

How a New Malspam Attack is Determined to Hack a Bank


By Homer Pacag, Security Researcher at Trustwave

Using malware infected spam (or malspam for short) to attack targets is one of the oldest tricks in the cybercriminal book, but attackers frequently use old techniques with new twists to catch victims out.

In August, our threat detection team uncovered an unusual, new approach to malspam in a campaign that appeared to be exclusively targeting banks.

We first spotted the campaign in mid-August, and it reappeared later in the month. The attack used the ever-popular technique of sending a malware-infected fake invoice to targets to trick them into opening the file and executing the hidden malware. However, this one came with a new development we hadn’t seen before.

Rather than the usual infected Word or PDF documents, the attackers instead used Microsoft Publisher, a program generally reserved for editing a document’s layout rather than composing and editing a simple file like an invoice. Seeing a .pub document with a filename like “Payment Advice” was unusual enough to prompt a more in-depth investigation from our team.

The hidden malware

Opening the attached .pub will prompt the user to “Enable Macros”, which may appear as “Enable Editing” or “Enable Content” in some older versions of Microsoft Publisher. Accepting the command will activate a hidden download link for a self-extracting archive containing a backdoor tool known as the FlawedAmmyy RAT (Remote Access Trojan).

FlawedAmmyy has been used in attack campaigns since 2016, usually targeting specific companies in industries such as the automotive sector. A large attack was detected in July 2018, this time using PDF documents.

Based on the leaked source code of a remote access admin tool, the malware has several abilities including a remote desktop tool and a file system manager. Once a machine has been infected with FlawedAmmyy, the attacker is able to remotely take control and perform a number of malicious actions. They can begin exfiltrating data or installing further malware with other capabilities and can use the compromised machine to email other users at the organisation under the guise of the commandeered email address.

What makes this attack different?

The use of .pub files rather than Word or PDF documents makes this campaign rather unusual. We can’t be certain of the attackers’ motivation for the switch, but it appears to come as part of a prolonged campaign using different techniques. With further investigation, it quickly became apparent that this group has been repeatedly experimenting with its attack method in recent months.

A week after the initial discovery, we found the campaign had re-emerged, this time with the Microsoft Publisher files embedded within a PDF. Hiding executable items inside a PDF is a popular tactic with this group, and the same technique was used for most of the previous FlawedAmmyy attacks.

After some further digging, we were able to identify several different cases likely stemming from the same attackers. They all used the FlawedAmmyy malware embedded in documents and were exclusively targeting banks, but frequently changed other elements, such as using different subject lines and other file types like Excel IQY.

It also appears that the campaign originates from the notorious Necurs botnet, which has been responsible for several very large-scale malware distribution campaigns over the last couple of years, for example WannaCry, which hit the NHS in May 2017. However, this most recent example is notable for being of a much smaller scale and only targeting domains belonging to banks.

Should banks be worried?

The amount of evidence we have uncovered so far indicates that this group is very persistent in their goal of infecting a banking organisation with the FlawedAmmyy malware. This is unsurprising as compromising an endpoint device within a bank with the remote access trojan is something of a holy grail for a cybercrime group. A successful infection would potentially allow for further attacks, including stealing large amounts of confidential data, transferring funds, or even accessing the banking system itself.

After the recent spree of different attack patterns, we can anticipate that the attackers will continue to experiment with different combinations of file types and text until they are finally able to successfully infect a bank with malware.

Banks around the world should be on their guard for the appearance of this attack. As with past malspam attacks, this latest campaign relies on poor user awareness to succeed. Banks should consider strengthening their security training so that all users are aware of the threat posed by unknown files in their inbox. There should be a clear policy in place for handling and reporting suspicious emails.

Taking it a step further, banks should also ensure they have the ability to closely inspect inbound document files at the email gateway. This will enable them to detect hidden files and macros that have been embedded within apparently benign files. It may also be advisable to block files like Excel IQY at the email gateway as they are increasingly being used to evade security measures and execute malware downloads.
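The gateway inspection described above, as an added illustration that is not part of the original article or of any Trustwave tooling: a small Python triage routine that flags the attachment patterns this campaign used (a Publisher file carrying a VBA macro project, a PDF with an embedded OLE document, an Excel IQY web query, and an OLE file renamed to look like a PDF). The sample attachments are constructed byte strings, not real malware, and the extension policy lists are assumptions.

```python
import os

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file (.doc, .xls, .pub)
PDF_MAGIC = b"%PDF-"
# Directory entry names inside an OLE compound file are stored as UTF-16LE,
# so a macro project shows up as these strings in the raw bytes.
VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "VBA", "_VBA_PROJECT")]
PDF_RISKY = [b"/EmbeddedFile", b"/Launch", b"/JavaScript", b"/OpenAction"]
BLOCKED_EXT = {".iqy"}   # assumed policy: block Excel web queries outright, as the article suggests
UNUSUAL_EXT = {".pub"}   # assumed policy: Publisher "invoices" are rare enough to warrant review
OLE_NORMAL_EXT = {".pub", ".doc", ".xls", ".ppt", ".msg"}


def triage(filename: str, data: bytes) -> list:
    """Return reasons to quarantine an attachment; an empty list means nothing was flagged."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXT:
        reasons.append(f"blocked extension {ext}")
    if ext in UNUSUAL_EXT:
        reasons.append(f"unusual attachment type {ext}")
    if data.startswith(OLE_MAGIC):
        if ext not in OLE_NORMAL_EXT:          # extension does not match the real container
            reasons.append(f"OLE container disguised as {ext or 'no extension'}")
        if any(marker in data for marker in VBA_MARKERS):
            reasons.append("OLE container carries a VBA macro project")
    elif data.startswith(PDF_MAGIC):
        reasons.extend(f"PDF contains {tag.decode()}" for tag in PDF_RISKY if tag in data)
        if OLE_MAGIC in data:                  # the .pub-inside-PDF variant
            reasons.append("PDF embeds an OLE document (for example a .pub file)")
    elif data[:3].upper() == b"WEB" and b"http" in data.lower():
        reasons.append("IQY web query that would pull remote content into Excel")
    return reasons


# Constructed sample attachments (not real malware): just enough bytes to trip each check.
SAMPLES = {
    "Payment Advice.pub": OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le")
                          + b"\x00" * 16 + "VBA".encode("utf-16-le"),
    "invoice.pdf": b"%PDF-1.7\n1 0 obj << /Type /EmbeddedFile /Length 24 >>\nstream\n"
                   + OLE_MAGIC + b"\x00" * 16 + b"\nendstream\nendobj\n%%EOF\n",
    "statement.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >>\nendobj\n%%EOF\n",
    "report.iqy": b"WEB\r\n1\r\nhttp://example.invalid/query\r\n",
    "fake_invoice.pdf": OLE_MAGIC + b"\x00" * 64,   # OLE file renamed to look like a PDF
}


def scan(samples=SAMPLES) -> dict:
    """Triage every sample; the gateway would quarantine anything with a non-empty list."""
    return {name: triage(name, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan().items():
        print(f"{name}: {'QUARANTINE: ' + '; '.join(reasons) if reasons else 'clean'}")
```

The byte-pattern checks are deliberately simple heuristics; a production gateway would parse the OLE directory and the PDF object tree properly rather than searching raw bytes.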

Research also contributed by Phil Hay, Research Manager, Trustwave

Global Banking & Finance Review
