Study Finds Finance Industry Being Targeted by iSpy Variant of HawkEye and Two Other Sophisticated Keyloggers

Study Finds Finance Industry Being Targeted by iSpy Variant of HawkEye and Two Other Sophisticated Keyloggers

Lastline report shows criminals are stepping up their game, launching more sophisticated attacks against segment known for security capabilities

REDWOOD CITY, CA, June 5, 2018Lastline®, the leader in advanced network-based malware protection, today announced the immediate availability of its Finance-focused Malscape® Snapshot that reports on the latest attacks and trends targeting the financial services industry and finance departments across segments. Derived from the millions of malware samples that Lastline analyzes every week, the report found three separate strains of keylogger malware that are currently targeting finance.

Lastline’s analysis of the 100 most recent malware samples found among finance firms uncovered an unusually large number of iSpy keylogger samples, which is a variant of the notorious HawkEye logger, a fully functioning keylogger that sends victim’s credentials to a server under the keylogger operator’s control. By intercepting the communication with the command and control server, Lastline detected the active exfiltration of website, email and FTP credentials, as well as license key information for installed products.

The analysis also detected sophisticated Emotet and URSNIF keyloggers being delivered via Microsoft Office documents. These two strains of malware share an evasion module for detecting dynamic analysis environments, and common methods for infiltrating financial transactions such as a man-in-the-middle network sniffing capability and hijacking automated transfer payments. Being modular in nature, criminals have developed and added new features over time, including lateral movement, additional credential theft, and spam capabilities.

“We definitely detected a higher than usual incident of very sophisticated malware,” commented Andy Norton, Lastline Director of Threat Intelligence and the report’s author. “This is not surprising considering that finance has long been a target for cybercriminals and accordingly has elevated their security capabilities. Because of this, criminals are forced to up their game, which was very clearly seen in these recent samples.”

The overall trend data shared in the report covers all threats targeting finance departments across industries plus financial services companies over a 30-day period. Findings that highlights the use of more sophisticated malware against finance includes:

  1. The percentage of total files that Lastline analyzed that were found to be malicious was 47 percent higher than the global data that Lastline reported in its recent Malscape Monitor Report.
  2. The share of malware samples that display all four of the key advanced malware behaviors was 20 percent higher than the global average. Those behaviors are: the malware is packed to avoid static analysis, it evades dynamic analysis, it remains stealthy, and it steals credentials.

The full Malscape Snapshot: Finance report can be downloaded here.

About Lastline

Lastline, Inc. provides breach protection products that are innovating the way companies defend against advanced malware with fewer resources and at lower cost. We deliver the visibility, context, analysis, and integrations enterprise security teams need to quickly and completely eradicate malware-based threats before damaging and costly data breaches occur. Headquartered in Redwood City, California with offices throughout North America, Europe and Asia, Lastline’s technology is used by Global 5000 enterprises, is offered directly and through resellers and security service providers, and is integrated into leading third-party security technologies worldwide.

Media Contact:

John Love

John Love

John Love has been in hi-tech marketing for over 30 years. After spending his first 18 years at Apple, he worked at Logitech and several startups, and has been in security since 2010.
John Love