In February 2017, numerous Polish banks reported seeing previously-undetected malware variants in their systems. The affected banks reported unusual behavior, including network traffic to foreign locations, encrypted executables, and malware on user workstations. Analysis of the malware revealed that once downloaded to the workstation, it connected to foreign servers and performed network reconnaissance, lateral movement and data exfiltration.
The malware was suspected to have been hosted on the website of the Polish Financial Supervision Authority, the country’s financial regulatory body. Interestingly, researchers also discovered evidence that the code used in the attack is similar to the ones used in incidents involving the National Banking and Stock Commission of Mexico and a bank in Uruguay.
There are indications that the attacks on the Polish bank are part of a larger global campaign that has targeted 104 financial organizations across 31 countries. The perpetrators of the campaign compromise the websites of their target organizations by injecting them with malicious code that redirects visitors to an exploit kit that installs the malware. The exploit kit is a custom one designed to infect visitors—specifically those who are using the IP addresses owned by the target financial organizations.
Initial reports have noted that some tools used by the malware share characteristics with malware used by the cybercrime group known as Lazarus, which is believed to have been behind a string of high profile attacks involving financial organizations, notably the 2016 incident targeting the Bangladesh Central Bank.
This current incident shows that financial organizations still face a large number of threats from determined cyber criminals. There is a continuous need for vigilance and proper security measures to prevent any potential attacks, especially ones on a global scale, from succeeding.
Trend Micro is currently analyzing the malware variants, which we have detected under the following detection names:
Financial organizations can protect their network with advanced solutions that can detect, analyze and respond to potential threats from even the most determined attackers. Here are a few of Trend Micro’s recommendations.
Trend Micro™ Deep Discovery™ provides real time protection against targeted attacks. It can detect targeted attacks and targeted ransomware anywhere in the network. It comes with smart XGen™ technology which utilizes a blend of cross-generational techniques that apply the right technology at the right time, resulting in the highest detection rate possible.
Trend Micro™ Office Scan™ protects the organization’s users and corporate information by providing multiple layers of XGen™ security protection. It includes a comprehensive list of features such as machine learning, behavioral analysis, exploit protection, advanced ransomware protection, application whitelisting, sandbox integration and more.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.