A second group of hackers is attempting to rob banks by targeting SWIFT users with the same methods that led to the Bangladesh Bank heist, according to researchers at Symantec. The tools used are linked to the Odinaff group, which has targeted financial institutions worldwide since the beginning of the year.
In its blog post, Symantec details evidence that a separate hacking group is targeting SWIFT, the messaging network banks use to exchange payment instructions and so move funds. The hackers use malicious tools to monitor SWIFT messages on infected computers for bank account numbers or other keywords relating to specific transactions. When a message containing a targeted text string is intercepted, a "suppressor" component moves it out of the local file system so that it cannot be seen or recovered by the intended recipient.
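The suppression described above is a tampering problem, and the practical defence is to keep an off-host record of every message as it is written and reconcile against it. The following is an added example, not code from Symantec's report or from any SWIFT software: it writes a few constructed MT103-style messages (the field layout is a simplified assumption, not real SWIFT traffic), records an append-only ledger of reference-to-hash pairs, emulates a keyword-driven suppressor that moves matching files out of the store, and then reports which ledger entries no longer exist on disk or have changed content.

```python
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample messages (assumption: a simplified MT103-style block 4).
# :20: is the sender's reference, :32A: value date/currency/amount, :59: beneficiary.
SAMPLE_MESSAGES = {
    "out-0001.fin": "{4::20:REF0001:32A:161004USD1000,:59:/ACC111222333-}",
    "out-0002.fin": "{4::20:REF0002:32A:161004EUR250,:59:/ACC444555666-}",
    "out-0003.fin": "{4::20:REF0003:32A:161004USD99000,:59:/ACC111222333-}",
}

REF_RE = re.compile(r":20:([A-Z0-9]+)")


def write_store(store: Path) -> None:
    """Populate the local outbound message store with the constructed samples."""
    store.mkdir(parents=True, exist_ok=True)
    for name, body in SAMPLE_MESSAGES.items():
        (store / name).write_text(body)


def index_store(store: Path) -> dict[str, str]:
    """Map each message reference in the store to the SHA-256 of its bytes."""
    index: dict[str, str] = {}
    for path in sorted(store.glob("*.fin")):
        body = path.read_bytes()
        match = REF_RE.search(body.decode())
        if match:
            index[match.group(1)] = hashlib.sha256(body).hexdigest()
    return index


def record_ledger(store: Path) -> dict[str, str]:
    """Append-only ledger taken at write time. In a real deployment this record
    would be shipped off the SWIFT host (e.g. to a SIEM) as each message is
    written, so an attacker with local file access cannot rewrite history."""
    return index_store(store)


def suppress(store: Path, watch_strings: list[str]) -> list[str]:
    """Emulates the behaviour the article describes: any message whose text
    contains a watched string is moved out of the local store so the operator
    never sees it. Here that is a plain rename into a sibling directory."""
    hidden = store.parent / "hidden"
    hidden.mkdir(exist_ok=True)
    moved: list[str] = []
    for path in sorted(store.glob("*.fin")):
        if any(s in path.read_text() for s in watch_strings):
            path.rename(hidden / path.name)
            moved.append(path.name)
    return moved


def reconcile(store: Path, ledger: dict[str, str]) -> dict[str, list[str]]:
    """Compare the ledger with what is on disk now. Returns references that are
    missing (suppressed or deleted) and references whose content changed."""
    present = index_store(store)
    missing = sorted(ref for ref in ledger if ref not in present)
    tampered = sorted(ref for ref, digest in ledger.items()
                      if ref in present and present[ref] != digest)
    return {"missing": missing, "tampered": tampered}


def demo() -> dict[str, list[str]]:
    """Run the whole sequence in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "swift_out"
        write_store(store)
        ledger = record_ledger(store)        # taken before the attacker acts
        suppress(store, ["ACC111222333"])    # hypothetical watch list: hides two messages
        return reconcile(store, ledger)


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the ledger is written before anything downstream can act on the message and is held somewhere the compromised host cannot modify; a reconciliation job then turns a silently moved file into an alert naming the exact reference, which is what an operator needs to chase a missing payment with the counterparty.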
According to Symantec, to carry out this monitoring the hackers make use of a backdoor Trojan, also called Odinaff, which connects to a remote host and can download RC4-encrypted files and execute them. Alongside it, they use a range of lightweight hacking tools and legitimate software, including:
- Mimikatz, an open-source credential-dumping (password recovery) tool
- PsExec, a remote process execution tool from Sysinternals
- Netscan, a network scanning tool
- Ammyy Admin (Remacc.Ammyy) and Remote Manipulator System variants (Backdoor.Gussdoor)
- Runas, a Windows tool for running processes as another user.
It is unclear whether these attacks have succeeded in extracting any money at all. The targets of this kind of monitoring are mostly banks and other financial institutions, where the malware is spread through phishing emails.
"This is a shift from previous attacks that have been more focused on stealing from banking customers. After the success of the first SWIFT hack, it's unsurprising to see the headlines doing the rounds again and I'd be shocked if this is the last we see of it," Kevin Bocek, chief cybersecurity strategist at Venafi, told The Register.