Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

12/19/2018
03:55 PM
50%
50%

Attack Campaign Targets Financial Firms Via Old But Reliable Tricks

Among other tried-and-true cyberattack methods, the attackers hosted malware on the Google Cloud Storage service domain storage.googleapis.com to mask their activity.

An ongoing targeted attack campaign against financial institutions demonstrates how older and well-trodden hacking methods still remain effective. 

Since August, a group of attackers have used Java-based remote access Trojans, phishing emails, and zip-compressed files - and hosted their malware on popular cloud services - to target employees at banks and other financial institutions, according to a report released this week by Menlo Security.

The attackers write their initial infectors in Java and Visual Basic, and customize versions of popular malware frameworks to steal account information, the company says.

"A lot of these attacks are stealing credit card information, they also steal accounts and steal money directly from the accounts," says Vinay Pidathala, director of research at Menlo Security, a Web security firm. "They can inject code directly into the pages to infect account holders, and they can put a keylogger, along with taking screenshots."

That these older tactics work should not be a surprise. Attackers still use these techniques because they work. In 2017, for example, 93% of breaches had a phishing e-mail component, according to the 2018 Verizon Data Breach Investigations Report (DBIR). While only 4% of recipients clicked the malicious link in a phishing e-mail on average, only a single person needs to let in the attacker.

Menlo Security found in its research that 4,600 phishing sites use legitimate hosting services. In the latest campaign, the attackers used storage.googleapis.com to host their malicious payload.

"Attackers are increasingly using popular domains to host their attacks," Pidathala says. "It's an easy way around being blocked by security software, because these sites are on a known good list."

Rise of the jRATs 

Another common technique is using Adobe Flash or Oracle's Java as an initial infector. While personal computers have tried to move away from these ubiquitous runtime agents, for malware writers the write-once-run-anywhere technology allows a single file can run on Mac systems as well as Windows. 

The capability has resulted in consistent efforts to infect systems using malware written in those languages. More than a year ago, security firms warned that Java-based remote access trojans, or jRATs, were targeting business users using attachments that appeared to be communications from the Internal Revenue Service (IRS) or a purchase order, according to an April 2017 analysis by security firm Zscaler. 

"The jRAT payload is capable of receiving commands from a C&C server, downloading and executing arbitrary payloads on the victim's machine," writes Zscaler security researcher Sameer Pail. "It also has the ability to spy on the victim by silently activating the camera and taking pictures."

Java-based RATs allow attackers to initiate an attack and download specific executables, depending on the operating system encountered. As Macs become an increasing part of the corporate world, such flexibility is key, experts say.

"More and more enterprises are using Macs, and with one JAR file you can design an attack that can infect both platforms," says Menlo Security's Pidathala. "Java is still installed on a significant number of computers around the world."

Old But Modified RATs

The attackers also used well-known remote access Trojans: Houdini and qRAT. Both are modular, so attackers are able to customize their payloads and add capabilities through a modular architecture. 

Menlo Security's Pidathala argues that such RATs are more useful than automated botnets because attackers can easily tailor their attack to attempt to bypass the victim's defenses.  

"It is a RAT, so it is very flexible because it is modular—it can do lateral movement, or it can do reconnaissance, just by updating its modules," he says. "Going forward, the concept of botnets, meaning malware that has automated functionality to steal specific things, will die down in favor of more malware that can be customized to the attackers' needs."

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3414
PUBLISHED: 2019-07-22
All versions up to V1.19.20.02 of ZTE OTCP product are impacted by XSS vulnerability. Due to XSS, when an attacker invokes the security management to obtain the resources of the specified operation code owned by a user, the malicious script code could be transmitted in the parameter. If the front en...
CVE-2019-10102
PUBLISHED: 2019-07-22
tcpdump.org tcpdump 4.9.2 is affected by: CWE-126: Buffer Over-read. The impact is: May expose Saved Frame Pointer, Return Address etc. on stack. The component is: line 234: "ND_PRINT((ndo, "%s", buf));", in function named "print_prefix", in "print-hncp.c". Th...
CVE-2019-10102
PUBLISHED: 2019-07-22
aubio 0.4.8 and earlier is affected by: null pointer. The impact is: crash. The component is: filterbank. The attack vector is: pass invalid arguments to new_aubio_filterbank. The fixed version is: after commit eda95c9c22b4f0b466ae94c4708765eaae6e709e.
CVE-2019-10102
PUBLISHED: 2019-07-22
aubio 0.4.8 and earlier is affected by: Buffer Overflow. The impact is: buffer overflow in strcpy. The component is: tempo. The fixed version is: after commit b1559f4c9ce2b304d8d27ffdc7128b6795ca82e5.
CVE-2019-10102
PUBLISHED: 2019-07-22
aubio 0.4.8 and earlier is affected by: null pointer. The impact is: crash (DoS). The component is: onset. The fixed version is: after commit e4e0861cffbc8d3a53dcd18f9ae85797690d67c7.