Banks around the world targeted in watering hole attacks

The January attacks against Polish financial institutions through the booby-trapped site of the Polish Financial Supervision Authority are just one piece of a larger puzzle, elements of which are slowly coming to light.

As the indicators of compromise and attack were shared by the affected banks, other institutions around the world found that they have been hit, as well.

The watering hole attacks

Aside from the compromised site of the Polish financial regulator, BAE Systems researchers discovered other “poisoned” watering holes: the website of the National Banking and Stock Commission of Mexico and that of a state-owned bank in Uruguay.

The sites were booby-trapped with code that would trigger the download of malicious JavaScript files from other compromised domains (sap.misapor[.]ch and eye-watch[.]in).

The domains hosted an exploit kit, which leveraged Silverlight and Flash exploits to deliver malware.

According to the researchers’ findings, the site of the Polish Financial Supervision Authority was booby-trapped since at least the beginning of October 2016, but not all visitors were hit.

“When examining the code on the exploit kit website a list of 255 IP address strings was found. The IPs only contained the first 3 octets, and would have been used to filter traffic such that only IPs on that subnet would be delivered the exploit and payload. The IP addresses corresponded to a mix of public and private financial institutions spread across the globe,” BAE Systems researchers shared.

The majority of these institutions are banks in Poland, the US, Mexico, UK, and Chile. Symantec researchers came to (more or less) the same conclusion.

The downloaded malware

“The malware used in the attacks (Downloader.Ratankba) was previously unidentified, although it was detected by Symantec under generic detection signatures,” the company’s researchers noted.

“Ratankba was observed contacting eye-watch[.]in for command and control (C&C) communications. Ratankba was then observed downloading a Hacktool. This Hacktool shows distinctive characteristics shared with malware previously associated with Lazarus.”

Who or what is Lazarus? Lazarus is the name given to a hacking group that has been operating since 2009, targeting institutions and businesses in the US and South Korea.

But, most importantly, there are indications that the group was involved in last year’s compromise of Bangladesh’s central bank, and the 2014 Sony Entertainment attack.

“The technical/forensic evidence to link the Lazarus group actors (who we believe are behind the Bangladesh Bank attack and many others in 2016) to the watering-hole activity is unclear,” BAE Systems researchers added.

“However, the choice of bank supervisor / state-bank websites would be apt, given their previous targeting of Central Banks for Heists – even when it serves little operational benefit for infiltrating the wider banking sector. Nonetheless, further evidence to connect together the pieces of this attack is needed, as well as insights into the end-goal of the culprits,” they concluded.

As a side note, some 140+ banks and other businesses around the world have been recently hit by attackers wielding fileless malware and legitimate tools.