Security researchers have uncovered evidence that there is a second group of attackers who have been targeting banks in the SWIFT network, using a new Trojan that hides SWIFT message records and overwrites the master boot record of some hard drives.
The newly discovered group is using a piece of malware known as Odinaff, which researchers at Symantec say has been used to target many financial institutions in recent months. Odinaff is typically used as the first stage in multi-stage attacks on target networks, and Symantec said it bears the mark of the Carbanak gang, a team that is responsible for hundreds of millions of dollars in losses at banks in the last couple of years.
“These attacks require a large amount of hands on involvement, with methodical deployment of a range of lightweight back doors and purpose built tools onto computers of specific interest. There appears to be a heavy investment in the coordination, development, deployment, and operation of these tools during the attacks. Custom malware tools, purpose built for stealthy communications (Backdoor.Batel), network discovery, credential stealing, and monitoring of employee activity are deployed,” Symantec researchers said in an analysis of the Odinaff attacks.
Once on a target network, the Odinaff attackers employ several small hacking tools as well as some legitimate software, such as Mimikatz and PsExec, to perform discrete tasks. Symantec researchers said the group using Odinaff has been seen targeting users of the SWIFT global financial messaging network. Banks and other financial institutions use SWIFT to exchange messages about transactions. Symantec said the attackers are using Odinaff components to hide evidence of fraudulent transactions.
“The tools used are designed to monitor customers’ local message logs for keywords relating to certain transactions. They will then move these logs out of customers’ local SWIFT software environment. We have no indication that SWIFT network was itself compromised. These ‘suppressor’ components are tiny executables written in C, which monitor certain folders for files that contain specific text strings,” Symantec’s analysis said.
“The folder structure in these systems seems to be largely user defined and proprietary, meaning each executable appears to be clearly tailored for a target system.”
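One way a defender can notice logs being moved out of a message-log folder, as the analysis describes, is to compare the folder against a hash manifest kept on a separate host. The following is an added example, not code from Symantec or SWIFT; the folder names, file names and the write-once assumption are hypothetical.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def audit(baseline, log_dir, search_roots=()):
    """Compare log_dir with a baseline manifest kept off the monitored host.
    Assumes write-once logs; missing files are searched for by hash."""
    current = snapshot(log_dir)
    findings = {"missing": [], "modified": [], "relocated": {}}
    for rel, digest in sorted(baseline.items()):
        if rel not in current:
            findings["missing"].append(rel)
        elif current[rel] != digest:
            findings["modified"].append(rel)
    wanted = {baseline[rel]: rel for rel in findings["missing"]}
    for root in search_roots:
        for rel, digest in snapshot(root).items():
            if digest in wanted:
                findings["relocated"][wanted[digest]] = os.path.join(root, rel)
    return findings

def demo():
    """Constructed scenario: one log is moved out of the monitored folder."""
    with tempfile.TemporaryDirectory() as tmp:
        logs = os.path.join(tmp, "msglogs")    # hypothetical folder names
        other = os.path.join(tmp, "other")
        os.makedirs(logs)
        os.makedirs(other)
        for name, body in [("0001.log", b"constructed record A"),
                           ("0002.log", b"constructed record B")]:
            with open(os.path.join(logs, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(logs)              # taken before the tampering
        os.rename(os.path.join(logs, "0002.log"), os.path.join(other, "x.tmp"))
        return audit(baseline, logs, [other])

if __name__ == "__main__":
    print(demo())
```

Because the relocated copy is matched by content hash, a renamed file is still tied back to the log it came from.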
Organizations that use the SWIFT network have been victims of a number of large-scale attacks this year, including one on the Bank of Bangladesh that included $81 million in fraudulent transactions. SWIFT, which is owned by its member institutions, has tightened its security rules as a result of the attacks, but attackers still are finding ways to compromise users. Symantec researchers said the recent Odinaff attacks do not appear to be linked to the earlier SWIFT attacks.
“These Odinaff attacks are an example of another group believed to be involved in this kind of activity, following the Bangladesh central bank heist linked to the Lazarus group. There are no apparent links between Odinaff’s attacks and the attacks on banks’ SWIFT environments attributed to Lazarus and the SWIFT-related malware used by the Odinaff group bears no resemblance to Trojan.Banswift, the malware used in the Lazarus-linked attacks,” Symantec said.