A previously undocumented Trojan dubbed Odinaff has been spotted attacking banks and other financial targets worldwide. Odinaff attacks include the manipulation of SWIFT logs and the extensive use of hack tools.
According to Symantec, Odinaff shares a number of links with Carbanak, which is also known for attacking banks and believed to have stolen hundreds of millions in recent years. Specifically, it’s typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. Odinaff attacks also use some infrastructure that was previously used in Carbanak campaigns.
Once Odinaff is installed, custom malware tools, purpose-built for stealthy communications (including one dubbed Batel), network discovery, credential stealing and monitoring of employee activity are deployed.
Symantec has found evidence that the Odinaff group has mounted attacks on SWIFT users, using malware to hide customers’ own records of SWIFT messages relating to fraudulent transactions. The tools used are designed to monitor customers’ local message logs for keywords relating to certain transactions. They will then move these logs out of customers’ local SWIFT software environment. We have no indication that SWIFT network was itself compromised.
“These attacks require a large amount of hands-on involvement, with methodical deployment of a range of lightweight back-doors and purpose-built tools onto computers of specific interest,” Symantec explained, in a blog. “There appears to be a heavy investment in the coordination, development, deployment and operation of these tools during the attacks.”
Attacks involving Odinaff began in January 2016. The attacks have hit banking, securities, trading and payroll sectors in a wide range of regions, with the US the most frequently targeted. It was followed by Hong Kong, Australia, the UK and Ukraine.
One of the most common methods of attack for Odinaff is through lure documents containing a malicious macro. If the recipient opts to enable macros, the macro will install the Odinaff Trojan on the computer. Another attack involves the use of password-protected RAR archives, in order to lure the victims into installing Odinaff on their computers—spear-phishing emails are the most likely method. Odinaff has also been seen to be distributed through botnets.
“The discovery of Odinaff indicates that banks are at a growing risk of attack,” Symantec noted. “Over the past number of years, cybercriminals have begun to display a deep understanding of the internal financial systems used by banks. They have learned that banks employ a diverse range of systems and have invested time in finding out how they work and how employees operate them. When coupled with the high level of technical expertise available to some groups, these groups now pose a significant threat to any organization they target.”
Photo © Aistov Alexey