
Deceptive financial ransomware variant ‘White Rabbit’ emerges in banking


U.S. financial institutions may soon find themselves chasing an elusive “White Rabbit,” a tricky, recently discovered strain of ransomware with possible ties to the long-running financial crime group FIN8.

White Rabbit is a new ransomware family that has already been observed in an attack on at least one major U.S. bank last month, according to cybersecurity researchers at Trend Micro, which published its findings last week. While ransomware is nothing new to the financial industry, typically one of the top three sectors targeted by such attacks, this strain could be harder to find and weed out than earlier ones.

The twist with this emerging threat is that it “takes a page from Egregor, a more established ransomware family, in hiding its malicious activity and carries a potential connection to the advanced persistent threat group FIN8,” according to the researchers’ report.

FIN8 is a financially motivated threat actor that has targeted retail and hospitality enterprises as well as financial firms since at least 2016.

While researchers believe the malware is still in its early stages, it has already proved a sneaky and potentially formidable threat, according to Trend Micro, which found that White Rabbit’s “payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine.” Egregor used the same ploy to hide its malicious activity: run without the right password, as an automated sandbox or a casual analyst would run it, the sample does nothing observable, so detonation and static inspection turn up little.

“White Rabbit’s payload is inconspicuous at first glance, being a small file of around 100 KB with no notable strings and seemingly no activity,” wrote the Trend Micro researchers. “The telltale sign of its malicious origin is the presence of strings for logging, but the actual behavior would not be easily observed without the correct password.” The report was authored by Trend Micro threats analysts Arianne Dela Cruz, Bren Matthew Ebriega, Don Ovid Ladores and Mary Yambao.
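The password gate the researchers describe, and the hunt it suggests, as an added illustration that is not Trend Micro’s code or anything taken from the White Rabbit sample: a Python simulation in which the internal configuration decrypts only when the right password is passed on the command line, so a run without that argument shows nothing, alongside a check over constructed process-creation records for the password token. “KissMe” is the password the article reports; the `-p` switch, the configuration contents, the log strings and the XOR/SHA-256 scheme are assumptions made for the example.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Constructed password and configuration. "KissMe" is the command-line
# password named in the article; the config contents, the "-p" switch and
# the XOR/SHA-256 scheme are assumptions for this illustration, not White
# Rabbit's real format or algorithm.
PASSWORD = "KissMe"
_CONFIG_PLAINTEXT = b"note=README.txt;ext=.locked;skip=Windows,Program Files"

# The only readable strings a static pass would find: logging text.
LOG_STRINGS = ["[+] starting", "[+] enumerating drives", "[+] finished"]


def _keystream(password: str, length: int) -> bytes:
    """Derive a keystream from the password (SHA-256 in counter mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = password.encode() + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


# What sits in the "binary": ciphertext only, no plaintext config strings.
ENCRYPTED_CONFIG = _xor(_CONFIG_PLAINTEXT, _keystream(PASSWORD, len(_CONFIG_PLAINTEXT)))


def run_payload(argv: List[str]) -> Optional[Dict[str, str]]:
    """Simulate the gate: return the decrypted config only when the correct
    password is supplied on the command line, otherwise None (the sample
    looks inert, which is what a sandbox run without the argument reports)."""
    password = None
    for i, tok in enumerate(argv):
        if tok == "-p" and i + 1 < len(argv):   # assumed switch name
            password = argv[i + 1]
    if password is None:
        return None
    plain = _xor(ENCRYPTED_CONFIG, _keystream(password, len(ENCRYPTED_CONFIG)))
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        return None                              # wrong password: garbage, bail out
    if not text.startswith("note="):
        return None
    return dict(kv.split("=", 1) for kv in text.split(";"))


# Constructed process-creation records (Sysmon event 1 style), one per line.
PROCESS_EVENTS = [
    'Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt"',
    'Image=C:\\Users\\Public\\update.exe CommandLine="update.exe -p KissMe"',
    'Image=C:\\Users\\Public\\svc.exe CommandLine="svc.exe -p kissme -q"',
    'Image=C:\\Program Files\\Git\\git.exe CommandLine="git.exe commit -m KissMeNot"',
]


def hunt(events: List[str], password: str = PASSWORD) -> List[str]:
    """Return the command lines that pass the known password as a whole token
    (case-insensitive). The password that unlocks the payload is itself the
    indicator: the operator has to put it in the command line."""
    pattern = re.compile(r"\b" + re.escape(password) + r"\b", re.IGNORECASE)
    hits = []
    for ev in events:
        m = re.search(r'CommandLine="([^"]*)"', ev)
        if m and pattern.search(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print("no password ->", run_payload(["update.exe"]))
    print("wrong password ->", run_payload(["update.exe", "-p", "guess"]))
    print("right password ->", run_payload(["update.exe", "-p", PASSWORD]))
    print("suspicious command lines:", hunt(PROCESS_EVENTS))
```

Two practical consequences follow. When detonating a suspected sample, run it twice, with and without the reported argument, because a quiet first run proves nothing. And the password is an indicator in its own right: it must appear in process-creation telemetry (Sysmon event 1, EDR process events), where a whole-token match catches it while skipping unrelated strings that merely contain it.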

Financial services companies are the targets of more than 13% of cyber incursions, mostly ransomware, according to the Threat Landscape Report recently released by Kroll. Kroll also found that ransomware’s share of incidents more than doubled between the first and third quarters of last year, from 20% to 46%, making it the leading form of attack.

Trend Micro researchers are still trying to determine whether there is a definitive connection between White Rabbit and FIN8.

"Given that FIN8 is known mostly for its infiltration and reconnaissance tools, the connection could be an indication of how the group is expanding its arsenal to include ransomware,” according to their research. “So far, White Rabbit’s targets have been few, which could mean that they are still testing the waters or warming up for a large-scale attack.”

However it pans out, industry watchers are bracing themselves for things to get worse before they get better.

Guy Moskowitz, CEO of Coro, a cybersecurity platform for mid-sized businesses, says ransomware perpetrators are getting increasingly crafty in their attacks: embedding their malware in the cloud and using various cloud applications to distribute it, as well as writing less obvious code that is harder to root out.

“As hackers find new and more sophisticated ways to get through, new ransomware entry points are emerging,” Moskowitz said, “and FSIs need to look holistically across all possible vectors to protect themselves and their customers."

Despite being in a nascent phase, "it is important to highlight that it bears the troublesome characteristics of modern ransomware: It is, after all, highly targeted and uses double extortion methods. As such, it is worth monitoring," according to Trend Micro analysts.

“It’s a double-extortion play that uses the command-line password ‘KissMe’ to hide its nasty acts,” the analysts pointed out, “and adorns its ransom note with cutesy ASCII bunny art.”
