For cybercriminals everywhere, it’s still business as usual. The recent global ATM heist that stole a total of $45M showed that orchestrated targeted attacks continue to plague organizations globally.  Legacy approaches to identifying threats are not keeping up with the tactics being used to exfiltrate precious assets and corporate secrets. Although it took money mules withdrawing cash from ATMs in 27 countries to pull off the heist, we will likely see that this was made possible by a very sophisticated targeted attack on third-party card processors in India and the US – as initial reports indicate.

The real debate is how much collateral damage and fallout we’ll see as a result of this attack.  Many of the same technologies and processes are used by other financial institutions.  A weakness here could be used by attackers to target other banks with similar architectures.

It’s a safe bet to assume the attackers were able to acquire  and maintain a persistent foothold in these banking institutions. The attackers carefully picked their target to increase the chances their attack would be successful without being discovered.  Weeks and months of reconnaissance work was more than likely carried out, coupled with covert, clandestine operations once their marks had been made and a foothold was achieved.

These types of targeted attacks are not like other day-to-day threats we information security professionals face.  They are more likely targeted attacks that have a specific purpose in mind. A recent white paper we’ve published discusses the lateral movement that takes place occurs within networks during these types of attacks, and looks at the tools and techniques utilized.

Online banking is increasingly important today, with nearly 94% of the world’s wealth is housed in some form of electronic currency.  It’s no wonder cyber heists are on the rise and the payouts are reaching epic proportions. DDoS (Distributed Denial of Service) attacks as increasing as well, which impacts how we conduct online banking as consumers and businesses.  These attacks can also consume an organization’s technical and human resources, ultimately acting as a distraction.

These incidents show that targeted attacks and cybercrime can act hand in hand. All organizations have to consider this as they incorporate their countermeasures and mitigations moving forward. How can they determine if they are in the cross hairs of a targeted attack and understand the dynamics of any threats they are currently facing?

Organizations need to understand that “targeted attacks” can involve more than just information theft, but can actively damage systems and cause significant financial losses. Tools that are valuable in this field include “padded cells” to test incoming threats that use virtualization sandboxing techniques. Threat intelligence and feedback provided by the Smart Protection Network is invaluable to provide organizations with the tools needed to deal with these attacks and protect their networks.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Two Brazilian government websites have been compromised and used to serve malware since April 24. We spotted a total of 11 unique malware files being distributed from these sites, with filenames that usually include “update”, “upgrade”, “Adobe”, “FlashPlayer” or combinations thereof.  Besides the different filenames, these samples also have different domains where they can connect to download other malicious files, as well as varying command-and-control (C&C) servers.

Based on Smart Protection Network feedback, 90% of the affected customers are from Brazil. Other affected countries include the United States and Angola.

Figure 1. Top affected countries

Infection Chain

The general behavior of these malicious files (detected as TROJ_BANDROP.ZIP) are similar. They drop two files: one executable file (detected as TSPY_BANKER.ZIP) and a supposed GIF file (detected as JAVA_BANKER.ZIP) file in the system’s temporary folder.  The executable file modifies the Windows registry to lower system’s security settings, and ultimately loads the .GIF file.

The “GIF file” is actually a Java file, loaded using the javaw.exe executable, which is part of the Java Runtime Environemnt. JAVA_BANKER.ZIP contains commands that can download and execute files from several pre-configured URLs. The downloaded files are then saved as %User Profile%\update.gif (also detected as JAVA_BANKER.ZIP) and executed. These JAR files use several open source libraries such as Java Secure Channel (JSch) and Java Native Access (JNA). These libraries and can be used for network operations, in particular connecting to an SSH server, port forwarding, file transfers among others.

The final payload of JAVA_BANKER.ZIP is a .JAR file, which elevates the affected user’s administrator right. Given that the attacker has taken control of the system, modifying the victim’s admin rights enables him to modify the normal system file termsvr.dll. This .DLL is mainly used for remote desktop sessions. The malware will replace this file with %Temp%\update.gif.

Malicious Component File Leads to Serious Security Compromise

Based on code analysis, %Temp%\update.gif  is used to enable multiple concurrent remote desktop sessions in the affected system. But what does this mean to users?

For security reasons, remote desktop sessions are limited to just one session at a time. But %Temp%\update.gif creates its own user account (ADM123), which is set as a system adminstrator. Once the system has been set-up for multiple sessions, it notifies its C&C server of the compromise. The remote malicious user then connects to the affected system using the ADM123 account. The remote attacker has now complete control over the system. The attacker has now the capability to perform more damaging commands onto the infected machine. Trend Micro protects users from this threat by detecting and deleting the related malware if found in the system.

Compromising and using government sites to deliver malware is not an unusual practice. Earlier this month, a website of the US Department of Labor was compromised to serve zero-day Internet Explorer exploit. This tactic provides a certain social engineering leverage, as government-related sites are usually deemed safe and secure. But as this incident clearly shows, there is no sacred cow when it comes to cybercrime. Everyone is fair game.

This is the latest development in the rather interesting development in the Brazilian threat landscape, which was lately troubled with a malicious “homemade” browser and other banking Trojans that give Bancos variants a run for their money.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.