Bankshot Trojan Targets Turkish Financial SectorAttack Campaign Exploits Flash Flaw, Likely Extends to Other Countries, McAfee Warns
A zero-day flaw in Adobe Flash, recently patched, has been targeted by attackers as part of an apparent attempt to hack into financial services firms in Turkey and beyond, security firm McAfee warns.
"We have found what may be an early data-gathering stage for future possible heists from financial organizations in Turkey - and possibly other countries," McAfee malware researcher Ryan Sherstobitoff writes in a Thursday blog post. "In this campaign, we see the adoption of a recent zero-day Adobe Flash vulnerability to get the implant onto the victim's systems."
The malware seen in the attacks is called Bankshot, aka Trojan Manuscript, and has been seen in previous attacks that appear to tie to a group of hackers referred to as Hidden Cobra, Lazarus Group, Reaper and Group 123 that may be linked to the government of North Korea.
The Flash flaw targeted by the malware, designated CVE-2018-4878, was the subject of a Jan. 31 alert from South Korea's Korea Internet & Security Agency, which warned that the flaw was being exploited in the wild.
On Feb. 1, Adobe confirmed that the flaw, a use-after-free vulnerability, existed in Flash Player 18.104.22.168 and earlier and could be exploited to take remote control of a Windows, Macintosh, Linux or Chrome OS system. Adobe released a patch for the problem in the form of a Feb. 6 Flash update (see Flash Hack: Adobe Updates Plug-in After Zero-Day Attacks).
Targeted: Unpatched Flash
But in an attack campaign that appears to have been launched later that month, attackers were still attempting to target the flaw. "The campaign has a high chance of success against victims who have an unpatched version of Flash. Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal," Sherstobitoff says, noting that McAfee first discovered this attack on Feb. 28.
Raj Samani, chief scientist at McAfee, says the Turkish targets appear to be part of a broader campaign designed to give hackers access to financial services firms' systems in multiple countries.
"While we can't definitively establish motivations, it's likely these attacks are part of an ongoing effort on the part of the attackers to compromise major financial institutions, surveil their operations, establish functions of their processes and ultimately compromise funds," Samani tells Information Security Media Group.
"We have found what may be an early data-gathering stage for future possible heists from financial organizations in Turkey. In this campaign, we see the adoption of a recent zero-day Adobe Flash vulnerability to get the implant onto the victim's systems" https://t.co/fFvk7Ddouw— Raj Samani (@Raj_Samani) March 9, 2018
"There are early indications which suggest other financial organizations outside of Turkey have been targeted as well," Samani says. "McAfee is still investigating and will share updates as available."
In a clue as to the potentially widespread nature of this attack campaign, McAfee says it's also found two more documents, written in Korean, that exploit the same vulnerability and communicate with falcancoin.io to download and install Bankshot. These documents appear to be part of the same campaign, the security firm says.
DHS Alert: Hidden Cobra
The Bankshot collection of malware was the focus of a "Hidden Cobra - North Korean Malicious Cyber Activity" security alert issued by the U.S. Department of Homeland Security on Dec. 13, 2017. It analyzes seven Bankshot malware variants.
"Working with U.S. government partners, DHS and FBI identified Trojan malware variants used by the North Korean government - referred to by the U.S. government as Bankshot. The U.S. government refers to malicious cyber activity by the North Korean government as Hidden Cobra," the alert reads. "FBI has high confidence that Hidden Cobra actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation."
In November, DHS warned that Hidden Cobra was targeting the financial services, aerospace and telecommunications sectors (see US-CERT: North Korean Hackers Targeting Three Sectors).
McAfee says Bankshot is a remote access Trojan, or RAT, that can also be used to wipe files and systems, which could be used to hide evidence of the attack or simply to cause destruction.
"FBI has high confidence that Hidden Cobra actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation."
McAfee says the version of Bankshot it recovered from a Feb. 28 attack shares 99 percent of its code with Bankshot variants seen in 2017. "Based on the code similarity, the victim's business sector, and the presence of control server strings, this attack resembles previous attacks by Hidden Cobra conducted against the global financial network SWIFT," Sherstobitoff says.
Bankshot: Attack Techniques
The latest version of the Bankshot implant was "attached to a malicious Word document with the filename Agreement.docx" which "appears to be an agreement template for bitcoin distribution between an unknown individual in Paris and a to-be-determined cryptocurrency exchange," Sherstobitoff says. The document was created on Feb. 26 and submitted from the Netherlands. "The document contains an embedded Flash script that exploits CVE-2018-4878 and downloads and executes the DLL implant from falcancoin.io."
Sherstobitoff says the domain name appears to be an attempt to look like Falcon Coin, a cryptocurrency-lending platform. He adds that the legitimate platform is not associated with falancoin.io, which was first registered on Dec. 27, 2017, and most recently updated on Feb. 19, just a few days before the attack campaign appears to have begun.
Lazarus Group Hits Continue
The Lazarus Group has been tied to numerous bank heists, including the 2016 theft of $81 million from the central bank of Bangladesh's account at the Federal Reserve Bank of New York, perpetrated via fraudulent SWIFT interbank money-moving messages. More recently, it's been tied to last year's WannaCry outbreak (see British Security Services Tie North Korea to WannaCry).
In recent months, security experts say the group has retooled to target cryptocurrency exchanges and aficionados (see Cryptocurrency Theft: Hackers Repurpose Old Tricks).