT – against such potential security threats,” they noted. “Such protections should be implemented by users to prevent the injection of malware into, or any misappropriation of, their interfaces and other core systems.

SWIFT spokeswoman Natasha Deteran also told Reuters that they will be releasing today a software update to thwart the malware.