Thursday, July 21, 2022

Threat-landscape of Financial attacks

Financial institutions have been a traditional target for all kinds of attacks. We wanted to understand what kind of malware families have been used against them in recent cases and track their evolution. It is not easy, though, having details on artifacts used in such attacks. 

Our approach was cross-checking OSINT data related to attacks targeting financial institutions with VirusTotal intelligence to shed some light on how these threats are evolving during 2022. We want to share some of the most interesting findings as well as providing some ideas on how you can use VirusTotal to track these attacks by yourself. 

You can also check our recorded webinar here


Top malware families

Starting from the collection of OSINT-obtained malware families used in attacks against financial institutions, we checked every family’s prevalence in VirusTotal based on the number of submissions in 2022. Submissions are an interesting metric to understand how spread a malware family is:

It is worth noting that some of these “malware families” might be legitimate artifacts used by attackers, typically for lateral movement as part of their TTPs or preferred toolset.

Indeed, Remcos (also known as RemcosRAT) is a commercial product offered as a legitimate Remote Control utility which has been part of  attackers’ toolsets since (at least) 2017. Some other top 15 malware families are deployed as part of the Golden Chicken malware as a service (MaaS): TerraRecon, Terra Loader, Terra Preter, TerraStealer, TerraTV and more_eggs. These have been used by multiple threat actors, mainly in targeted attacks against the financial sector. However, this can also be biased based on the OSINT publications used for this analysis. 

Back to RemcosRAT, it can be frequently seen deployed in combination with an exploit [1,2,3]. To monitor fresh RemcosRAT samples linked with exploits, you can use the following query in VirusTotal Intelligence:

When presented with a collection of samples after a search like the previous one, it is interesting to use the Commonalities Tool to find how many of these samples share characteristics such as vhash, contacted urls, domains and ip addresses. They also drop similar files and all samples use only 4 different compilation timestamps. Most likely, all of them are either part of the same campaign or part of a toolset/infrastructure heavily reused in different attacks.  

Another idea is selecting the samples we are interested in and displaying them in VT Graph, which helps visualizing relationships, filtering them out and selecting additional IOCs.

In this example let’s say we are only interested in malicious domains, URLs and IP addresses contacted by these samples, which we can filter out using the right panel.

To obtain the list of IOCs we can right click and select "Download nodes''. 

Adversaries and exploits

Based on the OSINT events we used for this research, we analyzed the number of lookups per adversary, with Lazarus group leading this ranking as (allegedly) responsible for 6 of the top top10 most searched financial-related malware families in 2022.

In terms of most frequently abused vulnerabilities, top five were published last year and are used for escalation of privileges, authentication bypassing and remote code execution: CVE-2021-41379, CVE-2021-28799, CVE-2021-40539, CVE-2021-44077 and CVE-2021-22941.

Actually, we could easily monitor fresh samples submitted to VirusTotal exploiting these vulnerabilities like this:

(tag:CVE-2021-41379 or tag:CVE-2021-28799 or tag:CVE-2021-40539 or tag:CVE-2021-44077 or tag:CVE-2021-22941) fs:2022-01-01+


Collections

Collections is a recently added feature in VirusTotal that can be really useful to monitor malware used in financial attacks. 

For instance, we can search for collections containing the "banker" string by using the following search query in VirusTotal Intelligence:
entity:collection banker

There are some search modifiers that can be used to list only files, urls, ip addresses or domains found in a collection: 
entity:file collection:threatfox_win_dridex
entity:url collection:threatfox_win_dridex
entity:ip collection:threatfox_win_dridex
entity:domain collection:threatfox_win_dridex

If we want to filter out based on who created the collection, we can use the "owner" search modifier:
entity:collection banker owner:Malpedia

Collections can also include targeted industries, which can be also specified in our query:
entity:collection targeted_industry:financial

Antivirus verdicts

Previously in this research we used IOCs known to have been used in attacks against financial institutions. From there we can find verdicts for the most used families and get additional samples. 

However it is also interesting to search for generic verdicts generally related to financial attacks. One example would be searching for the "banker" string, traditionally used by the AntiVirus industry to label malware involved in financial fraud, usually against banks’ customers. 

In this scenario we found that 59% of these “banking” samples also contained the string "ransom" in at least two distinct antivirus verdicts. During the two first months of 2022 we observed an increase in the number of lookups for “banking” samples. 

When checking top domains used for distributing “banking” samples in-the-wild during 2022, we find “discord” at the top of the list. The abuse of discord for malware distribution is something we already saw in our “2021 Malware Trends Report”. 

Regarding the use of exploits, it is easy to monitor “banker” malware exploiting recent vulnerabilities with a query as follows (note we exclude formats typically used to upload malware batches to VirusTotal):
engines:banker tag:cve-202* and not (type:zip or type:rar or type:7zip)

If we want to continuously monitor this activity, we can very easily translate this query into a Livehunt rule. This way we will get a notification for every new file uploaded to Virustotal that matches our search criteria:

import "vt"
rule banking_exploits {
meta:
author = "VirusTotal"
description = "This is a livehunt rule to continuously monitor banking samples implementing any exploit, excluding file formats used to VT batch uploads"
creation_date = "June 2022"
condition:
vt.metadata.new_file and
        for any engine, signature in vt.metadata.signatures : ( 
signature contains "banker" 
  ) 
  and
        for any tag in vt.metadata.tags : (
tag contains "cve-202" 
 ) 
 and 
        not (vt.metadata.file_type == vt.FileType.ZIP or
      vt.metadata.file_type == vt.FileType.RAR or
      vt.metadata.file_type == vt.FileType.SEVENZIP)
}

Conclusions

Defining financial threats is a complicated task, especially when many targeted attacks and actors consistently share TTPs and toolsets. The use of OSINT is a starting point to identify some malware families uniquely being used in these attacks, as well as double checking which additional generic tools are commonly seen for lateral movement.

The good news is that we can monitor all of the above to understand how attackers’ toolsets evolve and be ready for them. The fact that many attackers repeat and reuse the same malware families should also be an advantage in readiness. Finally, keeping an eye both on exploits being used and infrastructure for malware distribution is definitely something useful to avoid infection and malware distribution.

We hope the queries and examples provided in this post will help you monitor suspicious activity and understand how attackers evolve. As always, we are happy to hear from you additional ideas we can share with the community to detect and protect against cyberthreats.

Happy hunting !