New Trojan Used in Attacks Against SWIFT Member Banks

A second hacking group has been targeting SWIFT banks, according to a new report from Symantec. The group is thought to be, or be linked to, Carbanak; and is not believed to have any direct connection to the Lazarus group thought to be behind the theft of $81 million from the Bangladesh central bank and attacks in Vietnam and Ecuador earlier this year.

The discovery comes from the analysis of a new trojan found to be infecting several Symantec customers. The trojan has been named Trojan.Odinaff. Symantec reports that it has been targeting “a number of financial organizations worldwide… focused on organizations operating in the banking, securities, trading, and payroll sectors.”

Odinaff bears a number of similarities to Carbanak and its primary tool Anunak (Carberp). These include similar modus operandi, several identical C&C server addresses, and the use of Backdoor.Batel. “While it is possible that Odinaff is part of the wider [Carbanak] organization, the infrastructure crossover is atypical, meaning it could also be a similar or cooperating group.”

Symantec does not say whether Odinaff has been found in any SWIFT banks; but its analysis of the malware suggests that it has been used to target SWIFT banks. “Symantec has found evidence that the Odinaff group has mounted attacks on SWIFT users, using malware to hide customers’ own records of SWIFT messages relating to fraudulent transactions,” writes Symantec.

In August SWIFT Chief Executive Gottfried Leibbrandt warned customers that cyber attacks are likely to increase. “Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions. The threat is persistent, adaptive and sophisticated – and it is here to stay.” There is no specific indication that the warning is linked to Symantec’s research on Odinaff.

However, such a link has been made by Reuters: “SWIFT spokeswoman Natasha de Teran said that the messaging cooperative’s customer security intelligence team had sent a warning about Odinaff’s activities to its members in the early summer.”

Odinaff is thought to be delivered via spear-phishing. Two known methods include the use of a malicious MS Office macro in an attachment, and an attached password protected RAR archive. If the macro is activated, or the RAR archive accessed, the Odinaff trojan is installed.

Odinaff is only the initial infection: a lightweight backdoor trojan that polls its C&C server every five minutes and allows additional malware to be installed. The SWIFT-specific tools “are designed to monitor customers’ local message logs for keywords relating to certain transactions. They will then move these logs out of customers’ local SWIFT software environment.” The folder structure used by the attackers seems “to be largely user defined and proprietary, meaning each executable appears to be clearly tailored for a target system.”
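A backdoor that checks in with its C&C server on a fixed five-minute schedule leaves a regular, low-jitter pattern in proxy or firewall logs. The script below is an added example, not code from Symantec’s report or from the original article: it runs a simple periodicity check over a handful of constructed log lines (the host name, addresses and timestamps are made up) and flags source/destination pairs whose contact intervals cluster tightly around an expected period.

```python
"""Flag fixed-interval beaconing in proxy-style log lines (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: ISO timestamp, source host, destination.
# Host "ws-17" and the addresses are invented for this example.
SAMPLE_LOG = """\
2016-10-11T09:00:00 ws-17 203.0.113.10:443
2016-10-11T09:01:12 ws-17 198.51.100.7:443
2016-10-11T09:05:00 ws-17 203.0.113.10:443
2016-10-11T09:10:01 ws-17 203.0.113.10:443
2016-10-11T09:14:59 ws-17 203.0.113.10:443
2016-10-11T09:20:00 ws-17 203.0.113.10:443
2016-10-11T09:25:00 ws-17 203.0.113.10:443
2016-10-11T09:03:40 ws-17 198.51.100.7:443
2016-10-11T09:17:05 ws-17 198.51.100.7:443
2016-10-11T09:18:30 ws-17 198.51.100.7:443
2016-10-11T09:40:00 ws-17 198.51.100.7:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse(log_text):
    """Yield (timestamp, src, dst) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_beacons(log_text, expected_period=300, tolerance=0.05, min_hits=4):
    """Return {(src, dst): median_gap_seconds} for pairs that beacon.

    A pair is flagged when it has at least min_hits contacts, the median
    gap between consecutive contacts is within tolerance of expected_period,
    and the median absolute deviation of the gaps (jitter) is also within
    that bound. Irregular, human-driven traffic fails the jitter test.
    """
    contacts = defaultdict(list)
    for ts, src, dst in parse(log_text):
        contacts[(src, dst)].append(ts)

    allowed = tolerance * expected_period
    flagged = {}
    for key, stamps in contacts.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        jitter = statistics.median(abs(g - median_gap) for g in gaps)
        if abs(median_gap - expected_period) <= allowed and jitter <= allowed:
            flagged[key] = median_gap
    return flagged


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every {gap:.0f}s")
```

On the constructed sample, only the 203.0.113.10 destination is flagged (median gap 300 s, one second of jitter); the other destination is contacted five times but at irregular intervals and is ignored. In practice the expected period is unknown, so a production check would search for any tight interval cluster rather than a fixed 300 seconds, and would tolerate the deliberate jitter that better-built implants add.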

One of the files found by Symantec is a wiper — it overwrites the drive’s MBR. “We believe this tool is used to cover the attackers’ tracks when they abandon the system and/or to thwart investigations.” That would certainly be useful in any SWIFT-style attack, aimed at giving the attackers time to move stolen money out of the immediate reach of investigators.

Such precise and labor-intensive targeting is often indicative of state-sponsored actors. The Lazarus group that hacked the Bangladesh bank has been linked to the group that hacked Sony — which in turn was blamed by the US government on North Korea (although not necessarily by Symantec). In this instance, however, Symantec has said that it does not believe Carbanak/Odinaff is state-sponsored. Symantec researcher Eric Chien told Reuters that Odinaff “appears to be a financially motivated criminal group, not a nation state”.

Odinaff is not merely targeting SWIFT. According to Symantec’s research it has been involved in attacks in the US, Hong Kong, Australia, the UK, Ukraine and Ireland. Thirty-four per cent of these attacks were against the financial sector. Another “60 percent of attacks were against targets whose business sector was unknown, but in many cases these were against computers running financial software applications, meaning the attack was likely financially motivated.”

Carbanak is believed to be responsible for thefts totaling more than $1 billion from 100 different banks over a period of two years.

On Tuesday, the G7 group of nations outlined a new framework for defending financial institutions against cyber attacks, just as the latest threat to the SWIFT interbank network came to light.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
