Malware: Targeting the Financial Sector - October Update

November 5, 2020 | 6 min read

BlueVoyant

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

HOPLIGHT is a powerful backdoor trojan used by North Korean actors first reported by DHS and FBI analysts in April 2019. HOPLIGHT is highly capable of manipulating system files, modifying or creating processes, changing registry settings, and using a built-in proxy application to mask inbound/outbound traffic with a remote command-and-control (C2) server.

U.S. agencies warned about activities from the North Korean threat group known as "BeagleBoyz" in late August in an operation known as FASTCash 2.0, an ATM cash-out scheme. This criminal collective is a subset of the more well-known DPRK-backed Lazarus Group. The subgroup, active since at least 2014, works to provide the government, which faces economic sanctions, with illicit funds, according to the joint alert. Although HOPLIGHT is not one of the tools explicitly listed as part of the FASTCash campaign, it is one of the tools used by Lazarus and their subgroups and was possibly used in this operation along with other parallel attacks.

Baka is an E-skimmer that was discovered in early 2020 by Visa's Payment Fraud Disruption (PFD) department. While the skimmer itself is basic and contains the expected features offered by many eCommerce skimming kits (e.g., data exfiltration using image requests and configurable target form fields), the Baka skimming kit’s advanced design indicates it was created by a skilled developer.

According to VISA, the most compelling components of this kit are the unique loader and obfuscation method. The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code. PFD assesses this skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis by Developer Tools or when data has been successfully exfiltrated.

Sodinokibi, also known as ‘REvil,’ is a ransomware-as-a-service (RaaS) model discovered in April 2019. Its multiple infection vectors include exploiting known security vulnerabilities and phishing campaigns. Sodinokibi encrypts a user’s files and can gain administrative access by exploiting vulnerabilities in applications such as Oracle WebLogic (CVE-2019-2725).

Sodinokibi is one of the top ransomware families in the wild today and has been no stranger to this list throughout 2020. In a recent IBM report, it was stated that Sodinokibi ransomware attacks account for one in three ransomware incidents IBM has responded to in 2020 so far. In addition, IBM estimates that Sodinokibi profits this year exceed $81 million.

One reason behind their success, said Christopher Kiefer, IBM Security threat analyst, is that the group uses a very careful approach when choosing threat actors to deliver its malware to victims. "The Sodinokibi group looks for experienced, highly skilled hackers that know how best to quickly infiltrate corporations and keep a low profile until a ransomwareattack is executed," he said. "This approach has allowed the group to target victims that are likely to yield a high, fast payout relative to the hackers' investment. The group also has a public-facing blog on which it advertises victims, ransom asking amounts, stolen information, and data available for sale at Auction."

Mailto (also known as NetWalker) is a sophisticated family of Windows ransomware that has targeted corporate computer networks. It is an updated version of Kokoklock ransomware and encrypts data and renames files with the developer's email address and an extension comprising the victim's unique ID.

Mailto/NetWalker is also a RaaS, providing the tools and infrastructure for others to launch ransomware attacks in return for affiliate payments. The group posts on dark market forums, inviting other criminals to become affiliates and help them spread the ransomware, with preference being given to those with proven experience in cybercrime and existing access to corporate networks.

The gang also participates in the "name and shame" ransomware game dominating the industry. Most recently, Netwalker ransomware operators published the stolen data for K-Electric, Pakistan's largest private power company, after a ransom was not paid. For this attack, operators only disrupted billing services and not the supply of power, but the demand was still an exorbitant $3,850,000 USD.

Mobile Malware in the Financial Sector

CERBERUS - Cerberus hasn't appeared on this list since March of this year, when it was deemed an elite class of mobile malware. The malware has added a Remote Access Trojan (RAT) capability along with the ability to steal device screen-lock credentials and 2FA tokens from Google Authenticator.

According to Kaspersky, in July, the malware's development team had a falling out and opted to auction off the source code. Due to an unclear culmination of factors, the author later decided to publish the project source code for premium users on a popular Russian-speaking underground forum. The researchers note that Cerberus' source code was made available for free to premium members of certain Russian darknet forums. Previously, the Trojan was available as a malware-as-a-service tool.

In June, the FBI warned fraudsters are increasingly using Trojans to target banking customers and disguising the malware as legitimate apps, games, or other tools. The bank website overlay is activated when a mobile banking customer launches their banking app. This triggers the Trojan and prompts a fake login page that overlays the legitimate app to entice the user to provide their login information, according to the FBI.

BLACKROCK - For the third month in a row, the new Android malware dubbed "BlackRock" has appeared on this list. As one of the top mobile malwares available to the criminal underworld, BlackRock comes equipped with a wide range of data theft capabilities allowing it to target over 300 Android applications.

BlackRock has made waves in India to the point that the malware was actually briefed to Parliament on September 17th. “It (BlackRock) can steal credentials from more than 300 apps like email clients, eCommerce apps, messaging/social media apps, entertainment apps, banking, financial apps, etc.,” Minister of State for Electronics and IT Sanjay Dhotre said in a written reply in the Rajya Sabha.

The Indian Computer Emergency Response Team (CERT-In) has published an alert and Dhotre said the government has taken a number of measures to check malicious apps and enable users to protect their mobile phones, including sending alerts and advisories about threats, vulnerabilities, and malware affecting mobile phones along with countermeasures.

ALIEN - As mentioned above, the official Cerberus version was a powerful Android trojan until the team broke up and sold the source code. However, researchers from ThreatFabric have now discovered another Android banking trojan that could replace Cerberus. Dubbed Alien, the malware seems capable enough to serve as the next MaaS (Malware as a Service).

Specifically, Alien is a fork of Cerberus malware. Due to its similarity, the active Alien campaigns are often misunderstood as Cerberus attacks. However, the researchers have made it clear that Alien is a separate malware run by a separate group and appears to have some updated functionality, which includes a TeamViewer-based remote control and notification sniffer.

Alien malware is already active in the wild and is targeting institutions globally. This is because the malware allows threat actors to add personalized targets. According to reports, the malware can presently target 226 different Android apps so far.