Do you use SWIFT financial messaging services? Millions of people around the world do. This system connects more than 11,000 banking and security organizations, market infrastructures and corporate customers in more than 200 countries and territories. Cybercriminals are using it too, but in special, devious ways. Recently, experts from Comodo Threat Research Lab discovered this new sophisticated attack, where the perpetrators used SWIFT to camouflage the malware penetration into multiple enterprises’ networks.
This email was dropped in the enterprises’ inboxes:
As you can see, it informs the recipient about a SWIFT message on a “wire bank transfer to your designated bank account” and recommends getting the details from the attachment.
In reality, as Comodo Threat Research Lab analysts discovered, “swift message” is nothing but malware — Trojan.JAVA.AdwindRAT. Once it has penetrated a user’s system, it modifies the registry, spawns many processes, checks for an antivirus installation and tries to kill its process. Additionally, the malware checks for the presence of forensic, monitoring or anti-adware tools, then drops these malicious executable files and makes a connection with a domain in the hidden Tor network. The malware also tries to disable the Windows restore option and turns off the User Account Control feature, which prevents installing a program without the actual user being aware.
What is the purpose of these malware attacks? Most likely, it’s an attempt at spying or a “reconnaissance” action, Comodo Threat Research Lab experts say. The attackers send their “cyberspy” to collect information about the attacked enterprise network and endpoints, thus preparing for the second phase of the cyberattack with additional types of malware. Having the precise information about the enterprise, these cyberattackers can even create malware specifically adjusted to the target environment to bypass all defensive mechanisms of the enterprise and hit the heart of the target.
What is even more interesting is the social engineering aspect of this attack. As experts from the lab have found out, a few recent phishing email attacks also used fake SWIFT messages as camouflage.
One may ask, so why do cybercriminals choose SWIFT for camouflaging?
The reason is rooted in the human psychology behind this. First, when it comes to money and especially banks’ account affairs, every person feels emotional arousal. By contrast, any emotional arousal causes critical thinking reduction—and the chances that the target will click on the malicious bait rises significantly. When it comes to an enterprise’s financial accounts, the emotions rise even more. If an employee receives an email, they will be afraid to not open it. What if they pass up something very important for the enterprise? Could they be punished for not looking into that email? Consequently, the chances that a potential victim will click on the infected file grow.
Here is the heat map and IPs used in this attack.
As you can see, the cybercriminals provided the attack from The Netherlands, Cyprus and Turkey-based IPs. The attackers used the email JoeH@snovalleyprocess.com in which the domain does not actually exist. The attack started on Feb. 9 at 00:00 UTC and ended at 08:56 UTC.
“As we see, cybercriminals more and more often use finance-related topics as a bait to make users download malware and infect an enterprise’s network,” said Fatih Orhan, head of Comodo Threat Research Lab. “They combine technical and human patterns as an explosive combination for breaking down the door to let the malware in. But it only works if the company has been careless about the right defense of that door. Enterprises under Comodo protection have not suffered because the malicious ‘SWIFT message’ was stopped by Comodo’s antispam filters and then recognized and neutralized by experts from Comodo Threat Research Lab.”
Live secure with Comodo!TEST YOUR EMAIL SECURITY