Antivirus vendor Symantec has uncovered new attacks on SWIFT users involving malware that hides records of SWIFT messages relating to fraudulent transactions.
The customers of the SWIFT cooperative for financial messaging and related systems are facing a new set of cyber-attacks, a month after SWIFT unveiled an effort to make cyber protections mandatory.
The new attack on SWIFT clients was discovered by anti-virus/anti-malware vendor Symantec, which identifies the culprit as the “Odinaff group.” Such attacks, while challenging to carry out, “can be highly lucrative,” yielding hundreds of millions of dollars via deception and aggressive invasions of networks and systems, according to Symantec.
The SWIFT network has not been attacked, according to Symantec.
In response to questions from FTF News, SWIFT officials declined to comment on specific groups but did provide a statement.
“SWIFT is aware of this MO and the related details published in the blog,” according to the statement. “We published related Indicators of Compromise (IOCs) and a practical example of the MO for our community earlier this summer. This work forms part of SWIFT’s information sharing initiative which has grown significantly since its launch, and which includes detailed intelligence and analysis on the modus operandi of attackers in customer fraud cases.”
Earlier this month, SWIFT underscored its commitment to cyber-security protections at its SIBOS conference in Geneva with a set of core security standards and an associated assurance framework that the cooperative is making mandatory for all customers.
Throughout 2016, SWIFT officials have been grappling with a series of cyber-attacks among its members and customers. In February, attackers used SWIFT codes to break into the account of the Bangladesh central bank and, via messages and multiple attempts, broke into the Federal Reserve Bank of New York, which then led to the theft of a hefty sum, according to official confirmations and media reports. The hackers in this instance did encounter some barriers, but ultimately $100 million was stolen from the Bangladesh central bank account.
“Since January 2016, discreet campaigns involving malware called Trojan.Odinaff have targeted a number of financial organizations worldwide,” according to Symantec. “These attacks appear to be extremely focused on organizations operating in the banking, securities, trading, and payroll sectors. Organizations who provide support services to these industries are also of interest.”
Symantec officials say the threat has similarities to the Carbanak advanced persistent threat (APT) campaign that focused on financial institutions. That threat was uncovered in 2015 by anti-cyber-crime vendor Kaspersky Lab.
“Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network,” according to Symantec. “These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013 — Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.”
These latest attacks have “a large amount of hands-on involvement, with methodical deployment of a range of lightweight back doors and purpose-built tools onto computers of specific interest,” according to Symantec. “There appears to be a heavy investment in the coordination, development, deployment, and operation of these tools during the attacks. Custom malware tools, purpose built for stealthy communications (Backdoor.Batel), network discovery, credential stealing, and monitoring of employee activity are deployed.”
SWIFT users have to be on the lookout.
“The tools used are designed to monitor customers’ local message logs for keywords relating to certain transactions,” according to Symantec. “They will then move these logs out of customers’ local SWIFT software environment. We have no indication that the SWIFT network was itself compromised.”
“These ‘suppressor’ components are tiny executables written in C, which monitor certain folders for files that contain specific text strings. Among the strings seen by Symantec are references to dates and specific International Bank Account Numbers (IBANs),” Symantec officials say. “The folder structure in these systems seems to be largely user defined and proprietary, meaning each executable appears to be clearly tailored for a target system.”
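A defender-side way to spot the suppressor behaviour described above, as an added example that is not Symantec's or SWIFT's code: it scans a file-event trail for message logs that are removed from the local log folder shortly after creation by a process outside an allowlist, which catches the pattern regardless of which dates or IBANs the attacker keyed on. The folder path, process names and the sample events are constructed placeholders, not values from the report.

```python
"""Flag SWIFT message log files removed soon after creation by an unexpected process.

Added example, not code from Symantec or SWIFT. The watched folder, the process
allowlist and the event trail below are constructed placeholders.
"""
from datetime import datetime, timedelta

WATCHED_DIR = r"C:\SWIFT\msglogs"                     # assumed placeholder path
ALLOWED_PROCS = {"swiftalliance.exe", "logrotate.exe"}  # assumed placeholder names
MAX_GAP = timedelta(seconds=120)                       # removal this soon after creation is suspect

# Constructed sample events: (timestamp, action, path, process)
EVENTS = [
    ("2016-10-11T09:00:01", "create", r"C:\SWIFT\msglogs\MT103_20161011_0001.log", "swiftalliance.exe"),
    ("2016-10-11T09:00:04", "delete", r"C:\SWIFT\msglogs\MT103_20161011_0001.log", "unk32.exe"),
    ("2016-10-11T09:05:00", "create", r"C:\SWIFT\msglogs\MT103_20161011_0002.log", "swiftalliance.exe"),
    ("2016-10-11T09:10:00", "create", r"C:\Temp\notes.txt", "notepad.exe"),
    ("2016-10-11T09:10:05", "delete", r"C:\Temp\notes.txt", "cmd.exe"),
    ("2016-10-11T23:59:00", "delete", r"C:\SWIFT\msglogs\MT103_20161011_0002.log", "logrotate.exe"),
]


def parse_event(ev):
    """Normalise one event tuple: ISO timestamp to datetime, names to lower case."""
    ts, action, path, proc = ev
    return datetime.fromisoformat(ts), action.lower(), path, proc.lower()


def find_suppressed_logs(events, watched_dir=WATCHED_DIR, allowed=ALLOWED_PROCS, max_gap=MAX_GAP):
    """Return one alert per log file in watched_dir that was deleted or moved
    within max_gap of its creation by a process not in the allowlist."""
    prefix = watched_dir.lower().rstrip("\\") + "\\"
    created = {}   # path -> creation time of files still present
    alerts = []
    for ts, action, path, proc in sorted(map(parse_event, events)):
        if not path.lower().startswith(prefix):
            continue                       # outside the SWIFT message log folder
        if action == "create":
            created[path] = ts
        elif action in ("delete", "move"):
            born = created.pop(path, None)
            if born is None:
                continue                   # no creation seen; nothing to compare against
            if proc not in allowed and ts - born <= max_gap:
                alerts.append({"path": path, "process": proc,
                               "seconds_after_create": (ts - born).total_seconds()})
    return alerts


if __name__ == "__main__":
    for a in find_suppressed_logs(EVENTS):
        print(f"ALERT: {a['path']} removed by {a['process']} {a['seconds_after_create']:.0f}s after creation")
```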
A file found along with the suppressor was “a small disk wiper which overwrites the first 512 bytes of the hard drive,” Symantec reports. “This area contains the Master Boot Record (MBR) which is required for the drive to be accessible without special tools. We believe this tool is used to cover the attackers’ tracks when they abandon the system and/or to thwart investigations.”
The new Odinaff attacks appear to be “an example of another group believed to be involved in this kind of activity, following the Bangladesh central bank heist linked to the Lazarus group,” Symantec officials say. “There are no apparent links between Odinaff’s attacks and the attacks on banks’ SWIFT environments attributed to Lazarus and the SWIFT-related malware used by the Odinaff group bears no resemblance to Trojan.Banswift, the malware used in the Lazarus-linked attacks.”
The Odinaff Trojan attacks represent the growing risk of attack upon financial services firms, according to Symantec.
“Over the past number of years, cybercriminals have begun to display a deep understanding of the internal financial systems used by banks,” Symantec officials say. “They have learned that banks employ a diverse range of systems and have invested time in finding out how they work and how employees operate them. When coupled with the high level of technical expertise available to some groups, these groups now pose a significant threat to any organization they target.”
More information about the attack is available from Symantec.