Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016. The attackers used compromised websites or “watering holes” to infect pre-selected targets with previously unknown malware. There has been no evidence found yet that funds have been stolen from any infected banks.
The attacks came to light when a bank in Poland discovered previously unknown malware running on a number of its computers. The bank then shared indicators of compromise (IOCs) with other institutions and a number of other institutions confirmed that they too had been compromised.
As reported, the source of the attack appears to have been the website of the Polish financial regulator. The attackers compromised the website to redirect visitors to an exploit kit which attempted to install malware on selected targets.
Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland.
Custom exploit kit
The attackers appear to be using compromised websites to redirect visitors to a customized exploit kit, which is preconfigured to only infect visitors from approximately 150 different IP addresses. These IP addresses belong to 104 different organizations located in 31 different countries. The vast majority of these organizations are banks, with a small number of telecoms and internet firms also on the list.
Figure 1. Countries in which three or more organizations were targeted by attackers
Links to Lazarus?
The malware used in the attacks (Downloader.Ratankba) was previously unidentified, although it was detected by Symantec under generic detection signatures, which are designed to block any files seen to engage in malicious activities.
Analysis of the malware is still underway. Some code strings seen in the malware used shares commonalities with code from malware used by the threat group known as Lazarus.
Ratankba was observed contacting eye-watch[.]in for command and control (C&C) communications. Ratankba was then observed downloading a Hacktool. This Hacktool shows distinctive characteristics shared with malware previously associated with Lazarus.
Figure 2. Code strings seen in sample of Hacktool used in recent attacks
Figure 3. Code strings seen in sample of Hacktool previously associated with Lazarus
Lazarus has been linked to a string of aggressive attacks since 2009, largely focused on targets in the US and South Korea. Lazarus has been involved in high level financial attacks before and some of the tools used in the Bangladesh bank heist shared code similarities with malware used in historic attacks linked to the group.
Further investigation of these attacks is underway and, over time, more evidence may emerge about the identity and motives of the attackers. After a series of high profile attacks on banks during 2016, this latest incident provides a timely reminder of the growing range of threats facing financial institutions.
UPDATE – March 15, 2017:
Further investigation by Symantec into the recent attacks against banks in Poland has uncovered additional links to the threat group known as Lazarus. At the time of our original blog, Symantec had found one link: code strings seen in a Hacktool used in the Polish bank attacks shared distinctive characteristics with malware previously associated with Lazarus.
The number of tentative links Symantec has established has since broadened from one to four. One piece of malware (MD5:91b2558f5319960c85522dc8e372a2b9) found on a computer at one of the Polish targets has been previously used and attributed to the Lazarus group. The previously mentioned Lazarus-linked Hacktool was also found on the same computer at the Polish target.
In addition to this, a sample of Downloader.Ratankba (MD5:cb52c013f7af0219d45953bae663c9a2), which has only been seen in the 2017 Polish Bank attacks, was submitted by a Symantec customer for analysis along with a sample of Backdoor.Destover, the disk-wiping malware linked to Lazarus and used in the Sony Pictures attacks.
A fourth link is the unique trait "del /a %1", which was found in Downloader.Ratankba. It was also identified in multiple malware families linked to Lazarus including Backdoor.Joanap and Backdoor.Destover.
As a result of these findings, Symantec has upgraded its assessment of a Lazarus link. The crossover in tools used leads us to believe there is a reasonable possibility that the Polish bank attacks were the work of attackers linked to Lazarus.
Symantec and Norton products protect against these attacks with the following detections:
The follow are indicators of compromise related to these attacks.
Command and control infrastructure