
Hackers are using malicious emails disguised as important Swift messages to spread the cross-platform remote access trojan (RAT) Adwind. According to Comodo Group's Threat Research Lab, the spam messages claim to contain important information regarding a "wire bank transfer to your designated bank account" from the Swift network, the global banking industry's payments messaging system.

The phishing email prompts users to review an attached document to check the details and make sure there are no discrepancies regarding the transfer.

The seemingly secure document, however, actually contains the Adwind malware that is capable of exfiltrating data from the infected computer, modifying the system registry and more.

Comodo researchers note that using phony Swift emails is particularly effective given that money and bank account affairs often trigger an emotional response from people. Using such lures significantly raises the possibility of recipients falling for the malicious bait and clicking through, they noted.

"When it comes to an enterprise's financial accounts, the emotions rise even more," the researchers explained in a blog post published Wednesday (21 February). "If an employee receives an email, they will be afraid to not open it. What if they pass up something very important for the enterprise? Could they be punished for not looking into that email? Consequently, the chances that a potential victim will click on the infected file grow."

Once a computer is infected, the malware modifies the system registry, spawns several processes and checks for antivirus software and similar security tools in an attempt to kill their processes.

"Additionally, the malware checks for the presence of forensic, monitoring or anti-adware tools, then drops these malicious executable files and makes a connection with a domain in the hidden Tor network," researchers said.

"The malware also tries to disable the Windows restore option and turns off the User Account Control feature, which prevents installing a program without the actual user being aware."
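For defenders, the two changes described above (User Account Control switched off and Windows restore disabled) are visible as registry writes. The following is an added example, not code from Comodo or from the original article: it scans registry-write log lines for those changes and groups them by the process that made them. The log format, host names and file paths are constructed for illustration, and the registry value names are standard Windows settings rather than indicators from the report.

```python
import re
from collections import defaultdict

# Standard Windows policy values behind the two protections the article names.
# General Windows knowledge, not indicators taken from the Comodo report.
WATCHED = {
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua":
        (0, "UAC disabled"),
    r"hklm\software\policies\microsoft\windows nt\systemrestore\disablesr":
        (1, "System Restore disabled"),
    r"hklm\software\policies\microsoft\windows nt\systemrestore\disableconfig":
        (1, "System Restore settings locked"),
}

# Constructed (hypothetical) log format: one registry write per line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) image="(?P<image>[^"]+)" '
    r'target="(?P<target>[^"]+)" data=(?P<data>\S+)$')

# Constructed sample events; hosts, paths and timestamps are made up.
SAMPLE_LOG = r"""
2000-01-01T10:14:02Z host=FIN-WS-07 image="C:\Users\pat\AppData\Local\Temp\dropped.exe" target="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA" data=0x00000000
2000-01-01T10:14:03Z host=FIN-WS-07 image="C:\Users\pat\AppData\Local\Temp\dropped.exe" target="HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR" data=0x00000001
2000-01-01T11:30:40Z host=HR-WS-02 image="C:\Windows\System32\svchost.exe" target="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA" data=0x00000001
2000-01-01T11:31:00Z host=HR-WS-02 image="C:\Windows\regedit.exe" target="HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR" data=0x00000001
""".splitlines()

def find_tampering(lines):
    """Return {(host, image): [finding, ...]} for writes that switch a protection off."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        rule = WATCHED.get(m["target"].lower()) if m else None
        if rule is None:
            continue  # blank, malformed, or a registry value we do not watch
        bad_value, label = rule
        try:
            value = int(m["data"], 0)  # accepts 0x... and plain decimal
        except ValueError:
            continue
        key = (m["host"], m["image"])
        if value == bad_value and label not in findings[key]:
            findings[key].append(label)
    return {k: v for k, v in findings.items() if v}

def disabled_both(findings):
    """Processes that turned off both UAC and System Restore, the pairing described above."""
    return sorted(k for k, v in findings.items() if "UAC disabled" in v
                  and any(x.startswith("System Restore") for x in v))
```

A single process making both changes within a short window is a stronger signal than either write alone, since administrators and policy tooling occasionally set one of these values on their own.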

Comodo researchers believe the campaign is likely an attempt at spying or a strategic "reconnaissance" action. The threat actors behind the phishing scam are likely using this attack to spy on users, collect data from the targeted enterprise network and endpoints and "prepare for the second phase of the cyberattack" with additional malicious software.

"Having the precise information about the enterprise, these cyberattackers can even create malware specifically adjusted to the target environment to bypass all defensive mechanisms of the enterprise and hit the heart of the target," the researchers said.

The attack, which began on 9 February, appears to have been launched from IPs based in the Netherlands, Cyprus and Turkey. The hackers have also used the email address - the domain for which does not exist.

"As we see, cybercriminals more and more often use finance-related topics as a bait to make users download malware and infect an enterprise's network," Fatih Orhan, head of Comodo Threat Research Lab, said. "They combine technical and human patterns as an explosive combination for breaking down the door to let the malware in."