Lastline has identified three separate strains of keylogger malware currently targeting the finance sector.
Lastline's analysis of the 100 most recent malware samples found at finance firms uncovered an unusually large number of iSpy keylogger samples. iSpy is a variant of the notorious HawkEye logger, a fully functioning keylogger that sends victims' credentials to a server under the operator's control. By intercepting the samples' communication with their command-and-control server, Lastline observed active exfiltration of website, email and FTP credentials, as well as license keys for installed products.
The analysis also detected sophisticated Emotet and URSNIF keyloggers being delivered via Microsoft Office documents. The two strains share an evasion module that detects dynamic analysis environments (sandboxes), as well as common methods for interfering with financial transactions, including man-in-the-middle network sniffing and hijacking of automated transfers.
Because both strains are modular, criminals have developed and added new features over time, including lateral movement, additional credential theft, and spam capabilities.
“We definitely detected a higher than usual incidence of very sophisticated malware,” commented Andy Norton, Lastline Director of Threat Intelligence. “This is not surprising considering that finance has long been a target for cybercriminals and accordingly has elevated their security capabilities. Because of this, criminals are forced to up their game, which was very clearly seen in these recent samples.”
Findings that highlight the use of more sophisticated malware against the finance sector include:
1. The percentage of total files that Lastline analyzed that were found to be malicious was 47 percent higher than the global data that Lastline reported in its recent Malscape Monitor Report.
2. The share of malware samples that display all four of the key advanced malware behaviors was 20 percent higher than the global average. Those behaviors are: the malware is packed to defeat static analysis, it evades dynamic analysis, it remains stealthy on the host, and it steals credentials.