Symantec on Tuesday reported on a malware campaign that has targeted financial organizations worldwide for the past 10 months. Dubbed “Trojan.Odinaff,” it has infiltrated the banking, securities, trading and payroll sectors, as well as organizations that provide them with support services.
Odinaff is used in the first stage of an attack, to get a foothold into a network. It provides a persistent presence, and lets users install additional tools onto the target network, Symantec explained.
Those additional tools appear to be the same ones used by Carbanak, a sophisticated attacker that has targeted the financial industry since at least 2013, the firm said. The Odinaff attacks also use some infrastructure previously used in the Carbanak campaigns.
About 100 organizations have been hit so far, said Jon DiMaggio, a senior threat intelligence analyst in Symantec’s Security Response unit.
However, “we have no insight into how much money has been taken in these attacks,” he told the E-Commerce Times.
Such attacks can be lucrative, though, DiMaggio noted, pointing to the US$81 million hackers looted from the Bangladesh Central Bank.
Targeting the SWIFT Network
There are two primary indications that Odinaff has been targeting users of the SWIFT global financial messaging system, DiMaggio said.
First, Odinaff has similarities with the second-stage malware, tools and tactics associated with previous attacks on SWIFT.
Second, SWIFT Suppressor malware components are present in Odinaff-related activity. Tiny executables written in C, they monitor the SWIFT customer’s server logs for keywords relating to certain transactions, DiMaggio said, and then move the logs out of the SWIFT software environment. The text strings monitored include references to dates and specific International Bank Account Numbers.
Each executable appears to be clearly tailored to the system it’s targeting.
“The attackers had knowledge and access to target environments that would require a deep understanding of banking applications and security measures put in place to safeguard those applications,” DiMaggio pointed out.
Waves of Attacks
Proofpoint saw Odinaff attacks on its customers in May and July, said Sherrod DeGrippo, director of emerging threats.
There was “a small email campaign targeting various verticals — not just financial,” this summer, she said. “There have been additional campaigns since.”
The people behind Odinaff are “a sophisticated criminal group,” DeGrippo told the E-Commerce Times. “They choose their targets carefully — they have custom tools.”
There are three methods of attack, Symantec noted: lure documents containing a malicious macro, possibly spread through phishing; the use of password-protected RAR archives, with the attack vector possibly spearphishing; and distribution through botnets to computers infected with other malware, such as Andromeda and Snifula.
The attackers use an assortment of lightweight hacking tools along with legitimate software tools, including the following:
- Mimikatz, an open source password recovery tool;
- PsExec, a procession execution tool from SysInternals;
- Netscan, a network scanning tool;
- Runas, a tool for running processes as another user;
- Powershell; and
- Ammyy Admin and variants on the Remote Manipulator System.
Ammyy Admin is free remote desktop access software; its website has been hacked repeatedly to spread malware, Symantec said.
“The website should be hardened, and there’s no reason for it to be compromised this many times unless security wasn’t a priority for the site owner or administrator,” DiMaggio noted. “We would strongly recommend using extreme caution when visiting it … to ensure the site and any downloads from its infrastructure are clean.”
“The threat landscape for the financial industry has changed, and we’re now seeing more advanced cybercrime campaigns,” DiMaggio observed.
SWIFT has called for tighter antifraud controls and closer cooperation among its 11,000 members, according to KPMG.
Thieves don’t have to attack SWIFT’s core systems to exploit weaknesses in the systems that use its network, the firm noted. The network handled more than 6 billion messages in 2015 — nearly 17 million daily — and its 11,000 members have millions of current and former employees, making it difficult to thwart a determined hacker.