“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
BlueVoyant’s December 2019 research of malware targeting the financial sector shows Ryuk leading the pack, with Bitpaymer, Dexphot, and DoppelPaymer finishing out the top malware families. These are often delivered by other malware, including Emotet, Trickbot, and Dridex.
Ryuk ransomware was responsible for over 22% of ransomware attacks, across all industry sectors, in Q3 2019. It is nearly at the $4 million mark in ransom payouts. The malware is derived from the Hermes ransomware and operated by the Russian criminal group Wizard Spider. Ryuk ransomware targets larger organizations in the U.S., U.K., and Canada for a high-ransom return.
Ryuk is often distributed through the TrickBot malware, which is mostly delivered through spam campaigns or through the use of Emotet (developed and operated by Mummy Spider). Ryuk ransomware does not take the precautions to preserve host stability that other ransomware families do. As a general rule, ransomware has a whitelist of files that are not to be encrypted. Ryuk, on the other hand, only excludes .exe and .dll files. Additionally, Ryuk will attempt to encrypt all mounted drives and network hosts with IP addresses. If the malware determines the drive is not a CD ROM, the drive is encrypted.
Bitpaymer was first identified in August 2017 and is tied to the criminal group Indrik Spider. The original source code has spawned new families, such as DoppelPaymer. Bitpaymer has had at least fifteen confirmed ransom attacks since November of 2018.
Bitpaymer is typically distributed through the Dridex malware, which spreads through compromised websites and fake software updates. Other associated malware families include Azorult and Chthonic. Each Bitpaymer binary is specially prepared for its individual target: it includes the extension name and the company name in the ransom note. The group is responsible for using the GameOver Zeus botnet (disrupted in 2014). The botnet is believed to have infected over one million computers, causing damages in excess of $100 million across businesses and financial institutions worldwide.
Microsoft discovered Dexphot in October 2018. The malware runs a complicated series of actions to infect and hijack systems for crypto-mining. One of the operations employed is known as process hollowing. It is a fileless technique that makes use of legitimate system processes by hollowing them out and filling them with malicious code.
Another operation of the Dexphot malware is polymorphism, a technique that uses different names for the malicious files in an attack. Polymorphism varies from one attack to the next so that indicators collected from one attack do not match the next. Dexphot appears to be second-stage malware from a dropped file on hosts previously infected with ICloader malware.
Researchers at CrowdStrike believe that some members of Indrik Spider have split off to create their own criminal operation. Bitpaymer and Dridex source code appears to have been forked to create DoppelPaymer. The first known victims of DoppelPaymer appeared in June 2019 and since then, ransom amounts have varied from $25k to $1.2 million.
Many of the same tactics and techniques of Bitpaymer are still at work in DoppelPaymer, but there are some significant differences. Numerous modifications were made to the Bitpaymer source code to improve and enhance DoppelPaymer’s functionality. For instance, file encryption is now threaded, which can increase the rate at which files are encrypted. The network enumeration code was updated to parse the victim system’s Address Resolution Protocol (ARP) table. The resulting IP addresses of the other hosts on the local network are combined with domain resolution results via nslookup.exe.
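The enumeration behaviour described above leaves an observable trace on the endpoint: one parent process launching nslookup.exe against many different local hosts in a short period. The following is an added detection example written for this post, not BlueVoyant tooling or DoppelPaymer code. The log layout (one process-creation event per line with host, parent PID, parent image, child image and command line), the sample lines, the 8-target threshold and the 60-second window are all constructed assumptions; map the regex to your own EDR or Sysmon export before use.

```python
"""Flag a parent process that launches nslookup.exe against many distinct
targets within a short window (burst resolution after ARP-table enumeration).

The log format and the sample events below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed one-line-per-event format (not a real Sysmon/EDR export layout).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) ppid=(?P<ppid>\d+) parent="(?P<parent>[^"]+)" '
    r'image="(?P<image>[^"]+)" cmd="(?P<cmd>[^"]*)"$'
)

# Constructed sample: an unknown binary in %TEMP% resolves nine local hosts in
# 18 seconds (one IP repeated), while an admin runs two lookups from cmd.exe.
SAMPLE_LOG = """\
2019-12-03T10:15:00Z host=FIN-WS07 ppid=4120 parent="C:\\Users\\jdoe\\AppData\\Local\\Temp\\p3.exe" image="C:\\Windows\\System32\\nslookup.exe" cmd="nslookup 10.20.1.5"
2019-12-03T10:15:02Z host=FIN-WS07 ppid=4120 parent="C:\\Users\\jdoe\\AppData\\Local\\Temp\\p3.exe" image="C:\\Windows\\System32\\nslookup.exe" cmd="nslookup 10.20.1.6"
2019-12-03T10:15:04Z host=FIN-WS07 ppid=4120 parent="C:\\Users\\jdoe\\AppData\\Local\\Temp\\p3.exe" image="C:\\Windows\\System32\\nslookup.exe" cmd="nslookup 10.20.1.7"
2019-12-03T10:15:06Z host=FIN-WS07 ppid=4120 parent="C:\\Users\\jdoe\\AppData\\Local\\Temp\\p3.exe" image="C:\\Windows\\System32\\nslookup.exe" cmd="nslookup 10.20.1.8"
2019-12-03T10:15:08Z host=FIN-WS07 ppid=4120 parent="C:\\Users\\jdoe\\AppData\\Local\\Temp\\p3.exe" image="C:\\Windows\\System32\\nslookup.exe" cmd="nslookup 10.20.1.9"
2019-12-03T10:15:10Z host=FIN-WS07 ppid=4120 parent="C:\\Users\\jdoe\\AppData\\Local\\Temp\\p3.exe" image="C:\\Windows\\System32\\nslookup.exe" cmd="nslookup 10.20.1.5"
2019-12-03T10:15:12Z host=FIN-WS07 ppid=4120 parent="C:\\Users\\jdoe\\AppData\\Local\\Temp\\p3.exe" image="C:\\Windows\\System32\\nslookup.exe" cmd="nslookup 10.20.1.10"
2019-12-03T10:15:14Z host=FIN-WS07 ppid=4120 parent="C:\\Users\\jdoe\\AppData\\Local\\Temp\\p3.exe" image="C:\\Windows\\System32\\nslookup.exe" cmd="nslookup 10.20.1.11"
2019-12-03T10:15:16Z host=FIN-WS07 ppid=4120 parent="C:\\Users\\jdoe\\AppData\\Local\\Temp\\p3.exe" image="C:\\Windows\\System32\\nslookup.exe" cmd="nslookup 10.20.1.12"
2019-12-03T10:15:18Z host=FIN-WS07 ppid=4120 parent="C:\\Users\\jdoe\\AppData\\Local\\Temp\\p3.exe" image="C:\\Windows\\System32\\nslookup.exe" cmd="nslookup 10.20.1.13"
2019-12-03T10:16:00Z host=FIN-WS07 ppid=1204 parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\explorer.exe" cmd="explorer.exe"
2019-12-03T10:30:00Z host=FIN-WS07 ppid=880 parent="C:\\Windows\\System32\\cmd.exe" image="C:\\Windows\\System32\\nslookup.exe" cmd="nslookup fileserver.corp.local"
2019-12-03T10:30:40Z host=FIN-WS07 ppid=880 parent="C:\\Windows\\System32\\cmd.exe" image="C:\\Windows\\System32\\nslookup.exe" cmd="nslookup -type=A dc01.corp.local"
"""


def parse(lines):
    """Yield dict records for lines matching LOG_RE; unparseable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def nslookup_target(cmd):
    """Return the first non-option argument of an nslookup command line, or None."""
    args = [a for a in cmd.split()[1:] if not a.startswith("-")]
    return args[0] if args else None


def detect_resolution_bursts(lines, min_targets=8, window=timedelta(seconds=60)):
    """Group nslookup.exe launches by (host, parent pid, parent image) and alert when
    one parent resolves at least min_targets distinct names/IPs inside any window."""
    by_parent = defaultdict(list)
    for rec in parse(lines):
        if rec["image"].lower().endswith("\\nslookup.exe"):
            target = nslookup_target(rec["cmd"])
            if target:
                key = (rec["host"], int(rec["ppid"]), rec["parent"])
                by_parent[key].append((rec["ts"], target))

    alerts = []
    for (host, ppid, parent), events in by_parent.items():
        events.sort()
        best, start = 0, 0
        # Sliding window over time-ordered events; count distinct targets per window.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({t for _, t in events[start:end + 1]}))
        if best >= min_targets:
            alerts.append({"host": host, "ppid": ppid, "parent": parent,
                           "distinct_targets": best})
    return alerts


if __name__ == "__main__":
    for alert in detect_resolution_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keying on the parent process rather than the user is what separates the burst from an administrator's occasional lookups: the cmd.exe session in the sample resolves two names and is never reported. Tune the threshold and window against your own baseline, and treat a hit from a parent outside the expected admin tooling (a binary in a user-writable path, as in the sample) as the higher-confidence case.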
In next week’s blog, Malware Targeting the Financial Sector - Part 2, we’ll look at the Maze, Nemty, Predator the Thief and MedusaLocker ransomware.