Profit-driven attackers have been trying to infiltrate the finance departments of small and medium-sized businesses in the U.K., the U.S. and India in an effort to steal money from their bank accounts, Symantec has warned.
According to the security firm, the campaign was launched in early 2015 and it initially focused on India, with some targets located in the United States and other countries. Over the past few months, the malicious activity intensified in the United Kingdom and dropped in the U.S. and India.
Overall, more than half of malware infections associated with this campaign have been observed in India, with the rest being almost equally split between the U.S. and the U.K. The cybercriminals don’t target firms from specific sectors and instead attempt to breach the systems of any type of business.
The attackers have been using spoofed or stolen accounts to send out emails with subjects related to payments and financial inquiries to people working in the targeted company’s finance department. Based on the time of day most emails have been sent — afternoon GMT or morning EST time — Symantec believes the cybercrooks are likely based in Europe or the United States.
The malicious emails carry one of two remote access Trojans (RATs), which Symantec detects as Backdoor.Breut, better known as DarkComet, and Trojan.Nancrat. The piece of malware that is used seems to depend on the target’s location — Breut has been used against targets in India and other countries, while Nancrat has been spotted in attacks aimed at the U.K.
Once the malware has been deployed, it gives the attackers complete control over the infected machine, including access to the webcam and microphone, and the ability to log keystrokes and steal files and passwords.
“The attackers have been observed using the targeted employee’s privileged access to transfer money to an account under their control,” Symantec explained in a blog post. “Once a computer is compromised, the attackers spend time assessing it to find out how to steal the money. In some cases, attackers have been known to even download manuals to figure out how to use certain financial software. After they are finished with the computer, they return to sending emails to other targets. This suggests that there are a small number of attackers involved in these campaigns.”
The attackers initially used three command and control (C&C) servers for Breut. In August 2015, they set up three different servers for the RAT, assigning one of the initial servers to Nancrat.
Researchers believe the attackers might have divided responsibilities, with different members of the group being assigned to different countries.
Financially-motivated cybercriminals can make a significant profit by targeting employees who are in charge of a company’s finances. In the case of large organizations, they might not even have to rely on malware to achieve their goals.
Security blogger Brian Krebs recently presented a case where the accounting director of a Texas manufacturing firm was tricked into sending $480,000 to an account at a Chinese bank. The attackers sent the director a series of emails apparently coming from the company’s CEO, instructing him to send the money to an account they controlled. The victim only became suspicious after the cybercrooks sent instructions for a second payment of $18 million.