Top 9 Types of Malware Targeting the Financial Industry: August 2020

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.


Malware continued to wreak havoc on the financial industry during the month of August. Below are some of the biggest troublemakers we found last month.

1. Ryuk/Conti

Ryuk was a highly successful ransomware family that showed no preference for any particular industry. Infections attributed to Ryuk include managed service provider T-Systems, financial service provider ASD Audit, healthcare provider CorVel, and Tribune Publishing. Ryuk's success can likely be tied to its selective approach. While a number of malware operations have moved away from indiscriminate email spam campaigns, Ryuk was not merely targeted; it took the customization a step further, with an encryption process tailored to each victim that went after the most valuable files. The ransomware has slowly been fading away since June 2020, with only a few samples seen sparsely in the wild.

Meanwhile, as Ryuk was disappearing over the horizon in June, Conti ransomware was finally starting to make a name for itself. Conti targets corporate networks and adds features for faster and more targeted attacks: up to 32 encryption threads, and command line switches for encrypting only local drives, only network shares, or a manually supplied list of hosts. Its most notable feature, documented by Carbon Black's Threat Analysis Unit, is its use of the Windows Restart Manager to close the processes holding a file open, so that files which would otherwise be locked (and therefore skipped) can be forcibly encrypted.

Many researchers attribute Conti to the same actors behind Ryuk, citing shared code, similar ransom note templates, and the use of the same TrickBot infrastructure. While it is not 100% clear that Conti is Ryuk's successor, submission graphs on ID Ransomware clearly show Conti attacks increasing as Ryuk attacks diminish.

Near the end of August, ZDNet reported that Conti (Ryuk) had recently joined the ranks of ransomware gangs operating leak sites. It has become a mainstream tactic for the major ransomware groups to run so-called "leak sites", where they publish sensitive documents stolen from companies that refuse to pay for decryption.

2. Qakbot

Since its discovery in mid-2009, Qakbot has been continually updated and now has multiple capabilities, including information stealing and loading other malware (ransomware included). Security researchers at Morphisec reported this month that Qakbot had introduced two new techniques:

  • Zipping a Word document to bypass content disarm and reconstruction (CDR) technologies
  • Executing Visual Basic code via Explorer in order to evade parent-child process detection logic
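The second technique is worth a closer look from the detection side. If a macro launches its script by handing the file path to explorer.exe, the script host (wscript.exe) ends up as a child of the desktop shell rather than of WINWORD.EXE, so a rule that only inspects the direct parent of wscript.exe never fires. The example below, written for this article and not code from BlueVoyant or Morphisec, flags the handoff itself (an Office process spawning explorer.exe with a script-file argument) and then correlates any script host that opens the same file shortly afterwards, regardless of its parent. The process-creation events are constructed, Sysmon-style records with hypothetical field names (ts, pid, ppid, image, cmdline); the paths and PIDs in the sample are made up.

```python
"""Detecting the Office -> explorer.exe -> script-host handoff (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# A quoted or unquoted command-line token ending in a Windows Script Host extension.
SCRIPT_RE = re.compile(
    r'"([^"]+\.(?:vbs|vbe|js|jse|wsf|wsh))"|(\S+\.(?:vbs|vbe|js|jse|wsf|wsh))\b',
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    ts: float      # seconds since start of the constructed log
    pid: int
    ppid: int
    image: str     # full image path as logged
    cmdline: str


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_paths(cmdline: str):
    """Lower-cased script file paths referenced on a command line."""
    return {(quoted or bare).lower() for quoted, bare in SCRIPT_RE.findall(cmdline)}


def detect(events: List[ProcEvent], window_s: float = 30.0) -> List[Alert]:
    # Keyed by PID for brevity; production logic should key on ProcessGuid, since PIDs are reused.
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    handoffs: Dict[str, ProcEvent] = {}  # script path -> the explorer.exe launch that referenced it
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        img = basename(ev.image)
        parent = by_pid.get(ev.ppid)
        pimg = basename(parent.image) if parent else ""
        if img in SCRIPT_HOSTS and pimg in OFFICE:
            # Classic rule: Office directly spawning a script host. The explorer hop evades this.
            alerts.append(Alert("office_spawns_script_host", ev.pid, ev.cmdline))
        if img == "explorer.exe" and pimg in OFFICE:
            # The evasion step itself: Office invoking explorer.exe on a script file.
            for path in script_paths(ev.cmdline):
                handoffs[path] = ev
                alerts.append(Alert("office_spawns_explorer_with_script", ev.pid, path))
        if img in SCRIPT_HOSTS:
            # A script host opening a file recently handed to explorer.exe, whatever its parent is.
            for path in script_paths(ev.cmdline):
                h = handoffs.get(path)
                if h is not None and 0 <= ev.ts - h.ts <= window_s:
                    alerts.append(Alert("script_host_via_explorer_handoff", ev.pid, path))
    return alerts


# Constructed sample: the desktop shell (4000), Word (5200) hands ps.vbs to a fresh
# explorer.exe (5300), and wscript.exe (5400) then starts under the shell, not under Word.
SAMPLE = [
    ProcEvent(0.0, 4000, 800, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    ProcEvent(10.0, 5200, 4000, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\bob\Downloads\invoice.docm"'),
    ProcEvent(12.0, 5300, 5200, r"C:\Windows\explorer.exe",
              r"explorer.exe C:\Users\bob\AppData\Local\Temp\ps.vbs"),
    ProcEvent(13.0, 5400, 4000, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\bob\AppData\Local\Temp\ps.vbs"'),
    # Benign noise: a logon script under the shell, and Word opening a folder (no script argument).
    ProcEvent(100.0, 6000, 4000, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Scripts\logon.vbs"),
    ProcEvent(200.0, 6100, 5200, r"C:\Windows\explorer.exe", r"explorer.exe C:\Users\bob\Documents"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(f"{a.rule:40} pid={a.pid} {a.detail}")
```

On the sample the direct parent-child rule never fires; the two alerts come from the handoff rule and the time-windowed path correlation. The window matters because the intermediate explorer.exe usually exits almost immediately, so there is no lasting process-tree link to walk; correlating on the file path is what ties the two events back together.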

Check Point researchers also discovered variants distributed in early August that load an "email collector module", which grabs email threads from the victim's Outlook client and exfiltrates them to a hardcoded remote server. The stolen emails, subject lines and benign attachments are then reused in future malspam campaigns.

In short, Qakbot is a very serious threat that is constantly updated and has now been paired with, and is delivered by, the dangerous Emotet malware.

3. Trickbot (Wizard Spider)

TrickBot is quiet, modular and extremely effective, with polymorphic worm capabilities built in. It is developed by Wizard Spider, the same criminal enterprise that likely runs both the Ryuk and Conti ransomware noted above. Since the beginning of the year TrickBot has continually received new tooling. In April, for instance, it gained a module that lets the banking trojan brute force Microsoft Remote Desktop Protocol (RDP) logins, and a new mobile module that can allow attackers to bypass two-factor authentication (2FA).

Researchers also discovered a twist in TrickBot attacks that tricks users into downloading a malicious Android application, allowing the attackers to bypass 2FA. The app, which researchers dubbed "TrickMo", was initially seen deployed against TrickBot victims in Germany but has since been observed in attacks around the world.

To make matters worse for security professionals, late July and early August saw the return of Emotet (discussed directly below). Emotet has long served as a delivery mechanism for TrickBot, and its return caused TrickBot activity to spike in July and August.

4. Emotet

After a near five-month hiatus, researchers at Proofpoint spotted the return of Emotet in a malicious spam campaign aimed at Microsoft Office users in late July, and the activity continued into August. Known as a versatile and widely disruptive threat, early versions of Emotet carried a module used to commit banking fraud, and for years the malware was classified as a banking trojan. However, as previously reported, recent versions no longer load their own banking module and instead load third-party banking malware such as Qakbot, TrickBot and IcedID. Emotet also loads its own modules for spamming, credential stealing, email harvesting and spreading on local networks.

Proofpoint observed nearly a quarter million Emotet messages sent on July 17, 2020. The threat actor, Mummy Spider (TA542), appears to have targeted multiple verticals across the US and UK with English language lures. These messages contain malicious Microsoft Word attachments or URLs linking to Word documents. The URLs often point to compromised WordPress hosts. One familiar technique is for the document to be sent as a reply within existing email threads.

Emotet was by far the most visible and active threat on our radar in 2018 and 2019, right up until the start of 2020, when it went into an extended break. One of the reasons it was (and is) so successful is its constant evolution in attack techniques and threat partnerships. In fact, the real damage from an Emotet compromise happens when it forms alliances with other malware gangs, particularly those interested in dropping ransomware, such as Ryuk, which was a constant partner of Emotet's in 2019. Reporting in late July and early August indicates that Emotet is now primarily being used to drop Qakbot as an infostealer before infecting victims with ProLock ransomware as part of a "triple threat" package.

5. Maze Ransomware

The Maze gang has been very active this year, with a large number of high-profile ransomware infections including Chubb, Cognizant, Bouygues Construction, Southwire, the city of Pensacola and more. In August, Maze added Xerox, LG and Canon to an already long list of victims. To make matters worse, the group has published data from each of the breaches (26GB, 50GB and 10TB respectively) to its leak site.

The "name and shame" tactic has been extremely effective since its inception in late 2019 and shows no sign of going away, as more and more groups create their own leak sites. Previously, the consensus recommendation across the industry was not to pay ransoms. The recent trend of ransomware actors threatening to leak gigabytes of data has muddied the waters on whether or not to pay as part of an incident response.

“In the early days of ransomware, the decision was usually about the cost of restoring data versus paying. Adversaries have upped the ante by threatening to release data as well, which doesn’t make for easy answers,” said A.J. Nash, senior director of cyber intelligence strategy at Anomali to SC Media. “Each company certainly has their own calculus here, so it’s hard to offer a blanket answer,” Nash said. “In cases where highly sensitive or embarrassing information may have been compromised, it will almost certainly be tempting to pay a ransom in the hopes the information won’t be released.”

6. EventBot - Mobile Malware

EventBot was first covered in April's financial threat landscape report; however, the mobile banking trojan and information stealer has continued to make headlines due to its efficacy, and was reported as the top mobile malware threat to financial institutions as recently as June. The malware purportedly targets well over 200 financial applications currently available on mobile devices, with infections across the US and Europe.

In June, the FBI issued a warning about the safety of mobile banking apps, highlighting in particular the danger of trojans designed to capture passwords, steal financial information and take over accounts. EventBot was specifically called out: it masquerades as an Adobe or Microsoft Word app for Android, but its true purpose is to steal information from unprotected financial apps on the device.

EventBot is a particularly worrying development for mobile banking for three reasons. First, it hides in an altered version of an app that appears legitimate. Second, it currently focuses on stealing unprotected information from banking, wallet, payment and cryptocurrency apps, and it can intercept SMS messages, allowing it to capture SMS-based two-factor authentication codes along with user credentials. Finally, the malware is evolving quickly, and appears to be run by a team with an entrepreneurial strategy.

7. BlackRock - Mobile Malware

A new Android malware dubbed "BlackRock" has emerged in the criminal underworld, equipped with a wide range of data theft capabilities that allow it to target 337 Android applications.

This new threat, discovered by the mobile security firm ThreatFabric, is based on the leaked source code of another malware strain (Xerxes, itself based on other strains) but was enhanced with additional features, especially around the theft of user passwords and credit card information.

Once installed on a device, a malicious app carrying the BlackRock trojan asks the user to grant it access to the phone's accessibility service. The trojan steals login credentials (usernames and passwords) where available, and also prompts the victim to enter payment card details if the targeted app supports financial transactions. Per ThreatFabric, the data collection takes place via "overlays": the trojan detects when the user opens a targeted legitimate app and draws a fake window on top of it that collects the victim's login details and card data before letting the user through to the real app.

8. SpyNote - Mobile Malware

This Android malware first surfaced in mid-2016, when it was discovered by researchers at Unit 42. SpyNote has received several updates since, and other malware variants have sprung from its leaked source code. The malware can read all messages, listen in on phone calls, activate the device camera, install additional software and more.

Researchers continue to note that SpyNote, along with other families, is masquerading as COVID-19 contact tracing applications on non-mainstream app stores.

9. MoqHao - Mobile Malware

Japanese users, on both Android and iOS, have for some time been constantly and aggressively targeted by MoqHao, a sophisticated and evolving cross-platform phishing campaign.

The payload on Android, a spoofed Android Package (APK), can be downloaded either from the Google Play Store or from a third-party server located in Taiwan, China and, most recently, Romania. On iOS, the payload has been a landing page that either pushes the victim into installing a signed malicious .mobileconfig profile, which collects device information and sends it to the URL specified in the profile, or runs a browser-based cryptomining script in the background. So far the MoqHao payload's ultimate goal has been data exfiltration, including banking credentials, and spying on the victim's activity.
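A .mobileconfig is just an XML property list, so a responder who recovers one from a phishing page can inspect it directly rather than trusting its display name. The triage script below is an added example written for this article, not code from BlueVoyant or from the MoqHao operators. It assumes the profile behaves as the text describes, collecting device identifiers and posting them to a URL, which matches the format of Apple's over-the-air "Profile Service" enrollment payload (a PayloadContent dictionary carrying a URL and a DeviceAttributes list); the sample profile, its host name and its UUID are constructed. A signed profile arrives wrapped in a CMS (PKCS#7) envelope, which plistlib cannot read; the example assumes that envelope has already been stripped, for instance with `openssl smime -verify -noverify -inform der -in profile.mobileconfig -out profile.xml`.

```python
"""Triage of an iOS configuration profile (.mobileconfig), added example."""
import plistlib
from typing import Any, Dict, List

# Constructed sample modelled on Apple's OTA Profile Service format. The host is hypothetical.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <dict>
    <key>URL</key>
    <string>https://profile.example.invalid/ota/enroll</string>
    <key>DeviceAttributes</key>
    <array>
      <string>UDID</string>
      <string>IMEI</string>
      <string>ICCID</string>
      <string>VERSION</string>
      <string>PRODUCT</string>
    </array>
    <key>Challenge</key>
    <string>cafe0123</string>
  </dict>
  <key>PayloadDisplayName</key>
  <string>iOS Security Profile</string>
  <key>PayloadUUID</key>
  <string>7C5D1A2E-0F3B-4C8A-9D6E-112233445566</string>
  <key>PayloadIdentifier</key>
  <string>com.example.invalid.profile</string>
  <key>PayloadType</key>
  <string>Profile Service</string>
</dict>
</plist>
"""

# Attributes that uniquely identify the handset or SIM; phishing profiles ask for these.
SENSITIVE_ATTRS = {"UDID", "IMEI", "ICCID", "MEID", "MAC_ADDRESS_EN0"}

# Other payload types worth a second look when they turn up in a profile from an untrusted page.
WATCHLIST = {
    "com.apple.security.root": "installs a trusted root CA (enables TLS interception)",
    "com.apple.webClip.managed": "adds a home-screen web clip that can impersonate an app",
    "com.apple.vpn.managed": "routes device traffic through an attacker-chosen VPN",
}


def parse_profile(data: bytes) -> Dict[str, Any]:
    return plistlib.loads(data)


def collect_payloads(profile: Dict[str, Any]) -> List[Dict[str, Any]]:
    """A Profile Service profile keeps one dict in PayloadContent; a normal configuration
    profile keeps a list of payload dicts. Return the top level plus any nested payloads."""
    content = profile.get("PayloadContent")
    nested = [p for p in content if isinstance(p, dict)] if isinstance(content, list) else []
    return [profile] + nested


def triage(data: bytes) -> Dict[str, Any]:
    profile = parse_profile(data)
    report: Dict[str, Any] = {
        "identifier": profile.get("PayloadIdentifier"),
        "display_name": profile.get("PayloadDisplayName"),
        "payload_types": [],
        "urls": [],
        "device_attributes": [],
        "findings": [],
    }
    for payload in collect_payloads(profile):
        ptype = payload.get("PayloadType", "")
        report["payload_types"].append(ptype)
        content = payload.get("PayloadContent")
        if ptype == "Profile Service" and isinstance(content, dict):
            url = str(content.get("URL", ""))
            attrs = list(content.get("DeviceAttributes", []))
            report["urls"].append(url)
            report["device_attributes"].extend(attrs)
            report["findings"].append("profile_service: device will POST its attributes to " + url)
            hw = sorted(set(attrs) & SENSITIVE_ATTRS)
            if hw:
                report["findings"].append("hardware_identifiers_requested: " + ", ".join(hw))
            if url.lower().startswith("http://"):
                report["findings"].append("cleartext_url")
        elif ptype in WATCHLIST:
            report["findings"].append(f"{ptype}: {WATCHLIST[ptype]}")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MOBILECONFIG).items():
        print(f"{key}: {value}")
```

The display name and organization strings in a profile are attacker-controlled and are exactly what the victim sees in the install prompt, so the useful signals are the PayloadType, the URL the device will contact, and which identifiers it is asked to hand over.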

BlueVoyant is an analytics-driven cyber security company whose mission is to protect businesses of all sizes against agile and well-financed cyber attackers by providing unparalleled visibility, insight, and responsiveness. BlueVoyant provides advanced Threat Intelligence capabilities, Managed Security Service, and effective Incident Response.
