Financial malware more than twice as prevalent as ransomware

Financial malware more than twice as prevalent as ransomware

Please attribute to, Dr.Rattipong Putthacharoen  System Engineer Lead – Thailand and CLM Symantec

February 12,  2018 – Financial threats are still profitable for cyber criminals and therefore continue to be an enduring part of the threat landscape. From financial Trojans that attack online banking, to attacks against ATMs and fraudulent interbank transactions, there are many different attack vectors utilized by criminals.

As we had predicted in 2015, we saw an increase in attacks against corporations and financial institutions themselves during 2016. This was evidenced with a series of high-value heists targeting Society for Worldwide Interbank Financial Telecommunication (SWIFT) customers. While there is no evidence of any such high value heists on SWIFT customers this year, the 2016 attacks saw several such institutions lose millions to cyber criminals and nation state supported attackers such as the Lazarus group.

On average, 38 percent of the financial threats we detected in 2016 were found in large business locations. Most of these infection attempts were not targeted attacks but were instead due to widespread email campaigns. Although we have seen a 36 percent decrease in detection numbers for financial malware in 2016, this is mainly due to earlier detection in the attack chain and more focused attacks.

With more than 1.2 million annual detections, the financial threat space is still 2.5 times bigger than that of ransomware. For example, the number of Ramnit (W32.Ramnit) detections approximately equaled all ransomware detections combined. The financial Trojan threat landscape is dominated by three malware families: Ramnit, Bebloh (Trojan.Bebloh), and Zeus (Trojan.Zbot). These three families were responsible for 86 percent of all financial Trojan attack activity in 2016. However, due to arrests, takedowns, and regrouping, we have seen a lot of fluctuations over the last year. For example, Bebloh has all but vanished in 2017 after the Avalanche takedown. Many new variants of these families have appeared or re-appeared on the market, focusing on filling specific niches. The attackers mainly use scam email campaigns with little variation and simple attachments. For example, one single Bebloh sample was responsible for 55,000 global detections in 2016.

Japan was the main focus of financial Trojans Bebloh and Snifula (Trojan.Snifula) in 2016, with more than 90 percent of their activity focusing on the country. It is unclear why these two threats shifted their attention but there are indications that they use a shared resource for attacking similar targets. Globally,

financial institutions in the U.S. were targeted the most by the samples analyzed by Symantec, followed by Poland and Japan.

Infection vectors for financial Trojans haven’t changed much in the past year and are still identical to other common Trojans. Distribution mainly relies on spam email with malicious droppers attached and web exploit toolkits. The use of scam emails was the most prevalent method of distribution for financial Trojans in 2016. The already well known Office document attachment with malicious macros continued to be widely used. However, Microsoft Visual Basic Scripting (VBS) and JavaScript (JS) files in various attachment

forms have also been used in massive spam runs to distribute malware. We have also seen Office documents without macros, and instead with embedded OLE objects and instructions for the user to double click the payload. The Necurs botnet (Backdoor.Necurs), which sent out more than 1.8 million JS

downloaders on one day alone in November 2016, highlights the magnitude of some of these campaigns.

Phishing emails, where the victim is lured to fake websites that trick them into revealing their account details, decreased to just 1 in 9,138 emails in March 2017. In 2016, the average number of phishing emails was slightly higher than 1 in 3,000 emails. Simple phishing no longer works against most banks and financial institutions, as they rarely rely on static passwords alone. However, phishing attacks can still be

successful in stealing online retail account credentials and credit card details.

ATM and point of sales (POS) attacks continued to increase in 2016. ATM malware has been around for 10 years but is still effective. With the increase of targeted attacks aimed at banks, we also saw an increase in attacks against ATMs from within the financial network. There are many active ATM and POS threat families, such as Ploutus (Backdoor.Ploutus), Flokibot, Trojan.Skimer, FastPOS (Infostealer.Fastpos), Infostealer. Poslit, Infostealer.Donpos, Infostealer.Jackpos, Infostealer. Scanpos, and Backdoor.Pralice to name just a few. Since the adoption of Chip & PIN has begun to spread outside of Europe, we have seen a decrease of classic memory scraping threats, as they are no longer efficient for the attackers.

There are various degrees of sophistication seen in the wild when it comes to ATM attacks. For some attacks the criminals need physical access to the ATM computer and they get this by opening the cover with a stolen key or picking the lock.

Once they have access to a USB port or the CD-ROM they can install malware and attach a keyboard to issue commands (the Ploutus malware uses this attack vector). Similar attacks have been reported in hotels where attackers used the often exposed USB ports on the backside of the check-in computers to install malware. Or in retail stores where the attackers added their sniffer to an exposed network port inside the shop. This allows them to compromise any attached POS device and scrape the memory for payment card information.

With physical access to the ATM another attack vector is possible. As reported in April 2017, some attackers discovered they could drill a hole into the ATM casing in order to access to the internal bus system. Once access is obtained, a cheap microcomputer is all that is needed to send commands to the bus in order to make the ATM dispense its cash.

We have also seen trends in financial malware attempting to hide configuration files from researchers as well as the move to redirection attacks or even manually logging into the system to issue large transactions if interesting financial software is detected.

Mobile threats on Android are mainly focusing on form overlay attacks or fake online banking apps. We have seen more than 170 mobile apps targeted by mobile malware. Mobile threats are still relevant as many financial institutions have deployed two-factor authentication through mobile phone applications.

As it has become more difficult to conduct such attacks on the latest Android OS, we have seen attackers reverting to social engineering attacks, where they trick victims into authorizing fraudulent transactions. The end user still remains the weakest link in the chain during an online transaction, which means even the strongest technologies are susceptible to social engineering attacks.

When a cyber attacker successfully compromises an internal network, they can steal any credentials that will help maximize their profits. This could mean stealing online banking credentials, sensitive personal data or other passwords. It is common for financial threats to steal any other account information that they can find on a compromised computer.

Once compromised, cyber attackers can use any stolen information to spread their malware further, or even sell them on underground forums. Credit card details are still the most sold digital goods on the underground forums, while bank account access information is priced according to the account balance. For example, an account with US$1,000 in it can be sold for US$10[1]. An account with a greater balance will be on sale for a larger sum.

The attacks are not only targeting the banks’ customers. We have seen several attacks against the financial institutions themselves, with attackers attempting to transfer large sums in fraudulent interbank transactions. Financial institutions are confronted with attacks on multiple fronts. The main two types are attacks against their customers and attacks against their own infrastructure.

In the event of a cyber breach, companies’ losses extend far beyond just monetary value. Their reputation and customers’ trust – areas that take time and effort to develop – will also be damaged. We expect financial threats to remain a problem for end users in the future, but attackers will likely increase their focus on corporate finance departments and using social engineering against them. Prevention is by far the best outcome so it pays to pay attention to how cyber breaches can be avoided. Email and infected websites are the most common infection vectors for malware. Adopting a robust defense against both these infection vectors will help reduce the risk of infection.

We expect financial threats to remain a problem for end users in the future, but attackers will likely increase their focus on corporate finance departments and using social engineering against them.

Adopting a multilayered approach to security minimizes the chance of infection. Symantec has a strategy that protects against malware, including financial threats, in three stages:

  • Prevent: Block the incursion or infection and prevent the damage from occurring
  • Contain: Limit the spread of an attack in the event of a successful infection
  • Respond: Have an incident response process, learn from the attack and improve the defenses

[1] Symantec ISTR Financial Threats Review 2017