We analyzed a new RATANKBA variant (BKDR_RATANKBA.ZAEL-A) that uses a PowerShell script instead of its more traditional PE executable form. In this entry, we provide in-depth analysis of the malware, as well as a detailed examination of its remote controller.
In early February, several financial organizations reported malware infection on their workstations, apparently coming from legitimate websites. The attacks turned out to be part of a large-scale campaign to compromise trusted websites in order to infect the systems of targeted enterprises across various industries. The strategy is typically known as a “watering hole” attack.
It was all sparked by a spate of recent malware attacks on Polish banks, involving a reportedly unknown malware on their own terminals and servers, along with the presence of dubious, encrypted programs/executables and, more prominently, suspicious network activity. Additional malware was delivered to the affected systems, which were seen connecting to unusual and far-flung locations worldwide, possibly the destinations to which company data were exfiltrated.
The malware in question: RATANKBA. Not only was it tied to malware attacks against banks in Poland, but also to a string of similar incidents involving financial institutions in Mexico, Uruguay, the United Kingdom, and Chile. How did it infect its victims? Were there other malware involved? Does the campaign really have ties to a Russian cybercriminal group?