New Trojan Used in Attacks Against SWIFT Member Banks

A second hacking group has been targeting SWIFT banks, according to a new report from Symantec.

A second hacking group has been targeting SWIFT banks, according to a new report from Symantec. The group is thought to be, or to be linked to, Carbanak, and is not believed to have any direct connection to the Lazarus group thought to be behind the theft of $81 million from the Bangladesh central bank and attacks in Vietnam and Ecuador earlier this year.

The discovery comes with the analysis of a new trojan found to be infecting several Symantec customers. The trojan has been called Trojan.Odinaff. Symantec reports that it has been targeting “a number of financial organizations worldwide… focused on organizations operating in the banking, securities, trading, and payroll sectors.”

Odinaff bears a number of similarities to Carbanak and its primary tool Anunak (Carberp). These include similar modus operandi, several identical C&C server addresses, and the use of Backdoor.Batel. “While it is possible that Odinaff is part of the wider [Carbanak] organization, the infrastructure crossover is atypical, meaning it could also be a similar or cooperating group.”

Symantec does not say whether Odinaff has been found in any SWIFT banks; but its analysis of the malware suggests that it has been used to target SWIFT banks. “Symantec has found evidence that the Odinaff group has mounted attacks on SWIFT users, using malware to hide customers’ own records of SWIFT messages relating to fraudulent transactions,” writes Symantec.

In August SWIFT Chief Executive Gottfried Leibbrandt warned customers that cyber attacks are likely to increase. “Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions. The threat is persistent, adaptive and sophisticated – and it is here to stay.” There is no specific indication that the warning is linked to Symantec’s research on Odinaff.

However, such a link has been made by Reuters: “SWIFT spokeswoman Natasha de Teran said that the messaging cooperative’s customer security intelligence team had sent a warning about Odinaff’s activities to its members in the early summer.”

Odinaff is thought to be delivered via spear-phishing. Two known methods include the use of a malicious MS Office macro in an attachment, and an attached password-protected RAR archive. If the macro is activated, or the RAR archive accessed, the Odinaff trojan is installed.
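The two delivery methods above are both things a mail gateway can triage before a user ever opens the attachment. The following is an added example of such a check, not code from Symantec or SecurityWeek: it flags OOXML documents that carry a VBA project, macro-enabled extensions, and RAR 4.x archives whose headers or file data are encrypted (the characteristic of a password-protected archive that a scanner cannot inspect). The sample attachments are constructed in memory, so it runs offline; RAR5 archives are only identified by magic bytes, not parsed.

```python
"""Triage of e-mail attachments for the two Odinaff delivery methods named
above: a macro-enabled Office document and a password-protected RAR archive.
Added defensive example, not code from Symantec or SecurityWeek; the sample
attachments are constructed in memory so the script runs offline."""
import io
import struct
import zipfile

RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # also a valid RAR 4.x marker block (type 0x72)
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container


def ooxml_has_vba(data: bytes) -> bool:
    """OOXML documents are zip containers; VBA code is stored in vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def rar4_encryption_flags(data: bytes) -> set:
    """Walk RAR 4.x block headers: CRC16, type, flags, size, then an optional
    4-byte add_size when flag 0x8000 is set. Main header (0x73) flag 0x0080
    means every following header is encrypted; file header (0x74) flag 0x0004
    means that file's data is encrypted although the listing stays readable."""
    found = set()
    if not data.startswith(RAR4_MAGIC):
        return found
    offset = 0
    while offset + 7 <= len(data):
        _crc, htype, flags, size = struct.unpack_from("<HBHH", data, offset)
        if size < 7:
            break  # corrupt or truncated header
        if htype == 0x73 and flags & 0x0080:
            found.add("rar-encrypted-headers")
            break  # everything after this block is ciphertext
        if htype == 0x74 and flags & 0x0004:
            found.add("rar-encrypted-file")
        add_size = 0
        if flags & 0x8000 and offset + 11 <= len(data):
            add_size = struct.unpack_from("<I", data, offset + 7)[0]
        offset += size + add_size
    return found


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the findings a mail gateway would attach to this file."""
    findings = []
    name = filename.lower()
    if data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        findings.append("rar-archive")
        findings.extend(sorted(rar4_encryption_flags(data)))
    if name.endswith((".docm", ".xlsm", ".pptm")):
        findings.append("macro-enabled-extension")
    if ooxml_has_vba(data):
        findings.append("ooxml-vba-project")
    if data.startswith(OLE_MAGIC):
        findings.append("legacy-ole-document")  # confirm macros with an OLE parser such as olefile
    return findings


# --- constructed samples (placeholders, not real malware) --------------------
def build_sample_docx(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not a VBA project")
    return buf.getvalue()


def build_sample_rar(encrypt_file: bool) -> bytes:
    """Marker block + main header + one file header (no packed data follows)."""
    main = struct.pack("<HBHH", 0x9090, 0x73, 0x0000, 13) + b"\x00" * 6
    name = b"invoice.doc"
    flags = 0x8000 | (0x0004 if encrypt_file else 0)
    file_hdr = struct.pack("<HBHH", 0x1234, 0x74, flags, 32 + len(name))
    # pack_size, unp_size, host_os, file_crc, ftime, unp_ver, method, name_size, attr
    file_hdr += struct.pack("<IIBIIBBHI", 0, 0, 2, 0, 0, 29, 0x30, len(name), 0x20)
    return RAR4_MAGIC + main + file_hdr + name


if __name__ == "__main__":
    for fname, blob in [("invoice.docm", build_sample_docx(True)),
                        ("report.docx", build_sample_docx(False)),
                        ("scan.rar", build_sample_rar(True))]:
        print(fname, triage_attachment(fname, blob))
```

The point of walking the RAR block headers rather than just matching the magic bytes is that an encrypted archive is the one a gateway cannot unpack and scan, so it deserves a different policy (quarantine or sandbox detonation) from an ordinary archive.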


Odinaff is the initial infection — a lightweight backdoor trojan that polls its C&C server every five minutes. This allows additional malware to be installed. The SWIFT-specific tools “are designed to monitor customers’ local message logs for keywords relating to certain transactions. They will then move these logs out of customers’ local SWIFT software environment.” The folder structure used by the attackers seems “to be largely user defined and proprietary, meaning each executable appears to be clearly tailored for a target system.”
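A backdoor that polls its C&C server on a fixed five-minute timer leaves a very regular pattern in outbound proxy logs, which is something a defender can hunt for without knowing the server address in advance. The following is an added example of that hunt, not Symantec's code: it groups requests by client and destination host, measures the gaps between consecutive requests, and flags pairs whose gaps are almost constant. The log lines, client addresses and hostnames are constructed for the example.

```python
"""Hunting for a backdoor that polls its C&C server on a fixed schedule, as
Odinaff does every five minutes, using outbound proxy logs. Added defensive
example, not Symantec's code; log lines, hosts and addresses are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev
from urllib.parse import urlsplit

# Constructed proxy log: "<timestamp> <client-ip> <method> <url>"
SAMPLE_LOG = """\
2016-10-11T09:00:02Z 10.1.4.22 GET http://cdn-status.example.invalid/ping
2016-10-11T09:00:10Z 10.1.4.31 GET http://news.example.invalid/
2016-10-11T09:00:41Z 10.1.4.31 GET http://news.example.invalid/world
2016-10-11T09:03:55Z 10.1.4.31 GET http://news.example.invalid/markets
2016-10-11T09:05:01Z 10.1.4.22 GET http://cdn-status.example.invalid/ping
2016-10-11T09:10:03Z 10.1.4.22 GET http://cdn-status.example.invalid/ping
2016-10-11T09:12:07Z 10.1.4.31 GET http://news.example.invalid/sport
2016-10-11T09:13:00Z 10.1.4.31 GET http://news.example.invalid/weather
2016-10-11T09:15:02Z 10.1.4.22 GET http://cdn-status.example.invalid/ping
2016-10-11T09:20:02Z 10.1.4.22 GET http://cdn-status.example.invalid/ping
2016-10-11T09:25:01Z 10.1.4.22 GET http://cdn-status.example.invalid/ping
"""


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        host = urlsplit(parts[3]).hostname
        if host:
            yield ts, parts[1], host


def find_beacons(text, min_events=5, max_cv=0.1):
    """Group requests by (client, host), compute the gaps between consecutive
    requests and flag pairs whose gaps are almost constant. The coefficient
    of variation (stdev / median) separates a timer-driven poll from a person
    browsing the same site. Returns {(client, host): median_gap_seconds}."""
    events = defaultdict(list)
    for ts, client, host in parse_log(text):
        events[(client, host)].append(ts)
    beacons = {}
    for key, stamps in events.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period > 0 and pstdev(gaps) / period <= max_cv:
            beacons[key] = period
    return beacons


if __name__ == "__main__":
    for (client, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: polls every {period:.0f}s")
```

In the constructed log the workstation talking to `cdn-status.example.invalid` is reported with a period of about 299 seconds, while the workstation browsing the news site is not, because its gaps vary by minutes. On real data the threshold on the coefficient of variation is the knob to tune: too tight and a backdoor that adds random jitter slips through, too loose and software update checks and mail clients flood the list.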

One of the files found by Symantec is a wiper — it overwrites the drive’s MBR. “We believe this tool is used to cover the attackers’ tracks when they abandon the system and/or to thwart investigations.” That would certainly be useful in any SWIFT-style attack, aimed at giving the attackers time to move stolen money out of the immediate reach of investigators.
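Because the wiper overwrites the master boot record, a host-level integrity check of the disk's first sector gives an investigator an early signal that the attackers have moved to the clean-up stage. The following is an added example of such a check, not Symantec's code: it validates the boot signature and partition table of a 512-byte sector and compares its SHA-256 against a baseline recorded earlier. It runs on constructed sector images; on a real host the same function would be fed the first 512 bytes of the raw device, read with administrator rights, and the baseline would come from the build image.

```python
"""Integrity check of a disk's first sector, the master boot record (MBR)
that the wiper described above overwrites. Added defensive example, not
Symantec's code; it operates on constructed 512-byte images. On a live host
the caller reads the first 512 bytes of the raw device (administrator rights
required) and supplies a baseline hash recorded when the machine was built."""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"


def sha256_hex(sector: bytes) -> str:
    return hashlib.sha256(sector).hexdigest()


def mbr_status(sector: bytes, baseline_sha256: str = None) -> dict:
    """Report whether the sector still looks like a valid MBR and whether it
    matches a previously recorded baseline hash (None when no baseline given)."""
    status = {"signature_ok": False, "partitions": 0, "matches_baseline": None}
    if len(sector) != SECTOR_SIZE:
        return status
    status["signature_ok"] = sector[510:512] == BOOT_SIGNATURE
    # four 16-byte entries: status, CHS start, type, CHS end, LBA start, sector count
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        flag, _chs_start, ptype, _chs_end, _lba, count = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype != 0 and flag in (0x00, 0x80) and count > 0:
            status["partitions"] += 1
    if baseline_sha256 is not None:
        status["matches_baseline"] = sha256_hex(sector) == baseline_sha256
    return status


def build_sample_mbr() -> bytes:
    """Constructed MBR: NOP filler in place of boot code, one bootable NTFS-type partition."""
    boot_code = b"\x90" * PARTITION_TABLE_OFFSET
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """What the sector looks like after an overwrite with zeros."""
    return b"\x00" * SECTOR_SIZE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = sha256_hex(good)
    print("intact:", mbr_status(good, baseline))
    print("wiped: ", mbr_status(build_wiped_mbr(), baseline))
```

A lost boot signature or an empty partition table is the cheap check that works without any baseline; the hash comparison additionally catches a wiper that writes a valid-looking but foreign sector. Either condition on a SWIFT-connected host should be treated as a sign that the attackers are already clearing up, and the message logs should be preserved from backups before anything else is touched.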

Such precise and labor-intensive targeting is often indicative of state-sponsored actors. The Lazarus group that hacked the Bangladesh bank has been linked to the group that hacked Sony — which in turn was blamed by the US government on North Korea (although not necessarily by Symantec). In this instance, however, Symantec has said that it does not believe Carbanak/Odinaff is state-sponsored. Symantec researcher Eric Chien told Reuters that Odinaff “appears to be a financially motivated criminal group, not a nation state”.

Odinaff is not merely targeting SWIFT. According to Symantec’s research it has been involved in attacks in the US, Hong Kong, Australia, the UK, Ukraine and Ireland. Thirty-four per cent of these attacks were against the financial sector. Another “60 percent of attacks were against targets whose business sector was unknown, but in many cases these were against computers running financial software applications, meaning the attack was likely financially motivated.”

Carbanak is believed to be responsible for thefts totaling more than $1 billion from 100 different banks over a period of two years.

On Tuesday, the G7 group of nations outlined a new framework for defending financial institutions against cyber attacks, just as the latest threat to the SWIFT interbank network came to light.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
