2018 has got off to a tough start for SWIFT, the international interbank messaging network. A report from the Russian Central Bank said hackers stole $6 million in an attack on the SWIFT network last year. That attack, like the earlier attacks in Bangladesh, relied on compromising the SWIFT terminals inside banks. The attacks led SWIFT to start its own blockchain project to improve security.
Attackers have now shifted their focus to enterprise customers. The latest attack, detected by Comodo Labs, uses a phishing email to drop malware onto computers. The email is sent to accounts departments and refers to a “wire bank transfer to your designated bank account”, telling the recipient that the details are in the attachments.
According to Fatih Orhan, head of Comodo Threat Research Lab: “..cybercriminals more and more often use finance-related topics as a bait to make users download malware and infect an enterprise’s network. They combine technical and human patterns as an explosive combination for breaking down the door to let the malware in. But it only works if the company has been careless about the right defense of that door.”
What does the attack do?
Once the user opens the attachment, it installs Trojan.JAVA.AdwindRAT. Adwind, a Java-based RAT, has been around for several years, although it seemed to disappear in early 2017. Because it runs on the Java runtime, there are variants that infect both Windows and Mac.
This version, detected by Comodo, is targeting Windows-based machines. According to the Comodo Labs team: “Once it has penetrated a user’s system, it modifies the registry, spawns many processes, checks for an antivirus installation and tries to kill its process.
“Additionally, the malware checks for the presence of forensic, monitoring or anti-adware tools, then drops these malicious executable files and makes a connection with a domain in the hidden Tor network. The malware also tries to disable the Windows restore option and turns off the User Account Control feature, which prevents installing a program without the actual user being aware.”
Comodo Labs believes this is not, initially, about stealing data: it describes the campaign as a reconnaissance mission designed to test a network's defences. However, because Adwind is a Remote Access Trojan (RAT), the attackers can drop new payloads whenever they are ready.
The attack has been traced to IP addresses in Cyprus, the Netherlands and Turkey. The entire campaign took about nine hours on Feb 9th.
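The behaviour Comodo describes, in particular the registry changes that turn off UAC and System Restore, is something a SOC can look for directly. The Python below is an added example written for this article, not Comodo's code or anything recovered from the campaign: it runs two checks over Sysmon-style event records (Event ID 13 registry value writes and Event ID 1 process creation). The registry paths are the standard Windows locations for those settings; the sample records are constructed, and the idea that the dropper runs under javaw.exe is an assumption drawn from the Trojan.JAVA.AdwindRAT detection name rather than a fact stated by the article.

```python
"""Added example (not from the article or Comodo): detection logic for the
behaviour the article quotes - UAC turned off and System Restore disabled -
run over Sysmon-style event records.

The records below are constructed for illustration. Field names follow
Sysmon Event ID 13 (RegistryEvent, value set) and Event ID 1 (process
creation); the registry paths are the standard Windows locations, and the
assumption that the dropper runs under javaw.exe follows from the
Trojan.JAVA.AdwindRAT detection name.
"""
import re

# Sysmon renders a DWORD write in the Details field as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")

# (regex on TargetObject, value that indicates tampering, finding label)
REGISTRY_RULES = [
    (r"\\Policies\\System\\EnableLUA$", 0,
     "UAC disabled (EnableLUA=0)"),
    (r"\\Policies\\System\\ConsentPromptBehaviorAdmin$", 0,
     "UAC elevation prompt suppressed"),
    (r"\\Windows NT\\SystemRestore\\DisableSR$", 1,
     "System Restore disabled (DisableSR=1)"),
    (r"\\Windows NT\\SystemRestore\\DisableConfig$", 1,
     "System Restore configuration locked (DisableConfig=1)"),
]

# Parent/child pairs worth flagging: a Java process driving admin tooling.
JAVA_IMAGES = ("\\java.exe", "\\javaw.exe")
ADMIN_TOOLS = ("\\reg.exe", "\\taskkill.exe", "\\vssadmin.exe")


def dword_value(details):
    """Return the integer in a Sysmon DWORD Details string, else None."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def check_registry_event(event):
    """Findings for one Event ID 13 record; [] for anything else."""
    if event.get("EventID") != 13:
        return []
    value = dword_value(event.get("Details", ""))
    if value is None:            # string/binary values are out of scope here
        return []
    target = event.get("TargetObject", "")
    return [
        {"rule": label, "image": event.get("Image"), "target": target}
        for pattern, bad_value, label in REGISTRY_RULES
        if value == bad_value and re.search(pattern, target, re.IGNORECASE)
    ]


def check_process_event(event):
    """Flag Event ID 1 where java/javaw spawns reg, taskkill or vssadmin."""
    if event.get("EventID") != 1:
        return []
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if parent.endswith(JAVA_IMAGES) and image.endswith(ADMIN_TOOLS):
        return [{"rule": "Java process spawned admin tool",
                 "image": image, "parent": parent,
                 "cmd": event.get("CommandLine")}]
    return []


def scan(events):
    """Run both checks over a sequence of records and return all findings."""
    findings = []
    for event in events:
        findings.extend(check_registry_event(event))
        findings.extend(check_process_event(event))
    return findings


JAVAW = r"C:\Program Files\Java\jre1.8.0_161\bin\javaw.exe"
POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SYSRESTORE = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"

# Constructed sample: three tampering events interleaved with benign ones.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": JAVAW, "TargetObject": POLICY + r"\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 13, "Image": JAVAW, "TargetObject": SYSRESTORE + r"\DisableSR",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\gpupdate.exe",
     "TargetObject": POLICY + r"\EnableLUA", "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "ParentImage": JAVAW,
     "CommandLine": r'reg add "' + POLICY + r'" /v EnableLUA /t REG_DWORD /d 0 /f'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["rule"], "<-", f["image"])
```

Running the script lists the EnableLUA write, the DisableSR write and the javaw.exe → reg.exe launch while ignoring the benign Run-key and gpupdate events. Note that Sysmon only emits Event ID 13 for keys its configuration includes, so the Policies\System and SystemRestore paths need to be in the RegistryEvent include list before this check sees anything.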
What does this mean?
Like many phishing emails, this one relies on social engineering. The attackers are hoping that users will accept that the email is from SWIFT and open the attachments. As with any email containing attachments, users should check the sender address to see if they recognise it; if not, they should treat the message as suspicious unless proven otherwise. Even when the address looks right, they should ask themselves why the email has been sent to them.
Using messages that pretend to come from SWIFT is just another attempt to look official. Accounts teams that use the SWIFT system should be familiar with the correct format and layout of genuine SWIFT messages, so this email should stand out as different and therefore suspicious.
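The sender and attachment checks above can also be automated at the mail gateway or in a triage script. The following Python is an added example for this article, not the page's own code or anything from the campaign: it applies those checks to a constructed message that borrows only the lure wording quoted above. The swift.com allowlist, the extension list and every address and filename in the sample are assumptions made for the illustration.

```python
"""Added example (not from the article): automated triage of the sender and
attachment checks the article recommends, applied to a constructed message
that copies only the lure wording quoted in the text.

Assumptions: genuine SWIFT mail comes from swift.com, and the extensions in
RISKY_EXTENSIONS are ones an accounts team should never open unvetted.
"""
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"swift.com"}   # assumption: where real SWIFT mail would originate
BRAND_WORDS = ("swift",)          # brand names spoofers put in the display name
RISKY_EXTENSIONS = {".jar", ".exe", ".js", ".vbs", ".scr", ".bat", ".cmd", ".hta"}

# Constructed sample message; headers, addresses and attachment are invented.
SAMPLE_EMAIL = """\
From: "SWIFT Payments" <notify@swift-payments-alert.example>
Reply-To: <collect@mail-relay.example>
To: accounts@example-corp.example
Subject: Wire bank transfer to your designated bank account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the details of the wire bank transfer to your designated
bank account in the attachments.

--b1
Content-Type: application/java-archive; name="SWIFT_Transfer_Details.jar"
Content-Disposition: attachment; filename="SWIFT_Transfer_Details.jar"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""


def domain_of(addr):
    """Lower-cased part after the last '@' ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def extension_of(filename):
    """'.jar' for 'x.jar'; '' for names with no dot."""
    return ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""


def triage(raw):
    """Return human-readable reasons to treat the message as suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display_name, sender = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(sender)
    # 1. Brand in the display name but the address is not on that brand's domain.
    if any(w in display_name.lower() for w in BRAND_WORDS) and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{display_name}' but sender domain is {from_domain}")

    # 2. Replies are routed somewhere other than the apparent sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    # 3. Executable-type attachments.
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    for name in attachments:
        if extension_of(name) in RISKY_EXTENSIONS:
            findings.append(f"executable attachment {name}")

    # 4. The payment lure itself: a transfer subject pointing at an attachment.
    subject = str(msg.get("Subject", "")).lower()
    if "transfer" in subject and attachments:
        findings.append("payment-transfer subject with attachment")

    return findings


if __name__ == "__main__":
    for reason in triage(SAMPLE_EMAIL):
        print("SUSPICIOUS:", reason)
```

Each finding corresponds to one of the questions the article tells users to ask: is the address really the organisation it claims to be, where do replies go, and why is there an executable attachment on a payment notification. A message that passes all four checks can still be a phish, so the output is a reason to look closer, not a verdict.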
As with all phishing attacks, user education is a quick way to reduce the risk.