Financial institutions and banks in 31 countries have been the victims of a large-scale malware campaign that began in the last few months. Learn more about the dangers in our article.
The Banks Are Once Again Malware Targets
Another large malware campaign has been detected. This time an unknown hacker collective has used malware to target financial institutions such as banks globally, having attacked such establishments in 31 countries to date. The wave has been active since at least October 2016 and relies on compromised websites that deliver a first-stage payload to the victims. The discovery was made after a Polish bank found malware running on some of its computers. The bank shared the incident with other institutions, which led to the realization that the threat was global. Based on the ongoing analysis, we have obtained information about the way the malware infects its predefined targets.
Further Information About The Malware Threat
The available information shows that the infection strategy follows this tactic:
The attackers create malicious sites or compromise existing ones and plant the malware payloads on them. A custom exploit kit is operated by the group.
The target institutions are led to the malicious sites via spam email, malicious ads or other means. The sites are configured to infect only visitors arriving from 150 predefined IP addresses, which limits exposure to anyone outside the intended targets.
The malware in question is called Ratankba; it is a Trojan that can deliver additional malicious payloads.
Upon infection the Trojan copies itself to the following location:
%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\Winslui.exe.
The Trojan is then launched and gathers information about the host computer, including its name, operating system and the list of running and installed programs, and reports it to the criminals' C&C servers. The malware can download further threats such as ransomware, cause sabotage, or establish remote access that can be used to spy on the victims or harvest sensitive information from their hard drives.
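As an added example (not code from the article or from the researchers' analysis), a small audit script that lists every file in the All Users Startup folder named above, hashes it and flags anything not on an administrator's allowlist; the allowlist contents and the severity labels are assumptions for illustration.

```python
import hashlib
import os
from pathlib import Path

# Constructed allowlist for this example: SHA-256 hashes of startup entries an
# administrator has reviewed and approved (placeholder value, not a real hash).
APPROVED_STARTUP_HASHES = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}

# Persistence file name reported for Ratankba in the article; compared
# case-insensitively because Windows file names are case-insensitive.
RATANKBA_DROP_NAME = "winslui.exe"


def all_users_startup_dir() -> Path:
    """Expand the All Users Startup path named in the article.
    %SystemDrive% is taken from the environment, defaulting to C:."""
    drive = os.environ.get("SystemDrive", "C:")
    return Path(drive + r"\Documents and Settings\All Users\Start Menu\Programs\Startup")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_startup_dir(startup_dir: Path, approved_hashes: set[str]) -> list[dict]:
    """Return one finding per file in startup_dir that is not on the allowlist.
    Severity is 'high' when the file name matches the Ratankba drop name and
    'review' for any other unapproved entry (labels are this example's own)."""
    findings = []
    for entry in sorted(startup_dir.iterdir()):
        if not entry.is_file():
            continue
        digest = sha256_of(entry)
        if digest in approved_hashes:
            continue
        severity = "high" if entry.name.lower() == RATANKBA_DROP_NAME else "review"
        findings.append({"path": str(entry), "sha256": digest, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_startup_dir(all_users_startup_dir(), APPROVED_STARTUP_HASHES):
        print(f"{f['severity']:6} {f['sha256']}  {f['path']}")
```

On Windows Vista and later the "Documents and Settings\All Users" path is a junction into %ProgramData%, so the same audit can be pointed at %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp.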
Generic signatures identified the custom exploit kit because it exhibits some of the standard behavior patterns seen in similar software. The security analysis is still ongoing, and at this time the researchers state that the code resembles tools used by the hacker collective known as Lazarus.
The security investigation is ongoing and we will report further if the attacks continue.