SWIFT, the organization that provides banks with a secure network for sending and receiving information about financial transactions, has sent out a warning about a malware attack against another bank. It says its customers are facing “a highly adaptive campaign targeting banks’ payment endpoints.”
In the earlier case – the heist at Bangladesh’s central bank – the attackers compromised the bank’s environment, obtained valid operator credentials that allowed them to submit fraudulent SWIFT messages, and hid evidence by removing some of the traces of those messages.
“In this new case we have now learnt that a piece of malware was used to target the PDF reader application used by the customer to read user generated PDF reports of payment confirmations,” the organization explained.
“Once installed on an infected local machine, the Trojan PDF reader gains an icon and file description that matches legitimate software. When opening PDF files containing local reports of customer specific SWIFT confirmation messages, the Trojan will manipulate the PDF reports to remove traces of the fraudulent instructions.”
SWIFT was careful to note that the malware cannot create new or modify outgoing messages, and does not affect SWIFT’s network, interface software or core messaging services.
“In both instances, the attackers have exploited vulnerabilities in banks’ funds transfer initiation environments, prior to messages being sent over SWIFT,” they pointed out. “The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both.”
SWIFT did not identify the victim of this latest attack, nor did it say whether the attack was ultimately successful.
But Sergei Shevchenko and Adrian Nish, two BAE Systems researchers who are analyzing the malware, revealed that the financial institution that has been hit is a commercial bank in Vietnam.
What’s more, their analysis of the malware used in both attacks revealed that:
- The malware was custom-made in both cases
- It sported unique “file-wipe-out” and “file-delete” functions that are identical or only minimally modified between the two samples
- The malware exhibits the same unique characteristics, such as mutex names and encryption keys, as other tools from a larger toolkit described in US-CERT Alert TA14-353A – the alert that is widely believed to describe the 2014 attack against Sony Pictures Entertainment.
- It contains some of the same typos, and exhibits evidence of being developed in the same environment.
“The overlaps between these samples provide strong links for the same coder being behind the recent bank heist cases and a wider known campaign stretching back almost a decade,” they pointed out.
“It is possible that this particular file-delete function exists as shared code, distributed between multiple coders who look to achieve similar results. However, we have noted that this code isn’t publicly available or present in any other software after searching through tens of millions of files. The unique decision to move and rename the file before deletion after overwriting is unusual, and not a common step we would expect to see when implementing this capability.”
They admit it is possible that different coders were involved and tried to make it look as if they were one and the same, but they consider that unlikely.
“Who the coder is, who they work for, and what their motivation is for conducting these attacks cannot be determined from the digital evidence alone,” they say, and hope that further investigation of command infrastructure and related tools will give more definitive answers.
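To make the three-step sequence the researchers describe (overwrite the file, move/rename it, then delete it) concrete, the following is an added example written for this page; it is not code from the article, from SWIFT or from BAE Systems, and it reproduces nothing from the malware samples. All function names and the sample “report” are the editor’s own constructions. The comment about why renaming matters is the editor’s explanation, not a claim the researchers made.

```python
"""
Added example: a minimal re-implementation of the overwrite -> rename -> delete
file-wipe pattern, so the sequence the BAE researchers flagged is concrete.
Every identifier and the sample data below are constructed for this page.
"""
import os
import secrets
import tempfile
from pathlib import Path

# Constructed stand-in for a locally generated confirmation report (not real data).
SAMPLE_REPORT = b"%PDF-1.4 constructed sample confirmation report\n" * 100


def overwrite_in_place(path: Path, fill: int = 0x00, chunk: int = 64 * 1024) -> int:
    """Overwrite every byte of `path` with the byte value `fill`, keeping its length.

    Opening with "r+b" (not "wb") keeps the existing inode / MFT record and
    rewrites the file's own data blocks rather than allocating new ones.
    Returns the number of bytes written.
    """
    size = path.stat().st_size
    written = 0
    with path.open("r+b") as fh:
        while written < size:
            n = min(chunk, size - written)
            fh.write(bytes([fill]) * n)
            written += n
        fh.flush()
        os.fsync(fh.fileno())
    return written


def rename_to_random(path: Path) -> Path:
    """Move the file to a random name in the same directory.

    Editor's note (assumption about the attackers' intent): a plain delete
    typically leaves the old file name in directory metadata, so renaming
    first also destroys the name a forensic examiner would otherwise recover.
    """
    new_path = path.with_name(secrets.token_hex(8))
    path.rename(new_path)
    return new_path


def wipe_file(path: Path) -> dict:
    """Overwrite, rename, then delete; return a record of what happened."""
    path = Path(path)
    bytes_overwritten = overwrite_in_place(path)
    renamed = rename_to_random(path)
    renamed.unlink()
    return {
        "original": str(path),
        "renamed_to": str(renamed),
        "bytes_overwritten": bytes_overwritten,
        "original_exists": path.exists(),
        "renamed_exists": renamed.exists(),
    }


def overwrite_demo(size: int = 1000) -> tuple:
    """Create a throwaway file, overwrite it, and report (bytes written, all zero?)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "scratch.bin"
        target.write_bytes(secrets.token_bytes(size))
        written = overwrite_in_place(target)
        data = target.read_bytes()
        return written, data == b"\x00" * size


def demo() -> dict:
    """Create a throwaway 'report', wipe it with the full sequence, return the record."""
    with tempfile.TemporaryDirectory() as tmp:
        report = Path(tmp) / "confirmation_report.pdf"
        report.write_bytes(SAMPLE_REPORT)
        return wipe_file(report)


if __name__ == "__main__":
    print(overwrite_demo())
    print(demo())
```

Run it directly and the second line printed shows the original name, the random name it was moved to, and that neither path survives; the first shows that the in-place overwrite really replaced the file's bytes before the rename and delete.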
In the meantime, SWIFT urged its customers to review the controls in their payments environments across all of their messaging, payments and e-banking channels and, if they have been attacked, to share the information they have with SWIFT and the authorities.
“While it is certainly interesting to see that the same code base is used in two and possibly more attacks as widely different as the Sony hack and the Bangladesh bank heist, it is perhaps too early to draw definitive links between them,” Chenxi Wang, chief strategy officer with Twistlock, commented on BAE Systems’ findings.
“It is commonplace for malware writers to sell their products, often packaged in a polymorphic way, to multiple criminal groups. It is therefore not surprising at all to see similar code or attack antics appearing in separate hacks. There is a thriving underground economy that links a small pool of malware writers to many criminal organizations, which allows their products to inflict widely spread damage. While we shore up cybersecurity defenses at various organizations, we cannot forget that there is absolutely the need to disrupt and disable such underground trading to get to the root of the problem.”