Much has been reported and discussed about the bank heists that affected Bangladesh, Vietnam, and Ecuador. All three cases involved the Society for Worldwide Interbank Financial Transfers (SWIFT), a system used by financial/banking institutions worldwide for communicating financial messages or instructions, and has more than 10,000 customers from the financial sector: banks, brokerage institutions, foreign exchanges, and investment firms, among others. These high-profile attacks pose the question of how the attackers could gain foothold and authorization to do the transaction or payment order? What tools were used? And what security controls have to be in place that can detect these suspicious activities?
The perpetrators behind the sophisticated cyber theft attempt against Tien Phong Commercial Joint Stock Bank in Vietnam late last year used tools specifically designed to target SWIFT messaging network and edit SWIFT messages in order to steal money. It also appeared that these attackers have in-depth knowledge on SWIFT and how banks employed this platform, including how banks operate. One indication of this is how they (the perpetrators) leveraged Foxit reader, a free tool for editing, viewing, and creating PDF files for their social engineering lure in the attack against the Vietnamese bank. Through reconnaissance, they were able to know that this particular bank may be using this type of PDF reader in their operations.
Six out of eight targeted banks—their SWIFT codes are hardcoded in the malware—are located in Asia Pacific and the other two in the United States and Europe. We believe that it’s no coincidence that most of their targets are based in Asia. These cyber crooks are perhaps familiar in the banking landscape and challenges of cybersecurity in the region. Despite major improvements in security, certain banks in Asia still lag behind those in US and Europe. A number of regional banks do not allocate larger budget or invest on better security technologies/solutions despite recognizing the importance of security. The lack of cross-border coordination in certain Asian countries could prove to be a hindrance in solving cybercrime. Based on a study in 2015, another security gap in Asia is the lack of private-public partnerships that can address concerns related to cybersecurity.
Removing traces and tracks
We took a look at the tool used (detected as TSPY_TOXIFBNKR.A) in the attack against the Vietnamese bank. This tool has three main tasks/functions when executed on systems running SWIFT. First, it modifies bank transactions via SWIFT messages in PDF files. However, the malware only works if the malicious Foxit reader is the default application for reading PDF files, or if users manually select this application to open the file containing SWIFT messages. Second, the malware deletes any traces of its activities, including failed attempts at modifications. One of the items it deletes is data logs found in the table containing the ins and outs of bank transactions. Lastly, it logs and provides detailed descriptions of its activities. Below is a diagram of the infection chain. We’re still monitoring this threat for any updates and additional findings.
Figure 1. Infection chain of TSPY_TOXIFBNKR.A
Banking institutions are profitable targets, in more ways than one. The perpetrators behind this attack or operation took their time in learning about their targets and the SWIFT platform in order to abuse the latter and penetrate the targeted banks’ networks. Attackers behind this operation/s also deviated from the usual tactic of compromising the network and stealing confidential data, or using malware to get user’s personal identifiable information (PII) and credentials to sell in the underground.
This cyberattack shows how vulnerable banks can be and the dire consequences of having security gaps in one’s perimeter. It also brings to the fore the importance of securing all bases, including controls and accesses related to global money transfers. In a statement released by SWIFT organization, they advised their customers to monitor their controls set up for online banking payments, and messaging channels, including password protection as a preventive measure. In addition, SWIFT’s CEO Gottfried Leibbrandt is pushing on improving SWIFT’s security . Among his recommendations include having tighter security requirements for the software managed by customers and enhancing information sharing within users.
In our previous entry, we mentioned the importance of security as a process, mindset, and attitude. We also advise organizations to educate and train employees, especially those who have access to confidential data when it comes to cybersecurity risks.
Trend Micro protects our customers via Trend Micro Deep Discovery that detects threats targeting SWIFT systems. Endpoint solutions such as Trend Micro™ Smart Protection Suites, and Trend Micro Worry-Free™ Business Security can aid small to medium-sized financial institutions in detecting this threat and all related malicious files on their network.
Indicators of compromise
The presence of the following files connotes TSPY_TOXIFBNKR.A infection:
- Foxit Reader.exe (Note that the legitimate Foxit Reader uses this filename: FoxitReader.exe)
Here’s the related SHA1 hashes used in the attack against Vietnamese bank:
Hat tip to Sergei Shevchenko and Adrian Nish of BAE Systems, who provided a more technical analysis of this malware.
Analysis by Janus Agcaoili