A series of related malware campaigns whose m.o. resembles that of the notorious Carbanak gang has been quietly infecting financial targets since January, including users of the SWIFT bank messaging system that has already been under siege by another bad actor, according to Symantec Corporation in a blog post Tuesday.
This string of campaigns is leveraging a trojan backdoor called Odinaff to gain access into victims' systems before installing additional tools that enable network spying and credential stealing, among other unwanted activities. Upon connecting with a remote host, Odinaff can download and execute RC4 encrypted files as well as issue shell commands. Its victims have been infected by opening documents containing malicious macros or by clicking on links leading to malicious, password-protected RAR archives. In other cases, computers that were previously infected by another malware program were distributed Odinaff via botnet.
Jon DiMaggio, senior threat intelligence analyst with Symantec Security Response, told SCMagazine.com in an email interview that Symantec estimates that approximately 100 organizations have been infected, including many operating in the banking, securities, trading and payroll sectors.
The security software company believes Odinaff is the work of a cybercriminal gang, not a nation-based advanced persistent threat group. Once Odinaff establishes a backdoor, the perpetrators are able to implement a variety of legitimate and malicious tools against their victims, including the backdoors Batel and Gussdoor, open-source password recovery tool Mimikatz, remote desktop software Ammyy Admin and – most notably – a variety of custom-made malware programs that have been crafted especially for a specific victim or computer.
“It is far less common to see sophisticated planned attacks using custom tools in which the attacker takes the time to enumerate the target's environment to identify high-value targets to attack. This type of activity has historically been seen with cyberespionage activity and not cybercrime,” said DiMaggio. “This attack was conducted as a well-thought-out, planned attack over time and took a lot of interacting and hands-on work by the attacker. This increases the risk of being identified and requires both patience and discipline from the attacker.”
Among the Odinaff attacks identified by Symantec, U.S. organizations were targeted most frequently (accounting for 25 percent of infections). The company also detected, in order of frequency, infections in Hong Kong, Australia, the UK, Ukraine and Ireland, as well as in other unspecified regions. Thirty-four percent of attacks were against entities whom Symantec identified as operating in the financial industry, making it by far the most targeted business sector. Although 60 percent of attacks were against organizations or individuals whose business sector was unknown to Symantec, many of these attacks were aimed at computers running financial software applications, a trend that clearly points to a financial motive, Symantec wrote in its blog post.
The Odinaff campaign's penchant for targeting financial institutions mimics the behavior of past attacks by the infamous Carbanak group, but that's not all they have in common. According to Symantec, three of Odinaff's command-and-control IP addresses have been definitively linked to past Carbanak campaigns, and a fourth is likely linked. Also, just like Odinaff, the Carbanak gang made use of the backdoor Batel. However, Carbanak's primary Trojan, Anunak, has not been observed in Odinaff campaigns.
The Symantec blog post concludes that “While it is possible that Odinaff is part of the wider organization, the infrastructure crossover is atypical, meaning it could also be a similar or cooperating group.”
The Odinaff campaign also shares a common bond with the North Korea-linked APT Lazarus Group in that they are both are believed to have recently victimized users of the SWIFT bank messaging system – although the two groups appear to be completely unrelated. According to Symantec, Odinaff's perpetrators have used malware to move and hide records of SWIFT messages warning banking customers of potentially fraudulent transactions – suggesting that the group may be trying to cover up recent compromises of bank accounts and also thwart future investigations into stolen funds.