In September 2017, Kaspersky Labs discovered a new trojan that targets financial institutions, mostly in Russia, but the trojan has also been found in organizations in Malaysia and Armenia. Attackers used a known, but still effective technique to raid the banks:
- Gain persistent access to the bank’s internal networks for a long time
- Make recordings of day to day activities on bank employee’s infected machines
- Learn all they can about the how things work in the bank
- Find out what software is being used
- Wait for the appropriate time and launch a campaign to steal as much as they can
This technique has been before by Kaspersky in a trojan called Carbanak back in 2014, where malware was said to have been introduced into the banks by a spear-phishing campaign. Phishing is where attackers send out hundreds of thousands of copies of a specially crafted email, hoping someone will click on the link or malware embedded in it and fall for the attack – much like a fisherman casting a net and hoping to catch some fish. Spear-phishing follows similar parallels in where specially crafted emails are sent to victims in a highly targeted attack.
Once in, attackers gained knowledge of the inner workings of the bank they were able to steal money in a variety of ways:
- Forcing ATMs to dispense cash without transactions
- Altering account balances and stealing the difference
This technique has also been used several times since.
In the case of “Silence”, attackers with persistent access to the Bank’s internal networks are using the email addresses of real employees to send out spear-phishing attacks. This makes the mail look extremely authentic.
When the campaign is launched, the attackers send spear-phishing emails to victims containing an attachment that looks like a Windows help document. Once the attachment is opened, it automatically executes an embedded web page. This file contains code which is designed to download and execute another stage from a specific server on the Internet. This in turn downloads another script that installs the final malware application. This application serves as a framework. It contacts a command and control server, sends a unique identification code so that it can be contacted and monitored in the future and downloads modules to execute. The modules that are downloaded are registered as windows services and used to perform tasks such as screen recording and data uploading. There is also a module that creates a backdoor to the infected PC allowing attackers to install other malicious modules manually using standard built-in Windows commands.
Spear-phishing is still a very popular way to infect end-user PCs, whether at home or at work. There is a delay between when a new trojan is let loose on the Internet – and when samples are delivered to anti-virus vendors and detection and remediation is put in place. This results in infections.
A method to diminish the infection rate is to train users to identify suspicious emails and avoid clicking on attachments contained within them.
The Human firewall still remains one of the most under-developed firewalls in a company’s cybersecurity defence, and therefore an important market-focus for our business.