Upgrade Magazine


Financial malware more than twice as prevalent as ransomware – Symantec

Three Trojans dominated the financial threat landscape in 2016 and attackers increased their focus on corporate finance departments.

Symantec has stressed that even with all the attention ransomware is getting, it’s still easy to overlook other threats, such as those that target the financial sector and its customers. For the company, these types of threats are “a serious and costly problem for both businesses and consumers.”


With over 1.2 million annual detections, the financial threat space is 2.5 times bigger than that of ransomware. For instance, the financial Trojan Ramnit (W32.Ramnit) alone recorded approximately as many detections in 2016 as all ransomware families combined.

There was a 36% decrease in global detection numbers for financial malware in 2016, which can be mainly attributed to earlier blocking in the attack chain and a switch to more focused attacks. But for Symantec, “financial threats are still profitable and therefore continue to be popular among cyber criminals.”

According to the company, three malware families ruled the financial threat space in 2016: Ramnit, Bebloh (Trojan.Bebloh), and Zeus (Trojan.Zbot), together responsible for 86% of all global detection counts.

The most notable spike was in the second half of 2016 when Trojan.Bebloh and Trojan.Snifula both began heavily focusing on 20 banks in Japan. Both threats were spread through spam emails with double extension attachments masquerading as scanned documents—earlier variants used web exploit toolkits. It is unclear why the two threats both started targeting banks in Japan at the same time; however, they seem to share a common resource for dynamic web injects, allowing attackers to manipulate web traffic on the fly.

After the dismantling of the Avalanche malware-hosting network, which was used by Bebloh, at the end of 2016, there was a sharp drop in Bebloh activity. After the arrest of the alleged author behind Trojan.Snifula in January 2017, Symantec claimed it saw a drop in detections of Snifula as well. Both of these events led to a decrease in detection numbers: Bebloh dropped by 66 percent from December 2016 to March 2017, and Snifula numbers dropped by 83 percent in the same time frame. Now these threats appear to have almost vanished.

Globally, financial institutions in the US were targeted the most by the samples analyzed by Symantec, followed by Poland and Japan. However, there are more threats hiding the configuration file from researchers, making it more difficult to generate statistics. For example, a BlackMoon (Infostealer.Boyapki.E) variant only stores the SHA1 hash of the URL, making it difficult to find out all monitored URLs.
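To illustrate why a configuration that stores only hashes hinders analysis, the following added example (not from the article or from Symantec, and not based on any real BlackMoon sample) shows the analyst-side workaround: hash a candidate list of bank URLs, in a few common normalizations, and match the digests against the extracted configuration. Entries whose plaintext is not in the candidate list stay unknown, which is exactly the gap the article describes. All URLs, hashes and function names here are constructed for the example.

```python
"""Added example: recovering monitored URLs from a SHA-1-only config by
candidate matching. Everything below is constructed; no real sample data."""
import hashlib
from urllib.parse import urlparse


def sha1_hex(text: str) -> str:
    """SHA-1 digest of a UTF-8 string as lowercase hex."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def url_variants(url: str):
    """Yield the forms a target list might plausibly have been hashed in:
    the full URL, the bare host, and host plus path with/without trailing slash.
    Which normalization a given family uses is an assumption an analyst must test."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    path = parsed.path or "/"
    yield url
    yield host
    yield host + path
    yield host + path.rstrip("/")


# Constructed candidate list (hypothetical .test domains, not real banks).
CANDIDATE_URLS = [
    "https://online.examplebank.test/login",
    "https://secure.samplecredit.test/",
    "https://banking.demo-institution.test/auth",
]

# Constructed stand-in for a config extracted from a sample that stores only
# digests: two entries correspond to candidates, one is an unknown target
# (an all-zero placeholder hash, not a real digest).
EXTRACTED_CONFIG_HASHES = {
    sha1_hex("https://online.examplebank.test/login"),
    sha1_hex("https://banking.demo-institution.test/auth"),
    "0" * 40,
}


def match_hashed_config(config_hashes, candidates):
    """Return (matched, unmatched): matched maps digest -> recovered URL,
    unmatched holds digests no candidate variant reproduced."""
    lookup = {}
    for url in candidates:
        for variant in url_variants(url):
            lookup.setdefault(sha1_hex(variant), url)
    matched = {h: lookup[h] for h in config_hashes if h in lookup}
    unmatched = set(config_hashes) - set(matched)
    return matched, unmatched


if __name__ == "__main__":
    found, unknown = match_hashed_config(EXTRACTED_CONFIG_HASHES, CANDIDATE_URLS)
    for digest, url in sorted(found.items()):
        print(f"{digest}  ->  {url}")
    print(f"{len(unknown)} config entry/entries could not be attributed to a candidate")
```

The candidate list is the limiting factor: coverage statistics can only be as complete as the analyst's list of institutions and URL spellings, which is why hashed configurations make per-country targeting numbers harder to produce than configs that carry plaintext URLs.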

Another observed trend is the move to redirection attacks instead of local injects. This involves the whole page being redirected to a remote site, with the traffic replacement and defrauding happening on a remote server. Symantec claimed it also noticed an increase in old-school DNS redirection attacks.

The attackers are also interested in learning more about their victims. The Dridex downloader (W32.Cridex), for example, now checks the installed software list for financial software packages. If anything interesting is found, like an offline payment tool, then the computer will be accessed manually through a remote access tool such as a hidden virtual network computing (VNC) server. The attacker will then study the compromised computer and learn what software is used and work out possible ways to carry out fraudulent transactions.

Other threats will wait until the end of the month, when many businesses make bulk transactions, and add their own fraudulent transaction or modify existing ones. This behavior is increasing as it clearly pays off.

On average, 38 percent of the financial threats were detected in business locations over the course of 2016. Most of these infection attempts are not targeted and are due to widespread email campaigns. However, as noted earlier, some of the compromised computers may be flagged by the attackers as interesting and receive special manual treatment from them.

The attackers’ ultimate goal is to generate larger profits. This has led to more attacks against banks and financial institutions themselves instead of their retail customers. This trend peaked in 2016 with multiple widely discussed high-value heists against institutions connected to the SWIFT network, resulting in the loss of millions of dollars to cybercrime groups and nation-state supported attackers such as the Lazarus group.

As long as it remains profitable, Symantec said that it expects financial threats to continue being a problem for banking customers in the future, though “attackers will also likely increase their focus on corporate finance departments.”

As IT protection measures improve, the company expects attackers to increase their reliance on social engineering. Cyber criminals behind financial threats will also start focusing on other geographical locations, which may not be as well protected from financial threats as current targeted regions.

Symantec has a strategy that protects against malware, including financial threats, in three stages:

Prevent: Block the incursion or infection and prevent the damage from occurring

Contain: Limit the spread of an attack in the event of a successful infection

Respond: Have an incident response process, learn from the attack, and improve defenses

In addition, users should adhere to the following advice to reduce the risk of cyber attacks:

  • Exercise caution when conducting online banking sessions, in particular if the behavior or appearance of your bank’s website changes
  • Notify your financial institution of any strange behavior while using their services
  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails
  • Keep security software and operating systems up to date
  • Enable advanced account security features, like 2FA and login notification, if available
  • Use strong passwords for all your accounts
  • Always log out of your session when done
  • Monitor bank statements regularly
  • Be wary of Microsoft Office attachments that prompt users to enable macros