Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

12/19/2018
03:55 PM
50%
50%

Attack Campaign Targets Financial Firms Via Old But Reliable Tricks

Among other tried-and-true cyberattack methods, the attackers hosted malware on the Google Cloud Storage service domain storage.googleapis.com to mask their activity.

An ongoing targeted attack campaign against financial institutions demonstrates how older and well-trodden hacking methods still remain effective. 

Since August, a group of attackers have used Java-based remote access Trojans, phishing emails, and zip-compressed files - and hosted their malware on popular cloud services - to target employees at banks and other financial institutions, according to a report released this week by Menlo Security.

The attackers write their initial infectors in Java and Visual Basic, and customize versions of popular malware frameworks to steal account information, the company says.

"A lot of these attacks are stealing credit card information, they also steal accounts and steal money directly from the accounts," says Vinay Pidathala, director of research at Menlo Security, a Web security firm. "They can inject code directly into the pages to infect account holders, and they can put a keylogger, along with taking screenshots."

That these older tactics work should not be a surprise. Attackers still use these techniques because they work. In 2017, for example, 93% of breaches had a phishing e-mail component, according to the 2018 Verizon Data Breach Investigations Report (DBIR). While only 4% of recipients clicked the malicious link in a phishing e-mail on average, only a single person needs to let in the attacker.

Menlo Security found in its research that 4,600 phishing sites use legitimate hosting services. In the latest campaign, the attackers used storage.googleapis.com to host their malicious payload.

"Attackers are increasingly using popular domains to host their attacks," Pidathala says. "It's an easy way around being blocked by security software, because these sites are on a known good list."

Rise of the jRATs 

Another common technique is using Adobe Flash or Oracle's Java as an initial infector. While personal computers have tried to move away from these ubiquitous runtime agents, for malware writers the write-once-run-anywhere technology allows a single file can run on Mac systems as well as Windows. 

The capability has resulted in consistent efforts to infect systems using malware written in those languages. More than a year ago, security firms warned that Java-based remote access trojans, or jRATs, were targeting business users using attachments that appeared to be communications from the Internal Revenue Service (IRS) or a purchase order, according to an April 2017 analysis by security firm Zscaler. 

"The jRAT payload is capable of receiving commands from a C&C server, downloading and executing arbitrary payloads on the victim's machine," writes Zscaler security researcher Sameer Pail. "It also has the ability to spy on the victim by silently activating the camera and taking pictures."

Java-based RATs allow attackers to initiate an attack and download specific executables, depending on the operating system encountered. As Macs become an increasing part of the corporate world, such flexibility is key, experts say.

"More and more enterprises are using Macs, and with one JAR file you can design an attack that can infect both platforms," says Menlo Security's Pidathala. "Java is still installed on a significant number of computers around the world."

Old But Modified RATs

The attackers also used well-known remote access Trojans: Houdini and qRAT. Both are modular, so attackers are able to customize their payloads and add capabilities through a modular architecture. 

Menlo Security's Pidathala argues that such RATs are more useful than automated botnets because attackers can easily tailor their attack to attempt to bypass the victim's defenses.  

"It is a RAT, so it is very flexible because it is modular—it can do lateral movement, or it can do reconnaissance, just by updating its modules," he says. "Going forward, the concept of botnets, meaning malware that has automated functionality to steal specific things, will die down in favor of more malware that can be customized to the attackers' needs."

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/22/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Is Zero Trust the Best Answer to the COVID-19 Lockdown?
Dan Blum, Cybersecurity & Risk Management Strategist,  5/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13485
PUBLISHED: 2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist bypass via an X-Forwarded-For HTTP header.
CVE-2020-13486
PUBLISHED: 2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows malicious redirection.
CVE-2020-13482
PUBLISHED: 2020-05-25
EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.
CVE-2020-13458
PUBLISHED: 2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There are CSRF issues with the log-clear controller action.
CVE-2020-13459
PUBLISHED: 2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There is stored XSS in the Bulk Resize action.