This is a security alert for all TruShield clients, the financial services industry, and the community at large. We have learned of a wave of recent threats targeting the financial services industry. This variety of threats, poised to strike banks and financial institutions, currently includes: additions and alterations to existing malware families, a new banking Trojan, and a group of cyber criminals.
An Expected Trend
As anticipated by experts at TruShield, a rapid increase in threats to the financial services sector is under way with increasing ferocity. Recent developments in the second half of April have unveiled some of the latest salvos aimed particularly at North American, European, and Australian organizations in this sector, as well as organizations used globally for financial operations. First, this has included variants and alterations of known malware families. One such example is Multigrain, a variant of NewPos Things, discovered by researchers at FireEye. An additional example is the GozNym Trojan identified by researchers at IBM, which quickly shifted tactics and added a targeted region. Second, Proofpoint and Fox IT InTELL have produced findings on a new banking Trojan known as “Panda Banker”. Third, the cyber-criminal group FIN6 was discovered by FireEye. Each of these discoveries, along with a recent announcement by SWIFT, has yielded important information that entities in the financial services industry can use to adjust their security posture.
Each of the previously mentioned threats has some noteworthy details.
Panda Banker is being widely distributed by both targeted email and three major exploit kits. It emulates many previously discovered banking Trojans, with one infection path involving a macro document and an intermediate loader, but it also collects a broader range of system information than some previous threats and can perform automated online banking actions, such as wire transfers. A large portion of Panda Banker is based on Zeus. Finally, FIN6 is a prime example of multiple malware families, tools, credentials, and tactics used in conjunction by a malicious actor. The first stage of this APT’s operation is likely the use of the Grabnew malware or of stolen credentials produced by this malware family. These credentials are used for the second stage, movement within a victim’s network in order to access more sought-after systems. This movement mainly involves the use of commonly available tools and exploits to establish remote sessions disguised by SSH and thereby plant Trinity or FrameworkPOS malware on POS systems. Lastly, the criminals exfiltrate the payment data by means such as ZIP files sent via FTP or public file sharing services, and the data is later sold via the dark web.
Each of these threats provides another snapshot of current malicious tactics employed against the financial services industry. The best visibility is provided by the research on FIN6, which moves beyond a single piece of malware and describes a start-to-finish process of cyber-criminal activity. This exploration of the multiple stages involved in an attack also identifies the critical points at which to apply security controls, and the clear consequences when the proper steps are not taken. Information released regarding compromise of the SWIFT global network is also a cautionary tale about how too much reliance on a system can create a single point of failure, and any financial institution using this network should update the access software as soon as possible.
Indicators of Compromise
|MD5 Hash (Multigrain)|
|SHA 256 (Panda Banker)|
|C&C Sites and IPs (Panda Banker)|
Mitigation and Prevention
- Do not open unsolicited email or attachments.
- Monitor for Active Directory, registry, or file changes.
- Use updated antimalware and antivirus, especially with real-time protection.
- Continuously monitor network traffic for C&C activity, including DNS queries.
- Keep systems and applications patched with current updates.
- Isolate infected systems and consider a full system wipe.
- Monitor processes for alteration or injection attempts.
- Use application control software with a base deny policy.
- Compare files with known IOCs.
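The two list items above that call for comparing files with known IOCs and monitoring network traffic for C&C activity (including DNS queries) can be turned into a small, repeatable check. The following Python script is an added example, not TruShield's tooling and not the alert's real indicator table (which is not reproduced on this page): every hash, domain, address range, DNS log line and flow record in it is a constructed placeholder, and the log format assumed is a BIND-style "query:" line. In practice the `IOC_*` sets would be populated from the vendor's published MD5/SHA-256 hashes and C&C sites and IPs.

```python
import hashlib
import ipaddress
import re
import tempfile
from pathlib import Path

# ---- Indicator set (constructed placeholders, not the alert's real IoCs) ----
SAMPLE_MALICIOUS = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE"
IOC_MD5 = {hashlib.md5(SAMPLE_MALICIOUS).hexdigest()}
IOC_SHA256 = {hashlib.sha256(SAMPLE_MALICIOUS).hexdigest()}
IOC_C2_DOMAINS = {"c2-placeholder.example", "update-placeholder.example"}
IOC_C2_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # TEST-NET-1, placeholder

# ---- Constructed sample telemetry ----
SAMPLE_DNS_LOG = [
    "28-Apr-2016 10:01:02.001 client 10.0.0.5#51234 (c2-placeholder.example): query: c2-placeholder.example IN A + (10.0.0.1)",
    "28-Apr-2016 10:01:03.010 client 10.0.0.7#40210 (www.example.org): query: www.example.org IN A + (10.0.0.1)",
    "28-Apr-2016 10:01:04.200 client 10.0.0.5#51240 (cdn.update-placeholder.example): query: cdn.update-placeholder.example IN A + (10.0.0.1)",
]
SAMPLE_FLOWS = [  # (src_ip, dst_ip, dst_port)
    ("10.0.0.5", "192.0.2.44", 443),
    ("10.0.0.7", "198.51.100.9", 443),
]


def file_hashes(path):
    """Return (md5, sha256) of a file, streamed so large files are not read into memory at once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_files(paths):
    """Compare each file's hashes with the IoC set; returns (path, algorithm, digest) hits."""
    hits = []
    for p in paths:
        md5, sha256 = file_hashes(p)
        if md5 in IOC_MD5:
            hits.append((str(p), "md5", md5))
        if sha256 in IOC_SHA256:
            hits.append((str(p), "sha256", sha256))
    return hits


# BIND-style query log line: "client <ip>#<port> ... query: <name> IN <type>"
DNS_RE = re.compile(r"client (?P<src>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def domain_matches(qname):
    """True if qname equals an IoC domain or is a subdomain of one (label-boundary aware)."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in IOC_C2_DOMAINS)


def find_c2_queries(log_lines):
    """Return (client_ip, queried_name) for every DNS log line resolving an IoC domain."""
    hits = []
    for line in log_lines:
        m = DNS_RE.search(line)
        if m and domain_matches(m.group("qname")):
            hits.append((m.group("src"), m.group("qname").rstrip(".").lower()))
    return hits


def find_c2_flows(flow_records):
    """Return flow records whose destination falls inside an IoC address range."""
    return [
        r for r in flow_records
        if any(ipaddress.ip_address(r[1]) in net for net in IOC_C2_NETS)
    ]


def demo():
    """Run all three checks over the constructed samples; returns (file_hits, dns_hits, flow_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "loader.exe"
        bad.write_bytes(SAMPLE_MALICIOUS)
        good = Path(tmp) / "notes.txt"
        good.write_bytes(b"harmless")
        file_hits = scan_files([bad, good])
    return file_hits, find_c2_queries(SAMPLE_DNS_LOG), find_c2_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    for section, hits in zip(("files", "dns", "flows"), demo()):
        print(section, hits)
```

The domain check deliberately matches on label boundaries (`name.endswith("." + d)`), so a lookalike such as `notc2-placeholder.example` is not reported while `cdn.update-placeholder.example` is; hash matching is exact, which is why both the MD5 and SHA-256 columns of an indicator feed are worth loading when a vendor publishes them.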