SecurityWeek

Cybercrime
New Trojan Used in Attacks Against SWIFT Member Banks

A second hacking group has been targeting SWIFT banks, according to a new report from Symantec. The group is thought to be, or be linked to, Carbanak; and is not believed to have any direct connection to the Lazarus group thought to be behind the theft of $81 million from the Bangladesh central bank and attacks in Vietnam and Ecuador earlier this year.

The discovery comes from the analysis of a new trojan found to be infecting several Symantec customers. The trojan has been named Trojan.Odinaff. Symantec reports that it has been targeting “a number of financial organizations worldwide… focused on organizations operating in the banking, securities, trading, and payroll sectors.”

Odinaff bears a number of similarities to Carbanak and its primary tool Anunak (Carberp). These include similar modus operandi, several identical C&C server addresses, and the use of Backdoor.Batel. “While it is possible that Odinaff is part of the wider [Carbanak] organization, the infrastructure crossover is atypical, meaning it could also be a similar or cooperating group.”

Symantec does not say whether Odinaff has been found in any SWIFT banks; but its analysis of the malware suggests that it has been used to target SWIFT banks. “Symantec has found evidence that the Odinaff group has mounted attacks on SWIFT users, using malware to hide customers’ own records of SWIFT messages relating to fraudulent transactions,” writes Symantec.

In August SWIFT Chief Executive Gottfried Leibbrandt warned customers that cyber attacks are likely to increase. “Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions. The threat is persistent, adaptive and sophisticated – and it is here to stay.” There is no specific indication that the warning is linked to Symantec’s research on Odinaff.

However, such a link has been made by Reuters: “SWIFT spokeswoman Natasha de Teran said that the messaging cooperative’s customer security intelligence team had sent a warning about Odinaff’s activities to its members in the early summer.”

Odinaff is thought to be delivered via spear-phishing. Two known methods include the use of a malicious MS Office macro in an attachment, and an attached password protected RAR archive. If the macro is activated, or the RAR archive accessed, the Odinaff trojan is installed.

Odinaff is the initial infection — a lightweight backdoor trojan that polls its C&C server every five minutes. This allows additional malware to be installed. The SWIFT-specific tools “are designed to monitor customers’ local message logs for keywords relating to certain transactions. They will then move these logs out of customers’ local SWIFT software environment.” The folder structure used by the attackers seems “to be largely user defined and proprietary, meaning each executable appears to be clearly tailored for a target system.”
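A fixed polling interval is one of the few behaviours in the description above that a defender can look for without a sample of the malware: a host that contacts the same destination every five minutes with almost no jitter stands out statistically from ordinary browsing. The script below is an added example written for this page, not code from Symantec or from the article; the proxy log format, the client addresses and the destination host names are constructed for illustration, and the thresholds (at least five connections, coefficient of variation of the gaps no greater than 5%) are assumptions to be tuned against real traffic.

```python
"""Flag periodic outbound connections (beaconing) in proxy logs.

Added example, not Symantec's or the article's code.  The log format
("<ISO timestamp> <client ip> <destination host>") and all hosts and
addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample log lines: one client browsing irregularly, one client
# contacting a placeholder destination on a near-exact five-minute cycle.
SAMPLE_LOG = """\
2016-10-11T09:00:00 10.0.0.15 cdn.example-news.test
2016-10-11T09:00:03 10.0.0.15 cdn.example-news.test
2016-10-11T09:00:00 10.0.0.23 c2-placeholder.test
2016-10-11T09:05:01 10.0.0.23 c2-placeholder.test
2016-10-11T09:10:00 10.0.0.23 c2-placeholder.test
2016-10-11T09:15:00 10.0.0.23 c2-placeholder.test
2016-10-11T09:19:59 10.0.0.23 c2-placeholder.test
2016-10-11T09:25:00 10.0.0.23 c2-placeholder.test
2016-10-11T09:01:12 10.0.0.15 cdn.example-news.test
2016-10-11T09:17:40 10.0.0.15 cdn.example-news.test
2016-10-11T09:18:02 10.0.0.15 cdn.example-news.test
2016-10-11T09:40:55 10.0.0.15 cdn.example-news.test
"""


def parse_log(text):
    """Yield (timestamp, client, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def find_beacons(text, min_requests=5, max_cv=0.05):
    """Return {(client, host): median gap in seconds} for periodic pairs.

    A (client, host) pair is reported when it has at least `min_requests`
    connections and the gaps between consecutive connections have a
    coefficient of variation (stdev / mean) no greater than `max_cv`.
    Both thresholds are assumed starting points, not vendor guidance.
    """
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)

    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        if pstdev(gaps) / avg <= max_cv:
            flagged[key] = median(gaps)
    return flagged


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: ~{interval:.0f}s interval")
```

Run against the constructed log, the script reports only the 10.0.0.23 pair with a median gap of 300 seconds; the browsing client makes as many connections but its gaps vary far too much to pass the jitter test. On real proxy data the same logic applies per destination domain rather than per exact host, and allow-listing of known update and telemetry services is needed to keep the alert volume manageable.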


One of the files found by Symantec is a wiper — it overwrites the drive’s MBR. “We believe this tool is used to cover the attackers’ tracks when they abandon the system and/or to thwart investigations.” That would certainly be useful in any SWIFT-style attack, aimed at giving the attackers time to move stolen money out of the immediate reach of investigators.

Such precise and labor-intensive targeting is often indicative of state-sponsored actors. The Lazarus group that hacked the Bangladesh bank has been linked to the group that hacked Sony — which in turn was blamed by the US government on North Korea (although not necessarily by Symantec). In this instance, however, Symantec has said that it does not believe Carbanak/Odinaff is state-sponsored. Symantec researcher Eric Chien told Reuters that Odinaff “appears to be a financially motivated criminal group, not a nation state”.

Odinaff is not merely targeting SWIFT. According to Symantec’s research it has been involved in attacks in the US, Hong Kong, Australia, the UK, Ukraine and Ireland. Thirty-four per cent of these attacks were against the financial sector. Another “60 percent of attacks were against targets whose business sector was unknown, but in many cases these were against computers running financial software applications, meaning the attack was likely financially motivated.”

Carbanak is believed to be responsible for thefts totaling more than $1 billion from 100 different banks over a period of two years.

On Tuesday, the G7 group of nations outlined a new framework for defending financial institutions against cyber attacks, just as the latest threat to the SWIFT interbank network came to light.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
