An ongoing targeted attack campaign against financial institutions demonstrates how older and well-trodden hacking methods still remain effective.
Since August, a group of attackers has used Java-based remote access Trojans, phishing emails, and zip-compressed attachments, hosting the malware on popular cloud services, to target employees at banks and other financial institutions, according to a report released this week by Menlo Security.
The attackers write their initial infectors in Java and Visual Basic, and customize versions of popular malware frameworks to steal account information, the company says.
"A lot of these attacks are stealing credit card information, they also steal accounts and steal money directly from the accounts," says Vinay Pidathala, director of research at Menlo Security, a Web security firm. "They can inject code directly into the pages to infect account holders, and they can put a keylogger, along with taking screenshots."
That these older tactics still work should not be a surprise; attackers keep using them precisely because they do. In 2017, for example, 93% of breaches had a phishing e-mail component, according to the 2018 Verizon Data Breach Investigations Report (DBIR). While only 4% of recipients clicked the malicious link in a phishing e-mail on average, a single click is enough to let the attacker in.
Menlo Security found in its research that 4,600 phishing sites use legitimate hosting services. In the latest campaign, the attackers used storage.googleapis.com to host their malicious payload.
"Attackers are increasingly using popular domains to host their attacks," Pidathala says. "It's an easy way around being blocked by security software, because these sites are on a known good list."
Rise of the jRATs
Another common technique is using Adobe Flash or Oracle's Java as an initial infector. While personal computers have gradually moved away from these ubiquitous runtimes, for malware writers the write-once-run-anywhere technology means a single file can run on Mac systems as well as Windows.
That capability has led to consistent efforts to infect systems with malware written in those languages. More than a year ago, security firms warned that Java-based remote access Trojans, or jRATs, were targeting business users with attachments that appeared to be communications from the Internal Revenue Service (IRS) or a purchase order, according to an April 2017 analysis by security firm Zscaler.
"The jRAT payload is capable of receiving commands from a C&C server, downloading and executing arbitrary payloads on the victim's machine," writes Zscaler security researcher Sameer Pail. "It also has the ability to spy on the victim by silently activating the camera and taking pictures."
Java-based RATs allow attackers to initiate an attack and download specific executables, depending on the operating system encountered. As Macs become an increasing part of the corporate world, such flexibility is key, experts say.
"More and more enterprises are using Macs, and with one JAR file you can design an attack that can infect both platforms," says Menlo Security's Pidathala. "Java is still installed on a significant number of computers around the world."
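The two delivery traits described above, a zip-compressed attachment carrying a Java or Visual Basic infector and a payload link on a legitimate hosting domain, are simple to check for at the mail gateway. The following triage script is an added example, not part of the Menlo Security report or the original article; the extension list, the sample message and the bucket path it builds are constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Archive members of the types this campaign used as initial infectors (Java, Visual Basic).
RISKY_EXTENSIONS = (".jar", ".vbs", ".vbe", ".js", ".jse", ".wsf")
# Legitimate hosting services seen abused for payload delivery; the article names this one.
ABUSED_HOSTS = ("storage.googleapis.com",)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"'<>]*")

def risky_zip_entries(data: bytes) -> list[str]:
    """Return archive member names whose extension matches a known infector type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(RISKY_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []  # not a zip at all; nothing to inspect here

def abused_hosting_urls(text: str) -> list[str]:
    """Return every URL in the text whose host is on the abused-hosting list."""
    return [m.group(0) for m in URL_RE.finditer(text) if m.group(1).lower() in ABUSED_HOSTS]

def triage_message(raw: bytes) -> dict:
    """Flag a raw RFC 822 message that carries a risky zip payload or an abused-hosting link."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {"zip_payloads": [], "abused_urls": []}
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        findings["abused_urls"] = abused_hosting_urls(body.get_content())
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or part.get_content_type() in ("application/zip", "application/x-zip-compressed"):
            for entry in risky_zip_entries(part.get_payload(decode=True)):
                findings["zip_payloads"].append(f"{name}:{entry}")
    findings["suspicious"] = bool(findings["zip_payloads"] or findings["abused_urls"])
    return findings

def build_sample_message() -> bytes:
    """Constructed lure: a zip with a placeholder .jar entry plus a link on an abused host."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0923.jar", b"placeholder bytes, not a real Java archive")
    m = EmailMessage()
    m["From"], m["To"] = "accounts@example.invalid", "treasury@bank.example"
    m["Subject"] = "Purchase order attached"
    m.set_content("Please review: https://storage.googleapis.com/example-bucket/po.zip")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice_0923.zip")
    return m.as_bytes()
```

In production the extension list and host list would be fed from threat intelligence rather than hard-coded, and a hit should route the message to sandbox detonation rather than block it outright, since these hosts also carry legitimate traffic.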
Old But Modified RATs
The attackers also used two well-known remote access Trojans, Houdini and qRAT. Both have a modular architecture, so attackers can customize their payloads and add capabilities by swapping in new modules.
Menlo Security's Pidathala argues that such RATs are more useful than automated botnets because attackers can easily tailor their attack to attempt to bypass the victim's defenses.
"It is a RAT, so it is very flexible because it is modular—it can do lateral movement, or it can do reconnaissance, just by updating its modules," he says. "Going forward, the concept of botnets, meaning malware that has automated functionality to steal specific things, will die down in favor of more malware that can be customized to the attackers' needs."