Old 02-25-2017, 07:22 PM
mlurp's Avatar
Default Attacks Using New Malware on 31 Global Banks

Humm banks are taking a beating...

Attackers target dozens of global banks with new malware

Watering hole attacks attempt to infect more than 100 organizations in 31 different countries.

Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016. The attackers used compromised websites or “watering holes” to infect pre-selected targets with previously unknown malware. There has been no evidence found yet that funds have been stolen from any infected banks.

The attacks came to light when a bank in Poland discovered previously unknown malware running on a number of its computers. The bank then shared indicators of compromise (IOCs) with other institutions and a number of other institutions confirmed that they too had been compromised.

As reported, the source of the attack appears to have been the website of the Polish financial regulator. The attackers compromised the website to redirect visitors to an exploit kit which attempted to install malware on selected targets.

Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland.
Custom exploit kit

The attackers appear to be using compromised websites to redirect visitors to a customized exploit kit, which is preconfigured to only infect visitors from approximately 150 different IP addresses. These IP addresses belong to 104 different organizations located in 31 different countries. The vast majority of these organizations are banks, with a small number of telecoms and internet firms also on the list.

Here is a Chart showing how many Banks in different Countries, at this site below.

Figure 1. Countries in which three or more organizations were targeted by attackers
Links to Lazarus?

The malware used in the attacks (Downloader.Ratankba) was previously unidentified, although it was detected by Symantec under generic detection signatures, which are designed to block any files seen to engage in malicious activities.

Analysis of the malware is still underway. Some code strings seen in the malware used share commonalities with code from malware used by the threat group known as Lazarus.

Ratankba was observed contacting eye-watch[.]in for command and control (C&C) communications. Ratankba was then observed downloading a Hacktool. This Hacktool shows distinctive characteristics shared with malware previously associated with Lazarus.
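The report shares its C&C domain in defanged form (eye-watch[.]in), which is how institutions pass indicators to each other. As an added illustration that is not part of the article or the post, the script below refangs such an indicator and runs it over a few constructed proxy log lines (made up here, not real traffic), matching the domain and its subdomains but not look-alike hosts that merely contain the string:

```python
import re
from dataclasses import dataclass
from typing import List

# Indicator exactly as published in the report, in defanged form.
DEFANGED_C2 = ["eye-watch[.]in"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

def domain_matches(host: str, ioc_domain: str) -> bool:
    """True if host equals the IOC domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)

# Constructed sample proxy log (format assumed): ts src_ip method host path status
SAMPLE_LOG = """\
2017-02-20T09:14:02Z 10.20.1.15 GET www.regulator.example /index.html 200
2017-02-20T09:14:05Z 10.20.1.15 POST eye-watch.in /update.php 200
2017-02-20T09:14:06Z 10.20.1.15 GET cdn.eye-watch.in /x.bin 200
2017-02-20T09:15:11Z 10.20.1.22 GET www.eye-watch.in.other.example /a 200
2017-02-20T09:16:30Z 10.20.1.31 GET news.example / 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

@dataclass(frozen=True)
class Hit:
    timestamp: str
    src_ip: str
    host: str
    ioc: str

def find_c2_hits(log_text: str, defanged_iocs=DEFANGED_C2) -> List[Hit]:
    """Return every log line whose host matches a refanged C&C indicator."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, _method, host, _path, _status = m.groups()
        for ioc in iocs:
            if domain_matches(host, ioc):
                hits.append(Hit(ts, src, host, ioc))
    return hits

def affected_hosts(hits: List[Hit]) -> List[str]:
    """Internal source addresses that talked to the C&C domain."""
    return sorted({h.src_ip for h in hits})
```

Running it on the sample flags the two real eye-watch.in contacts from 10.20.1.15 and ignores the look-alike host, which is the kind of result a bank would share with peers the way the Polish bank did.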

Figure 2. Code strings seen in sample of Hacktool used in recent attacks.

Lazarus has been linked to a string of aggressive attacks since 2009, largely focused on targets in the US and South Korea. Lazarus has been involved in high level financial attacks before and some of the tools used in the Bangladesh bank heist shared code similarities with malware used in historic attacks linked to the group.

Further investigation of these attacks is underway and, over time, more evidence may emerge about the identity and motives of the attackers. After a series of high profile attacks on banks during 2016, this latest incident provides a timely reminder of the growing range of threats facing financial institutions.

Symantec and Norton products protect against these attacks with the following detections:

Web Attack: SunDown Exploit Kit Website 5


The following are indicators of compromise related to these attacks.

Command and control infrastructure

.................................................. .. Continued At ...................................
Must be Part Geek to understand this:


“When the people fear the government, there is tyranny. When the government fears the people, there is liberty.”
―Thomas Jefferson

Improvise-Adapt-Over Come.