SWIFT is aware of malware that aims to reduce financial institutions' ability to evidence fraudulent transactions on their local systems. Contrary to reports suggesting otherwise, this malware has no impact on SWIFT's network or core messaging services.
Threat Actor
The shared subroutines are presented as the evidence that ties the SWIFT intrusion activity to the Lazarus group, the North Korean threat actor believed to be behind it: several of the samples contain the same subroutines. Earlier public analysis supported the claim that these were the only two pieces of software with this shared code.
The Anomali Labs team conducted deeper research across a very large malware repository, using the YARA signature below to search for the shared subroutines. We initially expected it to produce a lot of false positives. Instead, the search produced no false positives at all, and turned up five other pieces of malware that share this code. We see this as possible evidence linking the Lazarus group to the other attacks in which these five samples were used.
| Malware family | MD5 hash | Notes |
|---|---|---|
| SWIFT BanSwift | 5d0ffbc8389f27b0649696f0ef5b3cfe | evchk.bat dropper |
| SWIFT Fake Foxit Reader | 0b9bf941e2539eaa34756a9e2c0d5343 | A fake Foxit Reader submitted to VirusTotal from Vietnam in December 2015 (similar sample detailed at https://blogs.mcafee.com/mcafee-labs/attacks-swift-banking-system-benefit-insider-knowledge/) |
| SMBWorm | 558b020ce2c80710605ed30678b6fd0c | Known North Korean malware |
| Memory dump with SMBWorm | 96f4e767aa6bb1a1a5ab22e0662eec86 | |
| Unknown "hkcmd" tool | b0ec717aeece8d5d865a4f7481e941c5 | First submitted from Canada on 2016/04/22, likely by an AV organization. PE build date of December 2010. |
| imkrmig.exe | 5a85ea837323554a0578f78f4e7febd8 | An unknown backdoor posing as a Korean sample of Microsoft Office 2007. |
Table 1. Malware families and samples known to include the Lazarus Wipe File routine.
rule AnomaliLABS_Lazarus_wipe_file_routine {
    meta:
        author = "aaron shelmire"
        date = "2015 May 26"
        desc = "Yara sig to detect File Wiping routine of the Lazarus group"
    strings:
        /* loop body that builds the random replacement file name: one byte of rand() % 26 + 'a' per iteration */
        $rand_name_routine = { 99 B9 1A 00 00 00 F7 F9 80 C2 61 88 16 8A 46 01 46 84 C0 }
        /* imports for overwrite function */
        $imp_getTick = "GetTickCount"
        $imp_srand = "srand"
        $imp_CreateFile = "CreateFileA"
        $imp_SetFilePointer = "SetFilePointer"
        $imp_WriteFile = "WriteFile"
        $imp_FlushFileBuffers = "FlushFileBuffers"
        $imp_GetFileSizeEx = "GetFileSizeEx"
        $imp_CloseHandle = "CloseHandle"
        /* imports for rename function */
        $imp_strrchr = "strrchr"
        $imp_rand = "rand"
        $Move_File = "MoveFileA"
        $Move_FileEx = "MoveFileEx"
        $imp_RemoveDir = "RemoveDirectoryA"
        $imp_DeleteFile = "DeleteFileA"
        $imp_GetLastError = "GetLastError"
    condition:
        $rand_name_routine and (11 of ($imp_*)) and (1 of ($Move_*))
}
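To show what the rule's condition actually requires of a sample, here is an added example (not code from the Anomali post) that evaluates the same three clauses in plain Python, without the yara module, over constructed byte blobs. The names evaluate_rule, random_name and build_sample, the decoding of the hex stub in the comments, and the three sample blobs are all mine; the blobs are not real executables.

```python
# Added example, not code from the Anomali post: evaluates the condition of
# AnomaliLABS_Lazarus_wipe_file_routine in plain Python (no yara module) over
# constructed byte blobs, so you can see which clause a sample fails on.
from typing import Dict, List

# The rule's $rand_name_routine bytes. Decoded (my reading of the opcodes):
#   99              cdq
#   B9 1A 00 00 00  mov  ecx, 1Ah          ; 26
#   F7 F9           idiv ecx               ; edx = rand() % 26
#   80 C2 61        add  dl, 61h           ; 'a' + (rand() % 26)
#   88 16           mov  [esi], dl         ; overwrite one byte of the file name
#   8A 46 01        mov  al, [esi+1]
#   46              inc  esi
#   84 C0           test al, al            ; stop at the terminating NUL
RAND_NAME_ROUTINE = bytes.fromhex("99 B9 1A 00 00 00 F7 F9 80 C2 61 88 16 8A 46 01 46 84 C0")

# The $imp_* and $Move_* strings from the rule.
IMP_STRINGS: List[bytes] = [
    b"GetTickCount", b"srand", b"CreateFileA", b"SetFilePointer", b"WriteFile",
    b"FlushFileBuffers", b"GetFileSizeEx", b"CloseHandle",
    b"strrchr", b"rand", b"RemoveDirectoryA", b"DeleteFileA", b"GetLastError",
]
MOVE_STRINGS: List[bytes] = [b"MoveFileA", b"MoveFileEx"]


def evaluate_rule(data: bytes) -> Dict[str, object]:
    """Apply: $rand_name_routine and (11 of ($imp_*)) and (1 of ($Move_*)).

    Plain `in` has the same substring semantics as YARA text strings, so
    "rand" also hits inside "srand", exactly as it would in YARA.
    """
    imp_hits = [s for s in IMP_STRINGS if s in data]
    move_hits = [s for s in MOVE_STRINGS if s in data]
    has_stub = RAND_NAME_ROUTINE in data
    return {
        "match": has_stub and len(imp_hits) >= 11 and len(move_hits) >= 1,
        "stub": has_stub,
        "imports": len(imp_hits),
        "move": len(move_hits),
    }


def random_name(rand_outputs: List[int]) -> str:
    """What the decoded stub produces from successive rand() values."""
    return "".join(chr(0x61 + r % 26) for r in rand_outputs)


def build_sample(with_stub: bool, imports: List[bytes]) -> bytes:
    """Constructed stand-in for a binary: NUL-separated import names, padding,
    and optionally the rename stub. Not a real PE and not a real sample."""
    table = b"\x00".join(imports) + b"\x00"
    code = b"\x90" * 16 + (RAND_NAME_ROUTINE if with_stub else b"") + b"\xc3"
    return table + b"\x00" * 32 + code


# Three constructed inputs: one that should fire, one benign-looking tool with the
# same imports but no stub, and one with the stub but too few resolved imports.
WIPER_LIKE = build_sample(True, IMP_STRINGS + [b"MoveFileA"])
BENIGN_LIKE = build_sample(False, IMP_STRINGS + MOVE_STRINGS)
PARTIAL = build_sample(True, IMP_STRINGS[:4] + [b"MoveFileEx"])

if __name__ == "__main__":
    for label, blob in (("wiper-like", WIPER_LIKE), ("benign-like", BENIGN_LIKE), ("partial", PARTIAL)):
        print(f"{label:12} {evaluate_rule(blob)}")
    print("stub output for rand() = 41, 12345, 7, 99999, 3, 26:",
          random_name([41, 12345, 7, 99999, 3, 26]))
```

The benign-looking blob carries every import the rule lists, so the import clauses alone would fire on any ordinary file-management tool; it is the hex stub that does the discriminating, which is why the rule requires all three clauses together.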
Other previously known Lazarus Group samples (SHA256):
138464214c78a73e3714d784697745acbf692ef40419d31418e4018e752cb92b
bdcfa3b6ca6b351e76241bca17e8f30cc8f35bed0309cee91966be9bd01cb848
ddebee8fe97252203e6c943fb4f9b37ade3d5fefe90edba7a37e4856056f8cd6
4d4b17ddbcf4ce397f76cf0a2e230c9d513b23065f746a5ee2de74f447be39b9
e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a
eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55
f6cb8343444771c3d03cc90e3ac5f76ff9a4cb9cd41e65c3b7f52b38b20c0c27
Mode of entry - How intrusions usually occur
Even though in this case we do not have all the information about the attack, intrusions of this kind usually follow the steps below:
Gaining access to the internal network
This is the first obstacle every external intrusion must overcome. Access to the internal network lets the attackers move laterally (reach other systems with the same privileges as the one already compromised) and, eventually, vertically (gain more privileges on the network).
Attackers mostly use two methods to gain access to the internal network:
-Phishing campaign
A successful phishing campaign against the company that deploys a backdoor gives the attackers a connection to at least one computer inside the company, from which they can start to move laterally and vertically.
-RCE vulnerability or misconfiguration in the external network
A misconfiguration, or a vulnerability that allows Remote Command Execution (RCE), lets the attacker execute commands on an exposed host.
This is probably what happened at Bangladesh Bank: the bank reportedly connected to the SWIFT infrastructure through outdated switches with no firewall in between.
Taking control of the internal network
Once the attackers have gained access to the internal network, they usually need to escalate privileges, ideally all the way up to the most privileged account (for example Domain Administrator in Windows networks). With that, they can move freely around the network, reach any system and eventually access all of its data. This is usually done by exploiting vulnerabilities in applications or in the operating system; social engineering can achieve the same goal. In some cases this second step is unnecessary, because the attackers may already have reached the systems needed to carry out the attack.
Files used for the investigation:
MD5: 0b9bf941e2539eaa34756a9e2c0d5343
MD5: 909e1b840909522fe6ba3d4dfd197d93
Entry point:
In the case of the Vietnamese bank, the file used for the attack is a fake version of the popular PDF reader Foxit. The malware installs itself in the original Foxit installation directory and renames the original executable to FoxltReader.exe (a lowercase L in place of the i).
Once the user starts the fake reader, the malware executes and writes a log file to the temp directory, C:\Windows\temp\WRTU\ldksetup.tmp. Analyzing this file, we see that the log data is XOR-encoded with the single-byte key 0x47.
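An added example (not code from the original post) that decodes a log written with a single-byte XOR key such as the 0x47 used for ldksetup.tmp, and also recovers the key by brute force for the case where an analyst does not yet know it. The functions xor_bytes, text_score, recover_key and decode_log are mine, and the log text is constructed for the demo; it is not the contents of a real ldksetup.tmp.

```python
# Added example, not code from the original post: decodes a log written with a
# single-byte XOR key, as the fake Foxit Reader does with 0x47, and shows how
# the key is recovered when it is not known. The log text is constructed here.
from typing import Tuple

KNOWN_KEY = 0x47  # the value reported for ldksetup.tmp


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def text_score(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    good = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return good / len(data)


def recover_key(data: bytes) -> Tuple[int, float]:
    """Brute-force all 256 keys; the true key yields the most text-like output.

    A log with digits, brackets, CR/LF and mixed letters leaves only the real
    key with a score of 1.0; every other key turns some byte into a control
    character or a byte above 0x7E.
    """
    best = (0, -1.0)
    for key in range(256):
        score = text_score(xor_bytes(data, key))
        if score > best[1]:
            best = (key, score)
    return best


def decode_log(encoded: bytes, key: int = KNOWN_KEY) -> str:
    return xor_bytes(encoded, key).decode("ascii", errors="replace")


# Constructed stand-in for the log contents (not a real capture).
SAMPLE_LOG = (b"[00:00:01] fake FoxitReader.exe started\r\n"
              b"[00:00:02] log file created\r\n")
ENCODED_LOG = xor_bytes(SAMPLE_LOG, KNOWN_KEY)

if __name__ == "__main__":
    key, score = recover_key(ENCODED_LOG)
    print(f"recovered key 0x{key:02X} (score {score:.2f})")
    print(decode_log(ENCODED_LOG, key))
```

On a real artifact, run recover_key over the whole file first: a score well below 1.0 for every key means the encoding is not a single-byte XOR and a different transform should be suspected.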
Was this malware part of a targeted attack?
Yes, absolutely. As with the malware used against the Bangladeshi bank, we found the target's SWIFT code in multiple places in the malware.
Yara rules:
rule banswift : banswift {
    meta:
        description = "Yara rule to detect samples that share wiping function with banswift"
        threat_level = 10
    strings:
        /* zeroes a stack buffer, fills it with 0x5F, then pushes seven arguments whose
           values (template NULL, FILE_ATTRIBUTE_NORMAL = 80h, OPEN_EXISTING = 3, no security,
           no sharing, GENERIC_WRITE = 40000000h, file name) are those of a CreateFileA call
           that opens the target for exclusive writing */
        $snippet1 = { 88 44 24 0D B9 FF 03 00 00 33 C0 8D 7C 24 2D C6 44 24 2C 5F 33 DB F3 AB 66 AB 53 68 80 00 00 00 6A 03 53 AA 8B 84 24 40 10 00 00 53 68 00 00 00 40 50 C6 44 24 2A FF 88 5C 24 2B C6 44 24 2C 7E C6 44 24 2D E7 }
        /*
        88 44 24 0D             mov  [esp+102Ch+var_101F], al
        B9 FF 03 00 00          mov  ecx, 3FFh
        33 C0                   xor  eax, eax
        8D 7C 24 2D             lea  edi, [esp+102Ch+var_FFF]
        C6 44 24 2C 5F          mov  [esp+102Ch+var_1000], 5Fh
        33 DB                   xor  ebx, ebx
        F3 AB                   rep stosd
        66 AB                   stosw
        53                      push ebx              ; _DWORD
        68 80 00 00 00          push 80h              ; _DWORD
        6A 03                   push 3                ; _DWORD
        53                      push ebx              ; _DWORD
        AA                      stosb
        8B 84 24 40 10 00 00    mov  eax, [esp+103Ch+arg_0]
        53                      push ebx              ; _DWORD
        68 00 00 00 40          push 40000000h        ; _DWORD
        50                      push eax              ; _DWORD
        C6 44 24 2A FF          mov  [esp+1048h+var_101E], 0FFh
        88 5C 24 2B             mov  [esp+1048h+var_101D], bl
        C6 44 24 2C 7E          mov  [esp+1048h+var_101C], 7Eh
        C6 44 24 2D E7          mov  [esp+1048h+var_101B], 0E7h
        */
        /* keeps one byte of eax, replicates it into all four bytes, and fills
           400h dwords (4 KB) of a stack buffer with that byte: the overwrite pattern */
        $snippet2 = { 25 FF 00 00 00 B9 00 04 00 00 8A D0 8D 7C 24 30 8A F2 8B C2 C1 E0 10 66 8B C2 F3 AB }
        /*
        25 FF 00 00 00          and  eax, 0FFh
        B9 00 04 00 00          mov  ecx, 400h
        8A D0                   mov  dl, al
        8D 7C 24 30             lea  edi, [esp+30h]
        8A F2                   mov  dh, dl
        8B C2                   mov  eax, edx
        C1 E0 10                shl  eax, 10h
        66 8B C2                mov  ax, dx
        F3 AB                   rep stosd
        */
    condition:
        all of ($snippet*)
}
In the code, we found that the malware uses the legitimate library fpdsdk.dll from the Foxit SDK to carry out the transformation of the files.
IOC details for this bbswift malware:
Malicious URL (defanged):
hxxp://196(.)202(.)103(.)174/al?
Network IOC Detection Example for this malware:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN Possible BBSwift/Banswift/Bankswi/Alreay/TSPY_ALSOF status report HTTP Outbound"; flow:established,to_server; content:"GET"; http_method; content:"|2F|al|3F 2D 2D 2D|"; http_uri; fast_pattern; pcre:"/\x2Fal\x3F\x2D{3}[CNO]$/U"; classtype:trojan-activity; reference:url,baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html; sid:9000000; rev:1;)
The content clause looks for the /al?--- prefix in the normalized URI; the pcre (U modifier, so it is matched against that same URI buffer rather than the raw request line) requires the prefix to be followed by a single status character C, N or O at the end of the URI.
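For environments without a sensor in line, the same detection can be run after the fact over web proxy or access logs. The example below is added here and is not code from the original post or from BAE Systems; it applies the rule's test (GET, URI /al?--- plus one status letter) to request lines in common log format, handling both the origin-form path and the absolute URL that proxy logs record. The names scan_log and split_target, the C2_HOST constant (taken from the IOC above) and the log lines themselves are constructed for the demo.

```python
# Added example, not code from the original post: the Snort rule's logic applied
# to HTTP request lines from a proxy or web server log. Log lines are constructed.
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

C2_HOST = "196.202.103.174"  # the network IOC given in the post
# Same test as the rule: URI /al?--- followed by a single status character.
BEACON_URI = re.compile(r"/al\?-{3}(?P<status>[CNO])")
# '"METHOD target HTTP/x.y"' as written by common/combined log formats.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def split_target(target: str) -> Tuple[str, str]:
    """Return (host, uri) for an absolute URL (proxy logs) or a bare path."""
    parts = urlsplit(target)
    uri = parts.path + ("?" + parts.query if parts.query else "")
    return parts.netloc, uri


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per request that matches the beacon pattern."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m or m.group("method") != "GET":      # http_method "GET"
            continue
        host, uri = split_target(m.group("target"))
        u = BEACON_URI.fullmatch(uri)                  # anchored like the pcre's $
        if not u:
            continue
        hits.append({
            "client": line.split(" ", 1)[0],
            "host": host,                              # empty for origin-form requests
            "status": u.group("status"),
            "known_c2": host == C2_HOST,
        })
    return hits


# Constructed log lines: three beacons, one unknown status letter, one POST,
# and one URI that merely contains the pattern mid-path.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2016:10:00:01 +0000] "GET /al?---C HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Jan/2016:10:00:05 +0000] "GET http://196.202.103.174/al?---N HTTP/1.1" 200 12',
    '10.0.0.7 - - [01/Jan/2016:10:00:09 +0000] "GET /al?---X HTTP/1.1" 404 0',
    '10.0.0.7 - - [01/Jan/2016:10:00:10 +0000] "POST /al?---C HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Jan/2016:10:00:11 +0000] "GET /images/al?---C.png HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Jan/2016:10:00:12 +0000] "GET /al?---C HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit)
```

A hit with known_c2 set is a direct IOC match; a hit on the URI pattern alone is still worth triage, since the same client code may be pointed at a different server.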
Conclusion
In both attacks the attackers did their reconnaissance properly and may have used an insider to obtain the details they needed to prepare. In the Bangladeshi case, for example, the malware samples are tuned to the environment and to how the banking system operates, including the supported software, databases and printer. In the Vietnamese case the malware is likewise tuned to its environment: the attackers knew the bank used Foxit and replaced it with a fake version. The attackers have a very good understanding of the SWIFT messaging system and of how to manipulate it to prevent the detection of their fraudulent transfer attempts. The malware in each attack was compiled just before the attack took place.
Although both attacks were discovered at some point during the attempts to transfer large amounts of money, the actors may well have executed a few test runs to check their operations before the real attacks.