The Society for Worldwide Interbank Financial Telecommunication (SWIFT) has been the subject of recent high-profile data breaches involving stolen credentials, the placement of malware and the successful theft of millions of dollars, most notably from Bangladesh Bank. Today a SWIFT-themed malicious email turned up in a trap email account:
Subject: SWIFT MT103
Please confirm our SWIFT MT103 for the previously concluded transaction, and notify us in case of any alteration in account. Also find our enquiry details for new orders as attached file 'doc1106337'. Inform us if you are able to supply the requested quantity or not. If you need any further information please do not hesitate to contact us.
Best Regards
Tian Wang
The MT103 is a SWIFT payment message type/format used for cash transfers, specifically cross-border/international wire transfers.
The email carries a zip attachment containing two executables. When detonated and analysed they show very clear keylogger behaviour.
1106337.exe SHA256 ed93b5c920412519efeece5a510326938fd66d3939ce87aa455fc32d305545f1
Swift_mt103a.exe SHA256 0d2fa70538853d25ded5d86dd6c5de7f6d6f14ae1de41817703a79eccc984e2c
and their VirusTotal results:
https://www.virustotal.com/#/file/0d2fa70538853d25ded5d86dd6c5de7f6d6f14ae1de41817703a79eccc984e2c/detection
and
https://www.virustotal.com/#/file/ed93b5c920412519efeece5a510326938fd66d3939ce87aa455fc32d305545f1/details
The file Swift_mt103a.exe calls back to a .in domain that provides web hosting services.
The callback carries a well-known User-Agent string, "HardCore Software For : Public", which was the focus of a McAfee report last year identifying ISR Stealer being used for industrial espionage; the hard-coded user-agent string is used for authentication purposes.
https://securityintelligence.com/news/industrial-espionage-actors-now-serving-up-server-attacks/
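The two indicators the post gives, the hard-coded User-Agent string and the SHA256 hashes of the two attachments, are the kind of thing a defender would push into proxy and endpoint log searches. The following is an added example, not code from the original post: it scans a constructed proxy log and a constructed file-hash log for those indicators. The log formats, host names and IP addresses are assumptions made up for the example; the hashes and the User-Agent string come from the post.

```python
import re
from dataclasses import dataclass

# Indicators taken from the post: the hard-coded ISR Stealer User-Agent
# string and the SHA256 hashes of the two attached executables.
ISR_STEALER_USER_AGENT = "HardCore Software For : Public"
KNOWN_BAD_SHA256 = {
    "ed93b5c920412519efeece5a510326938fd66d3939ce87aa455fc32d305545f1": "1106337.exe",
    "0d2fa70538853d25ded5d86dd6c5de7f6d6f14ae1de41817703a79eccc984e2c": "Swift_mt103a.exe",
}


@dataclass
class Alert:
    line_no: int
    indicator: str   # "user-agent" or "sha256"
    detail: str


# Constructed sample proxy log (assumed format, not a real product's):
#   <epoch> <client_ip> <method> <url> <status> "<user-agent>"
SAMPLE_PROXY_LOG = """\
1523456001 10.0.0.21 GET http://example-host.invalid/update.php 200 "HardCore Software For : Public"
1523456002 10.0.0.22 GET https://www.virustotal.com/ 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/59.0"
1523456003 10.0.0.21 POST http://example-host.invalid/upload.php 200 "hardcore software for : public"
"""

# Constructed sample endpoint file-hash log (assumed format):
#   <host> <path> <sha256>
SAMPLE_HASH_LOG = """\
WS-021 C:\\Users\\a\\Downloads\\doc1106337\\1106337.exe ed93b5c920412519efeece5a510326938fd66d3939ce87aa455fc32d305545f1
WS-022 C:\\Windows\\System32\\notepad.exe 0000000000000000000000000000000000000000000000000000000000000000
WS-021 C:\\Users\\a\\Downloads\\doc1106337\\Swift_mt103a.exe 0D2FA70538853D25DED5D86DD6C5DE7F6D6F14AE1DE41817703A79ECCC984E2C
"""

PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "(.*)"$')


def scan_proxy_log(text):
    """Return an Alert for every proxy line whose User-Agent is the ISR Stealer string."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        client_ip, url, ua = m.group(2), m.group(4), m.group(6)
        # Case-insensitive, whitespace-tolerant comparison so a trivially
        # altered copy of the string still triggers.
        if ua.strip().casefold() == ISR_STEALER_USER_AGENT.casefold():
            alerts.append(Alert(n, "user-agent", f"{client_ip} -> {url}"))
    return alerts


def scan_hash_log(text):
    """Return an Alert for every file whose SHA256 is one of the known-bad hashes."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 3:
            continue
        host, path, digest = parts
        digest = digest.lower()  # normalise hex case before the lookup
        if digest in KNOWN_BAD_SHA256:
            alerts.append(Alert(n, "sha256", f"{host} {path} matches {KNOWN_BAD_SHA256[digest]}"))
    return alerts


def hosts_to_triage(proxy_alerts, hash_alerts):
    """Collect the client IPs and host names that hit any indicator."""
    hit = set()
    for a in proxy_alerts:
        hit.add(a.detail.split(" -> ")[0])
    for a in hash_alerts:
        hit.add(a.detail.split(" ")[0])
    return sorted(hit)


if __name__ == "__main__":
    p = scan_proxy_log(SAMPLE_PROXY_LOG)
    h = scan_hash_log(SAMPLE_HASH_LOG)
    for a in p + h:
        print(f"line {a.line_no}: [{a.indicator}] {a.detail}")
    print("triage:", hosts_to_triage(p, h))
```

The hash match only catches the exact samples from the post, so it is the weaker of the two checks; the User-Agent match survives recompilation of the binary as long as the string is still hard-coded, which is why the comparison above is deliberately tolerant of case and surrounding whitespace.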
There were interesting stack strings in the ISR Stealer binary referencing the National Association of Manufacturers of Spain:
>Barcelona (see current address at https://www.anf.es/address/)1(0&
https://www.anf.es/AC/ANFServerCA.crl0+
https://www.anf.es/AC/ACTAS/789230
Of course, the real challenge this raises is mitigating threats correctly and completely when all you have is a generic threat description: if you didn't know every password store this type of threat exfiltrates, how many of us would simply re-image the machine and not force password changes?