Financial institutions have long been a target for all kinds of attacks. We wanted to understand which malware families have been used against them in recent cases and track their evolution. Getting details on the artifacts used in such attacks is not easy, though.
Our approach was to cross-check OSINT data related to attacks targeting financial institutions with VirusTotal intelligence to shed some light on how these threats are evolving during 2022. We want to share some of the most interesting findings, as well as provide some ideas on how you can use VirusTotal to track these attacks yourself.
You can also check our recorded webinar here.
Top malware families
Indeed, Remcos (also known as RemcosRAT) is a commercial product offered as a legitimate Remote Control utility which has been part of attackers’ toolsets since (at least) 2017. Some other top 15 malware families are deployed as part of the Golden Chicken malware as a service (MaaS): TerraRecon, Terra Loader, Terra Preter, TerraStealer, TerraTV and more_eggs. These have been used by multiple threat actors, mainly in targeted attacks against the financial sector. However, this can also be biased based on the OSINT publications used for this analysis.
Back to RemcosRAT, it can be frequently seen deployed in combination with an exploit [1,2,3]. To monitor fresh RemcosRAT samples linked with exploits, you can use the following query in VirusTotal Intelligence:
Another idea is to select the samples we are interested in and display them in VT Graph, which helps visualize relationships, filter them and select additional IOCs.
In this example, let's say we are only interested in malicious domains, URLs and IP addresses contacted by these samples, which we can select using the filters in the right panel.
To obtain the list of IOCs, we can right-click and select "Download nodes".
Adversaries and exploits
Based on the OSINT events we used for this research, we analyzed the number of lookups per adversary, with Lazarus group leading this ranking as (allegedly) responsible for 6 of the top 10 most searched financial-related malware families in 2022.
In terms of the most frequently abused vulnerabilities, the top five were published last year and are used for privilege escalation, authentication bypass and remote code execution: CVE-2021-41379, CVE-2021-28799, CVE-2021-40539, CVE-2021-44077 and CVE-2021-22941.
Actually, we could easily monitor fresh samples submitted to VirusTotal exploiting these vulnerabilities like this:
Collections
entity:collection banker
entity:file collection:threatfox_win_dridex
entity:url collection:threatfox_win_dridex
entity:ip collection:threatfox_win_dridex
entity:domain collection:threatfox_win_dridex
entity:collection banker owner:Malpedia
entity:collection targeted_industry:financial
Antivirus verdicts
Previously in this research we used IOCs known to have been used in attacks against financial institutions. From there we can find verdicts for the most used families and get additional samples.
However, it is also interesting to search for generic verdicts generally related to financial attacks. One example would be searching for the "banker" string, traditionally used by the antivirus industry to label malware involved in financial fraud, usually against banks’ customers.
In this scenario we found that 59% of these “banking” samples also contained the string "ransom" in at least two distinct antivirus verdicts. During the first two months of 2022 we observed an increase in the number of lookups for “banking” samples.
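The overlap measurement described above can be reproduced on your own sample set. The following Python is an added example, not code from the original post; it assumes verdicts shaped like the `last_analysis_results` attribute of a VirusTotal API v3 file object, matches strings case-insensitively, and uses constructed sample names, engine names and verdict strings.

```python
# Constructed data: sample id -> {engine name -> {"category", "result"}}.
# All names and verdict strings below are made up for illustration.
SAMPLES = {
    "sample-a": {  # banker, and "ransom" reported by two distinct engines
        "EngineOne": {"category": "malicious", "result": "Trojan.Banker.Win32.Agent"},
        "EngineTwo": {"category": "malicious", "result": "Ransom:Win32/Generic"},
        "EngineThree": {"category": "malicious", "result": "Trojan-Ransom.Win32.Gen"},
        "EngineFour": {"category": "undetected", "result": None},
    },
    "sample-b": {  # banker, but "ransom" reported by one engine only
        "EngineOne": {"category": "malicious", "result": "TrojanBanker.Dridex"},
        "EngineTwo": {"category": "malicious", "result": "Ransom.Generic"},
        "EngineThree": {"category": "undetected", "result": None},
    },
    "sample-c": {  # banker only
        "EngineOne": {"category": "malicious", "result": "W32/Banker.ABC"},
        "EngineTwo": {"category": "malicious", "result": "Trojan.Generic"},
    },
    "sample-d": {  # no "banker" verdict: excluded from the denominator
        "EngineOne": {"category": "malicious", "result": "Ransom.Locker"},
        "EngineTwo": {"category": "malicious", "result": "Ransom.Locker.B"},
    },
}


def engines_matching(results, needle):
    """Return the set of engines whose verdict string contains `needle`."""
    needle = needle.lower()
    return {
        engine
        for engine, verdict in results.items()
        # Engines that did not detect the file report result=None.
        if needle in (verdict.get("result") or "").lower()
    }


def banker_ransom_overlap(samples, min_engines=2):
    """Among samples with a "banker" verdict, list those where at least
    `min_engines` distinct engines also report "ransom"."""
    bankers = {s: r for s, r in samples.items() if engines_matching(r, "banker")}
    overlap = sorted(
        s for s, r in bankers.items()
        if len(engines_matching(r, "ransom")) >= min_engines
    )
    share = len(overlap) / len(bankers) if bankers else 0.0
    return overlap, len(bankers), share
```

Counting distinct engines rather than verdict strings keeps a single vendor's noisy label from inflating the overlap.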
When checking the top domains used for distributing “banking” samples in-the-wild during 2022, we find “discord” at the top of the list. The abuse of Discord for malware distribution is something we already saw in our “2021 Malware Trends Report”.
engines:banker tag:cve-202* and not (type:zip or type:rar or type:7zip)
import "vt"

rule banking_exploits {
    meta:
        author = "VirusTotal"
        description = "This is a livehunt rule to continuously monitor banking samples implementing any exploit, excluding file formats used for VT batch uploads"
        creation_date = "June 2022"
    condition:
        // only files seen by VirusTotal for the first time
        vt.metadata.new_file and
        // at least one antivirus verdict contains "banker"
        for any engine, signature in vt.metadata.signatures : (
            signature contains "banker"
        )
        and
        // the sample is tagged with a CVE identifier starting with cve-202
        for any tag in vt.metadata.tags : (
            tag contains "cve-202"
        )
        and
        // skip archive formats
        not (vt.metadata.file_type == vt.FileType.ZIP or
             vt.metadata.file_type == vt.FileType.RAR or
             vt.metadata.file_type == vt.FileType.SEVENZIP)
}
Conclusions
Defining financial threats is a complicated task, especially when many targeted attacks and actors consistently share TTPs and toolsets. The use of OSINT is a starting point to identify some malware families uniquely being used in these attacks, as well as double checking which additional generic tools are commonly seen for lateral movement.
The good news is that we can monitor all of the above to understand how attackers’ toolsets evolve and be ready for them. The fact that many attackers repeat and reuse the same malware families should also be an advantage in readiness. Finally, keeping an eye both on exploits being used and infrastructure for malware distribution is definitely something useful to avoid infection and malware distribution.
We hope the queries and examples provided in this post will help you monitor suspicious activity and understand how attackers evolve. As always, we are happy to hear any additional ideas from you that we can share with the community to detect and protect against cyberthreats.
Happy hunting!